
[Git][xorg-team/xserver/xorg-server][debian-bullseye] 2 commits: Security update




Emilio Pozuelo Monfort pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server

Commits:

  • b8753e5b
    by Emilio Pozuelo Monfort at 2022-11-10T13:18:48+01:00
    Security update
    
    * xkb: proof GetCountedString against request length attacks (CVE-2022-3550)
    * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551)
    
  • 4126d4f4
    by Emilio Pozuelo Monfort at 2022-11-11T13:38:16+01:00
    Release to bullseye-security
    

4 changed files:

Changes:

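--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.20.11-1+deb11u3) bullseye-security; urgency=medium
+
+  * xkb: proof GetCountedString against request length attacks (CVE-2022-3550)
+  * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551)
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Fri, 11 Nov 2022 13:37:52 +0100
+
 xorg-server (2:1.20.11-1+deb11u2) bullseye-security; urgency=medium
 
   * xkb: add request length validation for XkbSetGeometry (CVE-2022-2319)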

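--- a/debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch
+++ b/debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch
@@ -0,0 +1,34 @@
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: [PATCH] xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+ 
+     wire = *wire_inout;
++
++    if (client->req_len <
++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++        return BadValue;
++
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+2.30.2
+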
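Review bot: The new guard in `_GetCountedString` carries no comment saying what it protects or in which units it compares, even though the line directly below it reads the prefix through `*(CARD16 *) wire`. I would add above the `if`: `/* The 2-byte length prefix itself must lie inside the request; req_len is in 4-byte units */`. Because `bytes_to_int32` rounds the byte offset up to whole 4-byte units, the comparison works at word granularity, which is worth stating so a later reader does not assume a byte-exact bound. The function starts before and continues past this hunk, so the whole-string check that the commit message mentions is not visible here.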

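--- a/debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
+++ b/debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
@@ -0,0 +1,59 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
++    {
++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
++        if (keymap) {
++            free(keymap);
++            return BadMatch;
++        }
++    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
++    if (status == Success) {
++        len = str - ((unsigned char *) stuff);
++        if ((XkbPaddedSize(len) / 4) != stuff->length)
++            status = BadLength;
++    }
++
++    if (status != Success) {
++        free(names.keycodes);
++        free(names.types);
++        free(names.compat);
++        free(names.symbols);
++        free(names.geometry);
+         return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
++    }
+ 
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+-- 
+2.30.2
+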
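Review bot: The two `CHK_MASK_LEGAL` lines after the new cleanup block still run while `names` holds the five `GetComponentSpec` results, so the strings would leak on that path if the macro returns from the function on an illegal mask. Its definition is not in this hunk, so that is inferred from how it is used here. `stuff->want` and `stuff->need` do not depend on the parsed strings, so the two checks could move above the first `GetComponentSpec` call, or their failure path could go through the same five `free()` calls. The bare `{ ... }` scope around `keymap` would also read better with a one-line comment such as `/* keymap component is unsupported: reject if present, but free it first */`. ProcXkbGetKbdByName begins before and continues after the hunk, so later exits were not reviewed.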

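--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
 08_xkb-switch-to-array-index-loops-to-moving-pointers.patch
 09_xkb-add-request-length-validation-for-XkbSetGeometry.patch
 10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch
+11_xkb-proof-GetCountedString-against-request-length-at.patch
+12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch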

