diff --git a/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch b/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch new file mode 100644 index 0000000..99625dd --- /dev/null +++ b/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch @@ -0,0 +1,80 @@ +From a31ba141824a7649e11f0ef7673718ce559d6337 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 3 Oct 2023 11:53:05 +1000 +Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend + +The handling of appending/prepending properties was incorrect, with at +least two bugs: the property length was set to the length of the new +part only, i.e. appending or prepending N elements to a property with P +existing elements always resulted in the property having N elements +instead of N + P. + +Second, when pre-pending a value to a property, the offset for the old +values was incorrect, leaving the new property with potentially +uninitalized values and/or resulting in OOB memory writes. +For example, prepending a 3 element value to a 5 element property would +result in this 8 value array: + [N, N, N, ?, ?, P, P, P ] P, P + ^OOB write + +The XI2 code is a copy/paste of the RandR code, so the bug exists in +both. + +CVE-2023-5367, ZDI-CAN-22153 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +--- + Xi/xiproperty.c | 4 ++-- + randr/rrproperty.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 6ec419e870..563c4f31a5 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + XIDestroyDeviceProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index c2fb9585c6..25469f57b2 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + RRDestroyOutputProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +-- +2.41.0 + diff --git a/SPECS/xorg-x11-server.spec b/SPECS/xorg-x11-server.spec index 8a06ebb..56a1381 100644 --- a/SPECS/xorg-x11-server.spec +++ b/SPECS/xorg-x11-server.spec @@ -42,7 +42,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.4 -Release: 23%{?gitdate:.%{gitdate}}%{?dist} +Release: 24%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -188,6 +188,8 @@ Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch # CVE-2023-1393 Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch +# CVE-2023-5367 +Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch %global moduledir %{_libdir}/xorg/modules %global drimoduledir %{_libdir}/dri @@ -670,6 +672,10 @@ rm -rf $RPM_BUILD_ROOT %{xserver_source_dir} %changelog +* Wed Oct 25 2023 José Expósito - 1.20.4-24 +- CVE fix for: CVE-2023-5367 + Resolves: https://issues.redhat.com/browse/RHEL-13424 + * Wed Mar 29 2023 Olivier Fourdan - 1.20.4-23 - CVE fix for: CVE-2023-1393 (#2180290)