!45 fix CVE-2023-3138
From: @leeffo Reviewed-by: @weidongkl Signed-off-by: @weidongkl
This commit is contained in:
openeuler-ci-bot
Gitee
commit
9bac72b4e8
108
backport-CVE-2023-3138.patch
Normal file
108
backport-CVE-2023-3138.patch
Normal file
@ -0,0 +1,108 @@
|
||||
From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 10 Jun 2023 16:30:07 -0700
|
||||
Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
|
||||
error codes
|
||||
|
||||
Fixes CVE-2023-3138: X servers could return values from XQueryExtension
|
||||
that would cause Xlib to write entries out-of-bounds of the arrays to
|
||||
store them, though this would only overwrite other parts of the Display
|
||||
struct, not outside the bounds allocated for that structure.
|
||||
|
||||
Reported-by: Gregory James DUCK <gjduck@gmail.com>
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 42 insertions(+)
|
||||
|
||||
diff --git a/src/InitExt.c b/src/InitExt.c
|
||||
index 4de46f15..afc00a6b 100644
|
||||
--- a/src/InitExt.c
|
||||
+++ b/src/InitExt.c
|
||||
@@ -33,6 +33,18 @@ from The Open Group.
|
||||
#include <X11/Xos.h>
|
||||
#include <stdio.h>
|
||||
|
||||
+/* The X11 protocol spec reserves events 64 through 127 for extensions */
|
||||
+#ifndef LastExtensionEvent
|
||||
+#define LastExtensionEvent 127
|
||||
+#endif
|
||||
+
|
||||
+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
|
||||
+#ifndef LastExtensionRequest
|
||||
+#define FirstExtensionRequest 128
|
||||
+#define LastExtensionRequest 255
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
/*
|
||||
* This routine is used to link a extension in so it will be called
|
||||
* at appropriate times.
|
||||
@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
|
||||
WireToEventType proc) /* routine to call when converting event */
|
||||
{
|
||||
register WireToEventType oldproc;
|
||||
+ if (event_number < 0 ||
|
||||
+ event_number > LastExtensionEvent) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
||||
+ event_number);
|
||||
+ return (WireToEventType)_XUnknownWireEvent;
|
||||
+ }
|
||||
if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
|
||||
LockDisplay (dpy);
|
||||
oldproc = dpy->event_vec[event_number];
|
||||
@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
|
||||
)
|
||||
{
|
||||
WireToEventCookieType oldproc;
|
||||
+ if (extension < FirstExtensionRequest ||
|
||||
+ extension > LastExtensionRequest) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
||||
+ extension);
|
||||
+ return (WireToEventCookieType)_XUnknownWireEventCookie;
|
||||
+ }
|
||||
if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
|
||||
LockDisplay (dpy);
|
||||
oldproc = dpy->generic_event_vec[extension & 0x7F];
|
||||
@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
|
||||
)
|
||||
{
|
||||
CopyEventCookieType oldproc;
|
||||
+ if (extension < FirstExtensionRequest ||
|
||||
+ extension > LastExtensionRequest) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
||||
+ extension);
|
||||
+ return (CopyEventCookieType)_XUnknownCopyEventCookie;
|
||||
+ }
|
||||
if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
|
||||
LockDisplay (dpy);
|
||||
oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
|
||||
@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
|
||||
EventToWireType proc) /* routine to call when converting event */
|
||||
{
|
||||
register EventToWireType oldproc;
|
||||
+ if (event_number < 0 ||
|
||||
+ event_number > LastExtensionEvent) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
||||
+ event_number);
|
||||
+ return (EventToWireType)_XUnknownNativeEvent;
|
||||
+ }
|
||||
if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
|
||||
LockDisplay (dpy);
|
||||
oldproc = dpy->wire_vec[event_number];
|
||||
@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
|
||||
WireToErrorType proc) /* routine to call when converting error */
|
||||
{
|
||||
register WireToErrorType oldproc = NULL;
|
||||
+ if (error_number < 0 ||
|
||||
+ error_number > LastExtensionError) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
|
||||
+ error_number);
|
||||
+ return (WireToErrorType)_XDefaultWireError;
|
||||
+ }
|
||||
if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
|
||||
LockDisplay (dpy);
|
||||
if (!dpy->error_vec) {
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: libX11
|
||||
Version: 1.8.4
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: Core X11 protocol client library
|
||||
License: MIT
|
||||
URL: http://www.x.org
|
||||
@ -8,6 +8,7 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.
|
||||
|
||||
Patch1: dont-forward-keycode-0.patch
|
||||
#Patch6001: backport-CVE-2022-3554.patch
|
||||
Patch6001: backport-CVE-2023-3138.patch
|
||||
|
||||
BuildRequires: xorg-x11-util-macros >= 1.11 xorg-x11-proto-devel perl-Pod-Usage libXau-devel
|
||||
BuildRequires: libxcb-devel >= 1.2 libXdmcp-devel xorg-x11-xtrans-devel >= 1.0.3-4 make
|
||||
@ -77,6 +78,9 @@ make %{?_smp_mflags} check
|
||||
%{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Mon Jun 19 2023 liweigang <liweiganga@uniontech.com> - 1.8.4-2
|
||||
- fix CVE-2023-3138
|
||||
|
||||
* Wed Apr 12 2023 liweiganga <liweiganga@uniontech.com> - 1.8.4-1
|
||||
- update to 1.8.4
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user