Emilio Pozuelo Monfort pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server
Commits:
-
b8753e5b
by Emilio Pozuelo Monfort at 2022-11-10T13:18:48+01:00
-
4126d4f4
by Emilio Pozuelo Monfort at 2022-11-11T13:38:16+01:00
4 changed files:
- debian/changelog
- + debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch
- + debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
- debian/patches/series
Changes:
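--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.20.11-1+deb11u3) bullseye-security; urgency=medium
+
+ * xkb: proof GetCountedString against request length attacks (CVE-2022-3550)
+ * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551)
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org> Fri, 11 Nov 2022 13:37:52 +0100
+
 xorg-server (2:1.20.11-1+deb11u2) bullseye-security; urgency=medium
 
 * xkb: add request length validation for XkbSetGeometry (CVE-2022-2319)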
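--- a/debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch
+++ b/debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch
@@ -0,0 +1,34 @@
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: [PATCH] xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ CARD16 len;
+
+ wire = *wire_inout;
++
++ if (client->req_len <
++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++ return BadValue;
++
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
+--
+2.30.2
+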
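Review bot: The new guard in `_GetCountedString` compares `client->req_len` with a byte offset passed through `bytes_to_int32`, and nothing in the hunk tells the reader that `req_len` is counted in 4-byte units, which is what makes the comparison correct. A comment above the check would help: `/* req_len is in 4-byte units: reject the request if the 2-byte length field itself lies past its end */`. The guard returns `BadValue` for what is really a length problem; if that is deliberate, presumably to match the whole-string check mentioned in the commit message, the comment should say so. The function body starts and ends outside the hunk.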
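--- a/debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
+++ b/debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
@@ -0,0 +1,59 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+ xkb = dev->key->xkbInfo->desc;
+ status = Success;
+ str = (unsigned char *) &stuff[1];
+- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
+- return BadMatch;
++ {
++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
++ if (keymap) {
++ free(keymap);
++ return BadMatch;
++ }
++ }
+ names.keycodes = GetComponentSpec(&str, TRUE, &status);
+ names.types = GetComponentSpec(&str, TRUE, &status);
+ names.compat = GetComponentSpec(&str, TRUE, &status);
+ names.symbols = GetComponentSpec(&str, TRUE, &status);
+ names.geometry = GetComponentSpec(&str, TRUE, &status);
+- if (status != Success)
++ if (status == Success) {
++ len = str - ((unsigned char *) stuff);
++ if ((XkbPaddedSize(len) / 4) != stuff->length)
++ status = BadLength;
++ }
++
++ if (status != Success) {
++ free(names.keycodes);
++ free(names.types);
++ free(names.compat);
++ free(names.symbols);
++ free(names.geometry);
+ return status;
+- len = str - ((unsigned char *) stuff);
+- if ((XkbPaddedSize(len) / 4) != stuff->length)
+- return BadLength;
++ }
+
+ CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+ CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+--
+2.30.2
+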
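Review bot: The two `CHK_MASK_LEGAL` lines that close the hunk still run after `names.keycodes` through `names.geometry` have been allocated, so an early return there would leak all five strings. The macro's definition is not on this page, so the early return on an illegal mask is inferred from its name and use. Since both checks only read `stuff->want` and `stuff->need`, one option is to move them above `str = (unsigned char *) &stuff[1];` so they run before any `GetComponentSpec` call. Later early returns in `ProcXkbGetKbdByName`, whose body continues outside the hunk, deserve the same look, because a leak reachable from a client request can be repeated until server memory grows without bound.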
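--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
 08_xkb-switch-to-array-index-loops-to-moving-pointers.patch
 09_xkb-add-request-length-validation-for-XkbSetGeometry.patch
 10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch
+11_xkb-proof-GetCountedString-against-request-length-at.patch
+12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch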