packages/xorg-x11-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-14346,CVE-2020-14361,CVE-2020-14362

Browse Source
This commit is contained in:
zhanzhimin 2020-12-08 20:10:23 +08:00
parent 3308d86bad
commit d720b22fb9
4 changed files with 138 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
CVE-2020-14346.patch Normal file
View File

@ -0,0 +1,31 @@
From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:49:04 +0200
Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
CVE-2020-14346 / ZDI-CAN-11429
referencehttps://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
Xi/xichangehierarchy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index cbdd912..504defe 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
--
2.27.0

32
CVE-2020-14361.patch Normal file
View File

@ -0,0 +1,32 @@
From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:52:29 +0200
Subject: [PATCH] Fix XkbSelectEvents() integer underflow
CVE-2020-14361 ZDI-CAN 11573
referencehttps://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
xkb/xkbSwap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 1c1ed5f..50cabb9 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
register unsigned bit, ndx, maskLeft, dataLeft, size;
from.c8 = (CARD8 *) &stuff[1];
- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
--
2.27.0

65
CVE-2020-14362.patch Normal file
View File

@ -0,0 +1,65 @@
From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:55:01 +0200
Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
CVE-2020-14362 ZDI-CAN-11574
referencehttps://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
record/record.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/record/record.c b/record/record.c
index f0b739b..05d751a 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */
static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{
int i;
XID *pClientID;
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
swapl(&stuff->nRanges);
pClientID = (XID *) &stuff[1];
if (stuff->nClients >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) {
swapl(pClientID);
}
if (stuff->nRanges >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients)
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
--
2.27.0

11
xorg-x11-server.spec
View File

@ -16,7 +16,7 @@
Name: xorg-x11-server Name: xorg-x11-server
Version: 1.20.8 Version: 1.20.8
Release: 1 Release: 2
Summary: X.Org X11 X server Summary: X.Org X11 X server
License: MIT and GPLv2 License: MIT and GPLv2
URL: https://www.x.org URL: https://www.x.org
@ -78,6 +78,9 @@ Patch0026: 0022-xwayland-Call-xwl_window_check_resolution_change_emu.patch
Patch0027: 0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch Patch0027: 0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch
Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch
Patch0029: xorg-s11-server-CVE-2018-20839.patch Patch0029: xorg-s11-server-CVE-2018-20839.patch
Patch0030: CVE-2020-14346.patch
Patch0031: CVE-2020-14361.patch
Patch0032: CVE-2020-14362.patch
BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git
BuildRequires: systemtap-sdt-devel libtool pkgconfig BuildRequires: systemtap-sdt-devel libtool pkgconfig
@ -320,6 +323,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
%{_libdir}/xorg/protocol.txt %{_libdir}/xorg/protocol.txt
%changelog %changelog
* Tue Dec 08 2020 zhanzhimin<zhanzhimin@huawei.com> - 1.20.8-2
- Type:CVE
- Id:CVE-2020-14346,CVE-2020-14361,CVE-2020-14362
- SUG:NA
- DESC:fix CVE-2020-14346,CVE-2020-14361,CVE-2020-14362
* Tue Jul 28 2020 chengguipeng<chengguipeng1@huawei.com> - 1.20.8-1 * Tue Jul 28 2020 chengguipeng<chengguipeng1@huawei.com> - 1.20.8-1
- Type:enhancement - Type:enhancement
- Id:NA - Id:NA