
[Git][xorg-team/xserver/xorg-server][debian-bullseye] composite: Fix use-after-free of the COW (CVE-2023-1393)




Julien Cristau pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server

Commits:

  • 30e8ec59
    by Julien Cristau at 2023-03-23T11:26:13+01:00
    composite: Fix use-after-free of the COW (CVE-2023-1393)
    

3 changed files:

  • debian/changelog
  • debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch
  • debian/patches/series

Changes:

  • debian/changelog
    1
    +xorg-server (2:1.20.11-1+deb11u6) bullseye-security; urgency=high
    
    2
    +
    
    3
    +  * composite: Fix use-after-free of the COW (CVE-2023-1393)
    
    4
    +
    
    5
    + -- Julien Cristau <jcristau@debian.org>  Thu, 23 Mar 2023 11:25:56 +0100
    
    6
    +
    
    1 7
     xorg-server (2:1.20.11-1+deb11u5) bullseye-security; urgency=high
    
    2 8
     
    
    3 9
       * Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494)
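Review bot: The new changelog entry cites only the CVE; for a backported security fix the entry should also name the upstream commit it carries (947bd1b3f4a23565bf10879ec41ba06ebe1e1c76, per the header of the added patch) and the ZDI-CAN-19866 identifier that the patch itself references, so the security tracker entry and the patch file can be cross-checked without opening the patch, e.g. `* composite: Fix use-after-free of the COW (CVE-2023-1393, ZDI-CAN-19866, upstream commit 947bd1b3)`.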
    

  • debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch
    1
    +From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001
    
    2
    +From: Olivier Fourdan <ofourdan@redhat.com>
    
    3
    +Date: Mon, 13 Mar 2023 11:08:47 +0100
    
    4
    +Subject: [PATCH xserver] composite: Fix use-after-free of the COW
    
    5
    +
    
    6
    +ZDI-CAN-19866/CVE-2023-1393
    
    7
    +
    
    8
    +If a client explicitly destroys the compositor overlay window (aka COW),
    
    9
    +we would leave a dangling pointer to that window in the CompScreen
    
    10
    +structure, which will trigger a use-after-free later.
    
    11
    +
    
    12
    +Make sure to clear the CompScreen pointer to the COW when the latter gets
    
    13
    +destroyed explicitly by the client.
    
    14
    +
    
    15
    +This vulnerability was discovered by:
    
    16
    +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    17
    +
    
    18
    +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    
    19
    +Reviewed-by: Adam Jackson <ajax@redhat.com>
    
    20
    +---
    
    21
    + composite/compwindow.c | 5 +++++
    
    22
    + 1 file changed, 5 insertions(+)
    
    23
    +
    
    24
    +--- a/composite/compwindow.c
    
    25
    ++++ b/composite/compwindow.c
    
    26
    +@@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin)
    
    27
    +     ret = (*pScreen->DestroyWindow) (pWin);
    
    28
    +     cs->DestroyWindow = pScreen->DestroyWindow;
    
    29
    +     pScreen->DestroyWindow = compDestroyWindow;
    
    30
    ++
    
    31
    ++    /* Did we just destroy the overlay window? */
    
    32
    ++    if (pWin == cs->pOverlayWin)
    
    33
    ++        cs->pOverlayWin = NULL;
    
    34
    ++
    
    35
    + /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
    
    36
    +     return ret;
    
    37
    + }
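Review bot: The check `if (pWin == cs->pOverlayWin)` is placed after the unwrap/call/rewrap sequence and only compares pointer values, so it does not dereference pWin and is safe regardless of what the wrapped DestroyWindow did with the window; what the hunk leaves undocumented is whether cs->pOverlayWin is the only cached reference to the COW. The commit message covers the CompScreen pointer alone, so the new comment should either state that this is the sole holder or say where any other holder is cleared, otherwise a reviewer cannot tell that the dangling-pointer class is fully closed. Separately, the hunk header `@@ -613,6 +613,11 @@` and the line numbers come straight from the upstream commit, not from the 2:1.20.11 tree this lands on; confirm with `quilt push` that the patch applies cleanly (no fuzz or offset) before uploading, and refresh it if it does not.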

  • debian/patches/series
    ... ... @@ -20,3 +20,4 @@
    20 20
     18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
    
    21 21
     19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
    
    22 22
     20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
    
    23
    +21_composite-Fix-use-after-free-of-the-COW.patch
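As an added illustration (this is not xorg-server code and is not part of the commit above), the following C model reproduces the lifetime bug the commit message describes: the compositor keeps a cached pointer to the overlay window in its per-screen state, a client destroys that window through the wrapped DestroyWindow hook, and the next lookup of the overlay window either hands back the stale pointer (unfixed) or re-creates the window (fixed). Windows come from a constructed pool with a `freed` flag instead of malloc/free so that the stale access is detected deterministically rather than being undefined behaviour; `Screen`, `CompScreen`, `DeleteWindow`, `compGetOverlayWindow` and `overlay_lookup_is_stale` are simplified stand-ins for the real structures and functions, not their actual definitions.

```c
/* Added example (not xorg-server code): a model of the CVE-2023-1393 lifetime bug. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct Window {
    int id;
    bool freed;      /* set when the DIX releases the WindowRec (pool slot, no real free()) */
} Window;

struct CompScreen;

typedef struct Screen {
    struct CompScreen *cs;
    bool (*DestroyWindow)(struct Screen *, Window *);   /* wrappable hook, as in ScreenRec */
} Screen;

typedef struct CompScreen {
    Window *pOverlayWin;                         /* cached pointer to the COW */
    bool (*DestroyWindow)(Screen *, Window *);   /* the wrapped (original) hook */
    bool fixed;                                  /* apply the upstream fix? */
} CompScreen;

/* Constructed window pool: slots are never reused, so a stale pointer stays readable. */
#define POOL_SIZE 8
static Window pool[POOL_SIZE];
static int next_slot;

static Window *window_alloc(void)
{
    if (next_slot >= POOL_SIZE)
        return NULL;
    Window *w = &pool[next_slot];
    w->id = ++next_slot;
    w->freed = false;
    return w;
}

static void window_free(Window *w)
{
    w->freed = true;
}

/* Bottom of the wrap chain: the DIX's own DestroyWindow does nothing interesting here. */
static bool dixDestroyWindow(Screen *pScreen, Window *pWin)
{
    (void) pScreen;
    (void) pWin;
    return true;
}

/* Modeled on compDestroyWindow: unwrap, call down, rewrap, then (if fixed) drop the cache. */
static bool compDestroyWindow(Screen *pScreen, Window *pWin)
{
    CompScreen *cs = pScreen->cs;
    bool ret;

    pScreen->DestroyWindow = cs->DestroyWindow;
    ret = (*pScreen->DestroyWindow) (pScreen, pWin);
    cs->DestroyWindow = pScreen->DestroyWindow;
    pScreen->DestroyWindow = compDestroyWindow;

    /* The fix: a pointer comparison only; pWin is not dereferenced. */
    if (cs->fixed && pWin == cs->pOverlayWin)
        cs->pOverlayWin = NULL;

    return ret;
}

/* Modeled on the DIX: run the DestroyWindow hook, then release the WindowRec. */
static void DeleteWindow(Screen *pScreen, Window *pWin)
{
    (*pScreen->DestroyWindow) (pScreen, pWin);
    window_free(pWin);
}

/* Modeled on compGetOverlayWindow: create the COW on first use, reuse the cache after. */
static Window *compGetOverlayWindow(Screen *pScreen)
{
    CompScreen *cs = pScreen->cs;
    if (cs->pOverlayWin == NULL)
        cs->pOverlayWin = window_alloc();
    return cs->pOverlayWin;
}

/* Returns true if the second overlay lookup handed back a freed window (the use-after-free). */
bool overlay_lookup_is_stale(bool fixed)
{
    memset(pool, 0, sizeof pool);
    next_slot = 0;

    CompScreen cs = { .pOverlayWin = NULL, .DestroyWindow = dixDestroyWindow, .fixed = fixed };
    Screen screen = { .cs = &cs, .DestroyWindow = compDestroyWindow };

    Window *cow = compGetOverlayWindow(&screen);   /* compositing manager asks for the COW */
    DeleteWindow(&screen, cow);                    /* a client explicitly destroys that window */
    Window *later = compGetOverlayWindow(&screen); /* next composite operation looks it up */
    return later->freed;
}

int main(void)
{
    printf("unfixed: stale=%d\n", overlay_lookup_is_stale(false));
    printf("fixed:   stale=%d\n", overlay_lookup_is_stale(true));
    return 0;
}
```

The pool deliberately never reuses a slot, which is the opposite of what a real allocator does; in the real server the freed WindowRec memory can be handed to a later allocation, which is what turns the stale `pOverlayWin` read into a type-confused use rather than a readable-but-dead window.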

