Emilio Pozuelo Monfort pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server
Commits:
-
b8753e5b
by Emilio Pozuelo Monfort at 2022-11-10T13:18:48+01:00
-
4126d4f4
by Emilio Pozuelo Monfort at 2022-11-11T13:38:16+01:00
4 changed files:
- debian/changelog
- + debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch
- + debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
- debian/patches/series
Changes:
| 1 | +xorg-server (2:1.20.11-1+deb11u3) bullseye-security; urgency=medium
|
|
| 2 | + |
|
| 3 | + * xkb: proof GetCountedString against request length attacks (CVE-2022-3550)
|
|
| 4 | + * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551)
|
|
| 5 | + |
|
| 6 | + -- Emilio Pozuelo Monfort <pochu@debian.org> Fri, 11 Nov 2022 13:37:52 +0100
|
|
| 7 | + |
|
| 1 | 8 | xorg-server (2:1.20.11-1+deb11u2) bullseye-security; urgency=medium
|
| 2 | 9 | |
| 3 | 10 | * xkb: add request length validation for XkbSetGeometry (CVE-2022-2319)
|
| 1 | +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
|
|
| 2 | +From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
| 3 | +Date: Tue, 5 Jul 2022 12:06:20 +1000
|
|
| 4 | +Subject: [PATCH] xkb: proof GetCountedString against request length attacks
|
|
| 5 | + |
|
| 6 | +GetCountedString did a check for the whole string to be within the
|
|
| 7 | +request buffer but not for the initial 2 bytes that contain the length
|
|
| 8 | +field. A swapped client could send a malformed request to trigger a
|
|
| 9 | +swaps() on those bytes, writing into random memory.
|
|
| 10 | + |
|
| 11 | +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
| 12 | +---
|
|
| 13 | + xkb/xkb.c | 5 +++++
|
|
| 14 | + 1 file changed, 5 insertions(+)
|
|
| 15 | + |
|
| 16 | +diff --git a/xkb/xkb.c b/xkb/xkb.c
|
|
| 17 | +index f42f59ef3..1841cff26 100644
|
|
| 18 | +--- a/xkb/xkb.c
|
|
| 19 | ++++ b/xkb/xkb.c
|
|
| 20 | +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
|
|
| 21 | + CARD16 len;
|
|
| 22 | +
|
|
| 23 | + wire = *wire_inout;
|
|
| 24 | ++
|
|
| 25 | ++ if (client->req_len <
|
|
| 26 | ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
|
|
| 27 | ++ return BadValue;
|
|
| 28 | ++
|
|
| 29 | + len = *(CARD16 *) wire;
|
|
| 30 | + if (client->swapped) {
|
|
| 31 | + swaps(&len);
|
|
| 32 | +--
|
|
| 33 | +2.30.2
|
|
| 34 | + |
| 1 | +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
|
|
| 2 | +From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
| 3 | +Date: Wed, 13 Jul 2022 11:23:09 +1000
|
|
| 4 | +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
|
|
| 5 | + |
|
| 6 | +GetComponentByName returns an allocated string, so let's free that if we
|
|
| 7 | +fail somewhere.
|
|
| 8 | + |
|
| 9 | +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
| 10 | +---
|
|
| 11 | + xkb/xkb.c | 26 ++++++++++++++++++++------
|
|
| 12 | + 1 file changed, 20 insertions(+), 6 deletions(-)
|
|
| 13 | + |
|
| 14 | +diff --git a/xkb/xkb.c b/xkb/xkb.c
|
|
| 15 | +index 4692895db..b79a269e3 100644
|
|
| 16 | +--- a/xkb/xkb.c
|
|
| 17 | ++++ b/xkb/xkb.c
|
|
| 18 | +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
|
|
| 19 | + xkb = dev->key->xkbInfo->desc;
|
|
| 20 | + status = Success;
|
|
| 21 | + str = (unsigned char *) &stuff[1];
|
|
| 22 | +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
|
|
| 23 | +- return BadMatch;
|
|
| 24 | ++ {
|
|
| 25 | ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
|
|
| 26 | ++ if (keymap) {
|
|
| 27 | ++ free(keymap);
|
|
| 28 | ++ return BadMatch;
|
|
| 29 | ++ }
|
|
| 30 | ++ }
|
|
| 31 | + names.keycodes = GetComponentSpec(&str, TRUE, &status);
|
|
| 32 | + names.types = GetComponentSpec(&str, TRUE, &status);
|
|
| 33 | + names.compat = GetComponentSpec(&str, TRUE, &status);
|
|
| 34 | + names.symbols = GetComponentSpec(&str, TRUE, &status);
|
|
| 35 | + names.geometry = GetComponentSpec(&str, TRUE, &status);
|
|
| 36 | +- if (status != Success)
|
|
| 37 | ++ if (status == Success) {
|
|
| 38 | ++ len = str - ((unsigned char *) stuff);
|
|
| 39 | ++ if ((XkbPaddedSize(len) / 4) != stuff->length)
|
|
| 40 | ++ status = BadLength;
|
|
| 41 | ++ }
|
|
| 42 | ++
|
|
| 43 | ++ if (status != Success) {
|
|
| 44 | ++ free(names.keycodes);
|
|
| 45 | ++ free(names.types);
|
|
| 46 | ++ free(names.compat);
|
|
| 47 | ++ free(names.symbols);
|
|
| 48 | ++ free(names.geometry);
|
|
| 49 | + return status;
|
|
| 50 | +- len = str - ((unsigned char *) stuff);
|
|
| 51 | +- if ((XkbPaddedSize(len) / 4) != stuff->length)
|
|
| 52 | +- return BadLength;
|
|
| 53 | ++ }
|
|
| 54 | +
|
|
| 55 | + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
|
|
| 56 | + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
|
|
| 57 | +--
|
|
| 58 | +2.30.2
|
|
| 59 | + |
| ... | ... | @@ -10,3 +10,5 @@ |
| 10 | 10 | 08_xkb-switch-to-array-index-loops-to-moving-pointers.patch
|
| 11 | 11 | 09_xkb-add-request-length-validation-for-XkbSetGeometry.patch
|
| 12 | 12 | 10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch
|
| 13 | +11_xkb-proof-GetCountedString-against-request-length-at.patch
|
|
| 14 | +12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch |