Julien Cristau pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server
Commits:
-
6c4d399c
by Julien Cristau at 2023-02-01T15:12:51+01:00
3 changed files:
- debian/changelog
- + debian/patches/20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
- debian/patches/series
Changes:
1 | +xorg-server (2:1.20.11-1+deb11u5) bullseye-security; urgency=high
|
|
2 | + |
|
3 | + * Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494)
|
|
4 | + |
|
5 | + -- Julien Cristau <jcristau@debian.org> Wed, 01 Feb 2023 15:11:18 +0100
|
|
6 | + |
|
1 | 7 | xorg-server (2:1.20.11-1+deb11u4) bullseye-security; urgency=high
|
2 | 8 | |
3 | 9 | * Non-maintainer upload by the Security Team.
|
1 | +From 7150ba655c0cc08fa6ded309b81265bb672f2869 Mon Sep 17 00:00:00 2001
|
|
2 | +From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
3 | +Date: Wed, 25 Jan 2023 11:41:40 +1000
|
|
4 | +Subject: [PATCH xserver] Xi: fix potential use-after-free in
|
|
5 | + DeepCopyPointerClasses
|
|
6 | + |
|
7 | +CVE-2023-0494, ZDI-CAN 19596
|
|
8 | + |
|
9 | +This vulnerability was discovered by:
|
|
10 | +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
11 | + |
|
12 | +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
13 | +---
|
|
14 | + Xi/exevents.c | 4 +++-
|
|
15 | + 1 file changed, 3 insertions(+), 1 deletion(-)
|
|
16 | + |
|
17 | +--- a/Xi/exevents.c
|
|
18 | ++++ b/Xi/exevents.c
|
|
19 | +@@ -575,8 +575,10 @@ DeepCopyPointerClasses(DeviceIntPtr from
|
|
20 | + memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
|
21 | + sizeof(XkbAction));
|
|
22 | + }
|
|
23 | +- else
|
|
24 | ++ else {
|
|
25 | + free(to->button->xkb_acts);
|
|
26 | ++ to->button->xkb_acts = NULL;
|
|
27 | ++ }
|
|
28 | +
|
|
29 | + memcpy(to->button->labels, from->button->labels,
|
|
30 | + from->button->numButtons * sizeof(Atom)); |
... | ... | @@ -19,3 +19,4 @@ |
19 | 19 | 17_Xi-return-an-error-from-XI-property-changes-if-verif.patch
|
20 | 20 | 18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
|
21 | 21 | 19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
|
22 | +20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch |