!150 fix CVE-2023-1393

From: @leeffo Reviewed-by: @weidongkl Signed-off-by: @weidongkl
2023-04-13 03:00:39 +00:00 · 2023-04-13 03:00:39 +00:00 · 4b14bd358e
commit 4b14bd358e
parent 4447e9c0b0 d5f00cb214
2 changed files with 47 additions and 1 deletions
--- a/backport-CVE-2023-1393.patch
+++ b/backport-CVE-2023-1393.patch
@ -0,0 +1,42 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH xserver] composite: Fix use-after-free of the COW
+ 
+ZDI-CAN-19866/CVE-2023-1393
+ 
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+ 
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+ 
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+ 
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+ 
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86..b30da589e 100644
+--- a/composite/compwindow.c
+++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
+
+    /* Did we just destroy the overlay window? */
+    if (pWin == cs->pOverlayWin)
+        cs->pOverlayWin = NULL;
+
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
+-- 
+2.40.0
+ 
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -16,7 +16,7 @@

 Name:           xorg-x11-server
 Version:        1.20.11
-Release:        17
+Release:        18
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@ -103,6 +103,7 @@ Patch6016: backport-Xi-return-an-error-from-XI-property-changes-if-verification-
 Patch6017: backport-CVE-2022-46344.patch
 Patch6018: backport-CVE-2022-4283.patch
 Patch6019: backport-CVE-2023-0494.patch
+Patch6020: backport-CVE-2023-1393.patch

 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex git gcc 
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@ -443,6 +444,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_mandir}/man*/*

 %changelog
+* Wed Apr 12 2023 liweiganga <liweiganga@uniontech.com> -1.20.11-18
+- fix CVE-2023-1393
+
 * Mon Mar 20 2023 liweiganga <liweiganga@uniontech.com> -1.20.11-17
 - feat: all man files is provided by help package