Julien Cristau pushed to branch debian-buster at X Strike Force / xserver / xorg-server
Commits:
-
4d0845ec
by Julien Cristau at 2021-12-18T10:07:36+01:00
6 changed files:
- debian/changelog
- + debian/patches/13_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
- + debian/patches/14_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
- + debian/patches/15_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
- + debian/patches/16_render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
- debian/patches/series
Changes:
1 |
+xorg-server (2:1.20.4-1+deb10u4) buster-security; urgency=high
|
|
2 |
+ |
|
3 |
+ * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
|
|
4 |
+ * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009]
|
|
5 |
+ * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
|
|
6 |
+ * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008]
|
|
7 |
+ |
|
8 |
+ -- Julien Cristau <jcristau@debian.org> Sat, 18 Dec 2021 10:05:36 +0100
|
|
9 |
+ |
|
1 | 10 |
xorg-server (2:1.20.4-1+deb10u3) buster-security; urgency=high
|
2 | 11 |
|
3 | 12 |
* Fix XChangeFeedbackControl() request underflow (CVE-2021-3472)
|
1 |
+From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
|
|
2 |
+From: Povilas Kanapickas <povilas@radix.lt>
|
|
3 |
+Date: Tue, 14 Dec 2021 15:00:00 +0200
|
|
4 |
+Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
|
|
5 |
+ |
|
6 |
+ZDI-CAN-14952, CVE-2021-4011
|
|
7 |
+ |
|
8 |
+This vulnerability was discovered and the fix was suggested by:
|
|
9 |
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
10 |
+ |
|
11 |
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
|
12 |
+---
|
|
13 |
+ record/record.c | 4 ++--
|
|
14 |
+ 1 file changed, 2 insertions(+), 2 deletions(-)
|
|
15 |
+ |
|
16 |
+diff --git a/record/record.c b/record/record.c
|
|
17 |
+index be154525d2..e123867a7d 100644
|
|
18 |
+--- a/record/record.c
|
|
19 |
++++ b/record/record.c
|
|
20 |
+@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
|
|
21 |
+ swapl(pClientID);
|
|
22 |
+ }
|
|
23 |
+ if (stuff->nRanges >
|
|
24 |
+- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
|
25 |
+- - stuff->nClients)
|
|
26 |
++ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
|
27 |
++ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
|
|
28 |
+ return BadLength;
|
|
29 |
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
|
30 |
+ return Success;
|
|
31 |
+--
|
|
32 |
+2.30.2
|
|
33 |
+ |
1 |
+From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
|
|
2 |
+From: Povilas Kanapickas <povilas@radix.lt>
|
|
3 |
+Date: Tue, 14 Dec 2021 15:00:01 +0200
|
|
4 |
+Subject: [PATCH] xfixes: Fix out of bounds access in
|
|
5 |
+ *ProcXFixesCreatePointerBarrier()
|
|
6 |
+ |
|
7 |
+ZDI-CAN-14950, CVE-2021-4009
|
|
8 |
+ |
|
9 |
+This vulnerability was discovered and the fix was suggested by:
|
|
10 |
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
11 |
+ |
|
12 |
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
|
13 |
+---
|
|
14 |
+ xfixes/cursor.c | 6 ++++--
|
|
15 |
+ 1 file changed, 4 insertions(+), 2 deletions(-)
|
|
16 |
+ |
|
17 |
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
|
|
18 |
+index 60580b88f2..c5d4554b22 100644
|
|
19 |
+--- a/xfixes/cursor.c
|
|
20 |
++++ b/xfixes/cursor.c
|
|
21 |
+@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
|
|
22 |
+ {
|
|
23 |
+ REQUEST(xXFixesCreatePointerBarrierReq);
|
|
24 |
+
|
|
25 |
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
|
26 |
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
|
27 |
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
|
28 |
+ LEGAL_NEW_RESOURCE(stuff->barrier, client);
|
|
29 |
+
|
|
30 |
+ return XICreatePointerBarrier(client, stuff);
|
|
31 |
