fix CVE-2020-14346,CVE-2020-14361,CVE-2020-14362

2020-12-08 20:10:23 +08:00 · 2020-12-08 20:10:23 +08:00 · d720b22fb9
commit d720b22fb9
parent 3308d86bad
4 changed files with 138 additions and 1 deletions
--- a/CVE-2020-14346.patch
+++ b/CVE-2020-14346.patch
@ -0,0 +1,31 @@
+From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:49:04 +0200
+Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
+
+CVE-2020-14346 / ZDI-CAN-11429
+reference：https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/xichangehierarchy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index cbdd912..504defe 100644
+--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+     if (!stuff->num_changes)
+         return rc;
+ 
+-    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+    len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
+ 
+     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+     while (stuff->num_changes--) {
+-- 
+2.27.0
--- a/CVE-2020-14361.patch
+++ b/CVE-2020-14361.patch
@ -0,0 +1,32 @@
+From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:52:29 +0200
+Subject: [PATCH] Fix XkbSelectEvents() integer underflow
+
+CVE-2020-14361 ZDI-CAN 11573
+reference：https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+---
+ xkb/xkbSwap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
+index 1c1ed5f..50cabb9 100644
+--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
+@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
+         register unsigned bit, ndx, maskLeft, dataLeft, size;
+ 
+         from.c8 = (CARD8 *) &stuff[1];
+-        dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+        dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+         maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
+         for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
+             if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
+-- 
+2.27.0
--- a/CVE-2020-14362.patch
+++ b/CVE-2020-14362.patch
@ -0,0 +1,65 @@
+From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
+
+CVE-2020-14362 ZDI-CAN-11574
+reference：https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ record/record.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index f0b739b..05d751a 100644
+--- a/record/record.c
+++ b/record/record.c
+@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ }                               /* SProcRecordQueryVersion */
+ 
+ static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ {
+     int i;
+     XID *pClientID;
+@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+     swapl(&stuff->nRanges);
+     pClientID = (XID *) &stuff[1];
+     if (stuff->nClients >
+-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+         return BadLength;
+     for (i = 0; i < stuff->nClients; i++, pClientID++) {
+         swapl(pClientID);
+     }
+     if (stuff->nRanges >
+-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+         - stuff->nClients)
+         return BadLength;
+     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
+ 
+     swaps(&stuff->length);
+     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+         return status;
+     return ProcRecordCreateContext(client);
+ }                               /* SProcRecordCreateContext */
+@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
+ 
+     swaps(&stuff->length);
+     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+         return status;
+     return ProcRecordRegisterClients(client);
+ }                               /* SProcRecordRegisterClients */
+-- 
+2.27.0
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -16,7 +16,7 @@

 Name:           xorg-x11-server
 Version:        1.20.8
-Release:        1
+Release:        2
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@ -78,6 +78,9 @@ Patch0026: 0022-xwayland-Call-xwl_window_check_resolution_change_emu.patch
 Patch0027: 0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch
 Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch
 Patch0029: xorg-s11-server-CVE-2018-20839.patch
+Patch0030: CVE-2020-14346.patch
+Patch0031: CVE-2020-14361.patch
+Patch0032: CVE-2020-14362.patch

 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@ -320,6 +323,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_libdir}/xorg/protocol.txt

 %changelog
+* Tue Dec 08 2020 zhanzhimin<zhanzhimin@huawei.com> - 1.20.8-2
+- Type:CVE
+- Id:CVE-2020-14346,CVE-2020-14361,CVE-2020-14362
+- SUG:NA
+- DESC:fix CVE-2020-14346,CVE-2020-14361,CVE-2020-14362
+
 * Tue Jul 28 2020 chengguipeng<chengguipeng1@huawei.com> - 1.20.8-1
 - Type:enhancement
 - Id:NA