!70 fix CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011

Merge pull request !70 from yangcheng1203/master
2021-12-25 07:57:14 +00:00 · 2021-12-25 07:57:14 +00:00 · 7681b6140f
commit 7681b6140f
parent 424917ebcc f7c4c153fe
5 changed files with 167 additions and 1 deletions
--- a/backport-CVE-2021-4008.patch
+++ b/backport-CVE-2021-4008.patch
@ -0,0 +1,51 @@
 From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001
 From: Povilas Kanapickas <povilas@radix.lt>
 Date: Tue, 14 Dec 2021 15:00:03 +0200
 Subject: [PATCH] render: Fix out of bounds access in
 SProcRenderCompositeGlyphs()
 ZDI-CAN-14192, CVE-2021-4008
 This vulnerability was discovered and the fix was suggested by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
 ---
 render/render.c | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/render/render.c b/render/render.c
 index c376090ca..456f156d4 100644
 --- a/render/render.c
 +++ b/render/render.c
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
         i = elt->len;
         if (i == 0xff) {
 +            if (buffer + 4 > end) {
 +                return BadLength;
 +            }
             swapl((int *) buffer);
             buffer += 4;
         }
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
                 buffer += i;
                 break;
             case 2:
 +                if (buffer + i * 2 > end) {
 +                    return BadLength;
 +                }
                 while (i--) {
                     swaps((short *) buffer);
                     buffer += 2;
                 }
                 break;
             case 4:
 +                if (buffer + i * 4 > end) {
 +                    return BadLength;
 +                }
                 while (i--) {
                     swapl((int *) buffer);
                     buffer += 4;
 -- 
 GitLab
--- a/backport-CVE-2021-4009.patch
+++ b/backport-CVE-2021-4009.patch
@ -0,0 +1,42 @@
 From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
 From: Povilas Kanapickas <povilas@radix.lt>
 Date: Tue, 14 Dec 2021 15:00:01 +0200
 Subject: [PATCH] xfixes: Fix out of bounds access in
 *ProcXFixesCreatePointerBarrier()
 ZDI-CAN-14950, CVE-2021-4009
 This vulnerability was discovered and the fix was suggested by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
 ---
 xfixes/cursor.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/xfixes/cursor.c b/xfixes/cursor.c
 index 60580b88f..c5d4554b2 100644
 --- a/xfixes/cursor.c
 +++ b/xfixes/cursor.c
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
 {
     REQUEST(xXFixesCreatePointerBarrierReq);
 -    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
 +    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
 +                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     LEGAL_NEW_RESOURCE(stuff->barrier, client);
     return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
 -    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
 +    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
 +                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     swapl(&stuff->barrier);
     swapl(&stuff->window);
 -- 
 GitLab
--- a/backport-CVE-2021-4010.patch
+++ b/backport-CVE-2021-4010.patch
@ -0,0 +1,31 @@
 From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001
 From: Povilas Kanapickas <povilas@radix.lt>
 Date: Tue, 14 Dec 2021 15:00:02 +0200
 Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend()
 ZDI-CAN-14951, CVE-2021-4010
 This vulnerability was discovered and the fix was suggested by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
 ---
 Xext/saver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Xext/saver.c b/Xext/saver.c
 index 1d7e3cadf..f813ba08d 100644
 --- a/Xext/saver.c
 +++ b/Xext/saver.c
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
     REQUEST(xScreenSaverSuspendReq);
     swaps(&stuff->length);
 -    swapl(&stuff->suspend);
     REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
 +    swapl(&stuff->suspend);
     return ProcScreenSaverSuspend(client);
 }
 -- 
 GitLab
--- a/backport-CVE-2021-4011.patch
+++ b/backport-CVE-2021-4011.patch
@ -0,0 +1,32 @@
 From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
 From: Povilas Kanapickas <povilas@radix.lt>
 Date: Tue, 14 Dec 2021 15:00:00 +0200
 Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
 ZDI-CAN-14952, CVE-2021-4011
 This vulnerability was discovered and the fix was suggested by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
 ---
 record/record.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/record/record.c b/record/record.c
 index be154525d..e123867a7 100644
 --- a/record/record.c
 +++ b/record/record.c
@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
         swapl(pClientID);
     }
     if (stuff->nRanges >
 -        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
 -        - stuff->nClients)
 +        (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
 +        - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
         return BadLength;
     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
     return Success;
 -- 
 GitLab
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -16,7 +16,7 @@
 Name:           xorg-x11-server
 Version:        1.20.11
-Release:        1
+Release:        2
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@ -51,6 +51,10 @@ Patch0003: 0001-autobind-GPUs-to-the-screen.patch
 Patch0004: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch
 Patch0029: xorg-s11-server-CVE-2018-20839.patch
 Patch6000: backport-CVE-2021-4008.patch
 Patch6001: backport-CVE-2021-4009.patch
 Patch6002: backport-CVE-2021-4010.patch
 Patch6003: backport-CVE-2021-4011.patch
 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex git gcc 
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@ -392,6 +396,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_libdir}/xorg/protocol.txt
 %changelog
 * Sat Dec 25 2021 yangcheng<yangcheng87@huawei.com> - 1.20.11-2
 - Type:CVE
 - Id:CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011
 - SUG:NA
 - DESC:fix CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011
 * Fri Dec 3 2021 yangcheng<yangcheng87@huawei.com> - 1.20.11-1
 - upgrade to 1.20.11
 - split the main xorg-x11-server package