Blame SOURCES/0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch

From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 14:53:07 +1000
Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when
 replacing it

This fixes a use-after-free bug:

When a client first calls ScreenSaverSetAttributes(), a struct
ScreenSaverAttrRec is allocated and added to the client's
resources.

When the same client calls ScreenSaverSetAttributes() again, a new
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
old struct was freed but not removed from the client's resources.

Later, when the client is destroyed the resource system invokes
ScreenSaverFreeAttr and attempts to clean up the already freed struct.

Fix this by letting the resource system free the old attrs instead.

CVE-2022-46343, ZDI-CAN 19404

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
---
 Xext/saver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Xext/saver.c b/Xext/saver.c
index f813ba08d1..fd6153c313 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
         pVlist++;
     }
     if (pPriv->attr)
-        FreeScreenAttr(pPriv->attr);
+        FreeResource(pPriv->attr->resource, AttrType);
     pPriv->attr = pAttr;
     pAttr->resource = FakeClientID(client->index);
     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
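Review bot: The new FreeResource(pPriv->attr->resource, AttrType) call runs the AttrType delete callback (ScreenSaverFreeAttr, per the commit message) synchronously, and the very next line writes through pPriv with pPriv->attr = pAttr, so please confirm that nothing on the callback path can release or reallocate pPriv or otherwise invalidate it before that assignment. If the callback can tear down per-screen state once the old attrs are gone, pPriv should be re-fetched after the FreeResource call or pPriv->attr assigned in a way that keeps the private alive. A one-line comment above the call stating that the resource system owns the attr struct, and that FreeScreenAttr must not be called directly here, would help prevent this from regressing into the same double free.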
--
2.38.1