[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Git][xorg-team/xserver/xorg-server][debian-bullseye] Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494)

Title: GitLab

Julien Cristau pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server

Commits:

  • 6c4d399c
    by Julien Cristau at 2023-02-01T15:12:51+01:00 
    Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494)

3 changed files:

Changes:

  • debian/changelog
    1 
    +xorg-server (2:1.20.11-1+deb11u5) bullseye-security; urgency=high
    2 
    +
    3 
    +  * Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494)
    4 
    +
    5 
    + -- Julien Cristau <jcristau@debian.org>  Wed, 01 Feb 2023 15:11:18 +0100
    6 
    +
    1 7 
     xorg-server (2:1.20.11-1+deb11u4) bullseye-security; urgency=high
    2 8
    3 9 
       * Non-maintainer upload by the Security Team.

  • debian/patches/20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
    1 
    +From 7150ba655c0cc08fa6ded309b81265bb672f2869 Mon Sep 17 00:00:00 2001
    2 
    +From: Peter Hutterer <peter.hutterer@who-t.net>
    3 
    +Date: Wed, 25 Jan 2023 11:41:40 +1000
    4 
    +Subject: [PATCH xserver] Xi: fix potential use-after-free in
    5 
    + DeepCopyPointerClasses
    6 
    +
    7 
    +CVE-2023-0494, ZDI-CAN 19596
    8 
    +
    9 
    +This vulnerability was discovered by:
    10 
    +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    11 
    +
    12 
    +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    13 
    +---
    14 
    + Xi/exevents.c |    4 +++-
    15 
    + 1 file changed, 3 insertions(+), 1 deletion(-)
    16 
    +
    17 
    +--- a/Xi/exevents.c
    18 
    ++++ b/Xi/exevents.c
    19 
    +@@ -575,8 +575,10 @@ DeepCopyPointerClasses(DeviceIntPtr from
    20 
    +             memcpy(to->button->xkb_acts, from->button->xkb_acts,
    21 
    +                    sizeof(XkbAction));
    22 
    +         }
    23 
    +-        else
    24 
    ++        else {
    25 
    +             free(to->button->xkb_acts);
    26 
    ++            to->button->xkb_acts = NULL;
    27 
    ++        }
    28 
    +
    29 
    +         memcpy(to->button->labels, from->button->labels,
    30 
    +                from->button->numButtons * sizeof(Atom));

  • debian/patches/series
    ... ... @@ -19,3 +19,4 @@
    19 19 
     17_Xi-return-an-error-from-XI-property-changes-if-verif.patch
    20 20 
     18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
    21 21 
     19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
    22 
    +20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch


    • View it on GitLab.
    You're receiving this email because of your account on salsa.debian.org. Manage all notifications · Help

    Reply to: