!70 fix CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011
Merge pull request !70 from yangcheng1203/master
This commit is contained in:
openeuler-ci-bot
Gitee
commit
7681b6140f
51
backport-CVE-2021-4008.patch
Normal file
51
backport-CVE-2021-4008.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:03 +0200
|
||||
Subject: [PATCH] render: Fix out of bounds access in
|
||||
SProcRenderCompositeGlyphs()
|
||||
|
||||
ZDI-CAN-14192, CVE-2021-4008
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
render/render.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/render/render.c b/render/render.c
|
||||
index c376090ca..456f156d4 100644
|
||||
--- a/render/render.c
|
||||
+++ b/render/render.c
|
||||
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
||||
|
||||
i = elt->len;
|
||||
if (i == 0xff) {
|
||||
+ if (buffer + 4 > end) {
|
||||
+ return BadLength;
|
||||
+ }
|
||||
swapl((int *) buffer);
|
||||
buffer += 4;
|
||||
}
|
||||
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
||||
buffer += i;
|
||||
break;
|
||||
case 2:
|
||||
+ if (buffer + i * 2 > end) {
|
||||
+ return BadLength;
|
||||
+ }
|
||||
while (i--) {
|
||||
swaps((short *) buffer);
|
||||
buffer += 2;
|
||||
}
|
||||
break;
|
||||
case 4:
|
||||
+ if (buffer + i * 4 > end) {
|
||||
+ return BadLength;
|
||||
+ }
|
||||
while (i--) {
|
||||
swapl((int *) buffer);
|
||||
buffer += 4;
|
||||
--
|
||||
GitLab
|
||||
42
backport-CVE-2021-4009.patch
Normal file
42
backport-CVE-2021-4009.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:01 +0200
|
||||
Subject: [PATCH] xfixes: Fix out of bounds access in
|
||||
*ProcXFixesCreatePointerBarrier()
|
||||
|
||||
ZDI-CAN-14950, CVE-2021-4009
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
xfixes/cursor.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
|
||||
index 60580b88f..c5d4554b2 100644
|
||||
--- a/xfixes/cursor.c
|
||||
+++ b/xfixes/cursor.c
|
||||
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
|
||||
{
|
||||
REQUEST(xXFixesCreatePointerBarrierReq);
|
||||
|
||||
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
||||
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
||||
LEGAL_NEW_RESOURCE(stuff->barrier, client);
|
||||
|
||||
return XICreatePointerBarrier(client, stuff);
|
||||
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
|
||||
|
||||
swaps(&stuff->length);
|
||||
swaps(&stuff->num_devices);
|
||||
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
||||
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
||||
|
||||
swapl(&stuff->barrier);
|
||||
swapl(&stuff->window);
|
||||
--
|
||||
GitLab
|
||||
31
backport-CVE-2021-4010.patch
Normal file
31
backport-CVE-2021-4010.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:02 +0200
|
||||
Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend()
|
||||
|
||||
ZDI-CAN-14951, CVE-2021-4010
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
Xext/saver.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xext/saver.c b/Xext/saver.c
|
||||
index 1d7e3cadf..f813ba08d 100644
|
||||
--- a/Xext/saver.c
|
||||
+++ b/Xext/saver.c
|
||||
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
|
||||
REQUEST(xScreenSaverSuspendReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
- swapl(&stuff->suspend);
|
||||
REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
|
||||
+ swapl(&stuff->suspend);
|
||||
return ProcScreenSaverSuspend(client);
|
||||
}
|
||||
|
||||
--
|
||||
GitLab
|
||||
32
backport-CVE-2021-4011.patch
Normal file
32
backport-CVE-2021-4011.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:00 +0200
|
||||
Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
|
||||
|
||||
ZDI-CAN-14952, CVE-2021-4011
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
record/record.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/record/record.c b/record/record.c
|
||||
index be154525d..e123867a7 100644
|
||||
--- a/record/record.c
|
||||
+++ b/record/record.c
|
||||
@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
|
||||
swapl(pClientID);
|
||||
}
|
||||
if (stuff->nRanges >
|
||||
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||
- - stuff->nClients)
|
||||
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
|
||||
return BadLength;
|
||||
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
||||
return Success;
|
||||
--
|
||||
GitLab
|
||||
@ -16,7 +16,7 @@
|
||||
|
||||
Name: xorg-x11-server
|
||||
Version: 1.20.11
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: X.Org X11 X server
|
||||
License: MIT and GPLv2
|
||||
URL: https://www.x.org
|
||||
@ -51,6 +51,10 @@ Patch0003: 0001-autobind-GPUs-to-the-screen.patch
|
||||
Patch0004: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch
|
||||
|
||||
Patch0029: xorg-s11-server-CVE-2018-20839.patch
|
||||
Patch6000: backport-CVE-2021-4008.patch
|
||||
Patch6001: backport-CVE-2021-4009.patch
|
||||
Patch6002: backport-CVE-2021-4010.patch
|
||||
Patch6003: backport-CVE-2021-4011.patch
|
||||
|
||||
BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc
|
||||
BuildRequires: systemtap-sdt-devel libtool pkgconfig
|
||||
@ -392,6 +396,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
|
||||
%{_libdir}/xorg/protocol.txt
|
||||
|
||||
%changelog
|
||||
* Sat Dec 25 2021 yangcheng<yangcheng87@huawei.com> - 1.20.11-2
|
||||
- Type:CVE
|
||||
- Id:CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011
|
||||
|
||||
* Fri Dec 3 2021 yangcheng<yangcheng87@huawei.com> - 1.20.11-1
|
||||
- upgrade to 1.20.11
|
||||
- split the main xorg-x11-server package
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user