+@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
|
|
32 |
+
|
|
33 |
+ swaps(&stuff->length);
|
|
34 |
+ swaps(&stuff->num_devices);
|
|
35 |
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
|
36 |
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
|
37 |
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
|
38 |
+
|
|
39 |
+ swapl(&stuff->barrier);
|
|
40 |
+ swapl(&stuff->window);
|
|
41 |
+--
|
|
42 |
+2.30.2
|
|
43 |
+ |
1 |
+From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001
|
|
2 |
+From: Povilas Kanapickas <povilas@radix.lt>
|
|
3 |
+Date: Tue, 14 Dec 2021 15:00:02 +0200
|
|
4 |
+Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend()
|
|
5 |
+ |
|
6 |
+ZDI-CAN-14951, CVE-2021-4010
|
|
7 |
+ |
|
8 |
+This vulnerability was discovered and the fix was suggested by:
|
|
9 |
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
10 |
+ |
|
11 |
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
|
12 |
+---
|
|
13 |
+ Xext/saver.c | 2 +-
|
|
14 |
+ 1 file changed, 1 insertion(+), 1 deletion(-)
|
|
15 |
+ |
|
16 |
+diff --git a/Xext/saver.c b/Xext/saver.c
|
|
17 |
+index 1d7e3cadf3..f813ba08d1 100644
|
|
18 |
+--- a/Xext/saver.c
|
|
19 |
++++ b/Xext/saver.c
|
|
20 |
+@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
|
|
21 |
+ REQUEST(xScreenSaverSuspendReq);
|
|
22 |
+
|
|
23 |
+ swaps(&stuff->length);
|
|
24 |
+- swapl(&stuff->suspend);
|
|
25 |
+ REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
|
|
26 |
++ swapl(&stuff->suspend);
|
|
27 |
+ return ProcScreenSaverSuspend(client);
|
|
28 |
+ }
|
|
29 |
+
|
|
30 |
+--
|
|
31 |
+2.30.2
|
|
32 |
+ |
1 |
+From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001
|
|
2 |
+From: Povilas Kanapickas <povilas@radix.lt>
|
|
3 |
+Date: Tue, 14 Dec 2021 15:00:03 +0200
|
|
4 |
+Subject: [PATCH] render: Fix out of bounds access in
|
|
5 |
+ SProcRenderCompositeGlyphs()
|
|
6 |
+ |
|
7 |
+ZDI-CAN-14192, CVE-2021-4008
|
|
8 |
+ |
|
9 |
+This vulnerability was discovered and the fix was suggested by:
|
|
10 |
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
11 |
+ |
|
12 |
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
|
13 |
+---
|
|
14 |
+ render/render.c | 9 +++++++++
|
|
15 |
+ 1 file changed, 9 insertions(+)
|
|
16 |
+ |
|
17 |
+diff --git a/render/render.c b/render/render.c
|
|
18 |
+index c376090cad..456f156d43 100644
|
|
19 |
+--- a/render/render.c
|
|
20 |
++++ b/render/render.c
|
|
21 |
+@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
|
22 |
+
|
|
23 |
+ i = elt->len;
|
|
24 |
+ if (i == 0xff) {
|
|
25 |
++ if (buffer + 4 > end) {
|
|
26 |
++ return BadLength;
|
|
27 |
++ }
|
|
28 |
+ swapl((int *) buffer);
|
|
29 |
+ buffer += 4;
|
|
30 |
+ }
|
|
31 |
+@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
|
32 |
+ buffer += i;
|
|
33 |
+ break;
|
|
34 |
+ case 2:
|
|
35 |
++ if (buffer + i * 2 > end) {
|
|
36 |
++ return BadLength;
|
|
37 |
++ }
|
|
38 |
+ while (i--) {
|
|
39 |
+ swaps((short *) buffer);
|
|
40 |
+ buffer += 2;
|
|
41 |
+ }
|
|
42 |
+ break;
|
|
43 |
+ case 4:
|
|
44 |
++ if (buffer + i * 4 > end) {
|
|
45 |
++ return BadLength;
|
|
46 |
++ }
|
|
47 |
+ while (i--) {
|
|
48 |
+ swapl((int *) buffer);
|
|
49 |
+ buffer += 4;
|
|
50 |
+--
|
|
51 |
+2.30.2
|
|
52 |
+ |
... | ... | @@ -11,3 +11,7 @@ |
11 | 11 |
10_Fix-XIChangeHierarchy-integer-underflow.patch
|
12 | 12 |
11_Fix-XkbSelectEvents-integer-underflow.patch
|
13 | 13 |
12_Fix-XRecordRegisterClients-Integer-underflow.patch
|
14 |
+13_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
|
|
15 |
+14_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
|
|
16 |
+15_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
|
|
17 |
+16_render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
|