!35 fix CVE-2021-3472

From: @zzm_567 Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
2021-06-05 15:24:50 +08:00 · 2021-06-05 15:24:50 +08:00 · edf69416f8
commit edf69416f8
parent 0f8e1f3ded c0945cd06c
2 changed files with 47 additions and 4 deletions
--- a/backport-CVE-2021-3472.patch
+++ b/backport-CVE-2021-3472.patch
@ -0,0 +1,36 @@
 From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
 From: Matthieu Herrb <matthieu@herrb.eu>
 Date: Sun, 21 Mar 2021 18:38:57 +0100
 Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
 CVE-2021-3472 / ZDI-CAN-1259
 This vulnerability was discovered by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
 ---
 Xi/chgfctl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
 index 1de4da9..7a597e4 100644
 --- a/Xi/chgfctl.c
 +++ b/Xi/chgfctl.c
@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
         break;
     case StringFeedbackClass:
     {
 -        xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
 +        xStringFeedbackCtl *f;
 +        REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
 +                                    sizeof(xStringFeedbackCtl));
 +        f = ((xStringFeedbackCtl *) &stuff[1]);
         if (client->swapped) {
             if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
                 return BadLength;
 -- 
 2.23.0
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -16,7 +16,7 @@
 Name:           xorg-x11-server
 Version:        1.20.10
-Release:        1
+Release:        2
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@ -78,6 +78,7 @@ Patch0026: 0022-xwayland-Call-xwl_window_check_resolution_change_emu.patch
 Patch0027: 0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch
 Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch
 Patch0029: xorg-s11-server-CVE-2018-20839.patch
 Patch0030: backport-CVE-2021-3472.patch
 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@ -187,9 +188,9 @@ test `getminor extension` == %{extension_minor}
 %build
-export LDFLAGS="$RPM_LD_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-ld"
+export LDFLAGS="$RPM_LD_FLAGS -specs=/usr/lib/rpm/generic-hardened-ld"
-export CXXFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-cc1"
+export CXXFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/generic-hardened-cc1"
-export CFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-cc1"
+export CFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/generic-hardened-cc1"
 %ifnarch %{ix86} x86_64
 %global no_int10 --disable-vbe --disable-int10-module
@ -320,6 +321,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_libdir}/xorg/protocol.txt
 %changelog
 * Thu Jun 03 2021 zhanzhimin<zhanzhimin@huawei.com> - 1.20.10-2
 - Type:CVE
 - Id:CVE-2021-3472
 - SUG:NA
 - DESC:fix CVE-2021-3472
 * Sat Jan 30 2021 jinzhimin<jinzhmin2@huawei.com> - 1.20.10-1
 - Upgrade to 1.20.10