Commit d2d20037 authored by Leo's avatar Leo

main/xorg-server: fix various CVEs

CVE-2020-14345
CVE-2020-14346
CVE-2020-14361
CVE-2020-14362

See: #12035
parent 60dd7884
Pipeline #54517 passed with stages
in 23 minutes and 47 seconds
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xorg-server
pkgver=1.20.6
pkgrel=1
pkgrel=2
pkgdesc="X.Org X servers"
url="https://www.x.org/wiki"
arch="all"
......@@ -59,9 +59,18 @@ source="https://www.x.org/releases/individual/xserver/$pkgname-$pkgver.tar.bz2
autoconfig-nvidia.patch
autoconfig-sis.patch
CVE-2020-14347.patch
CVE-2020-14345.patch
CVE-2020-14346.patch
CVE-2020-14361.patch
CVE-2020-14362.patch
"
# secfixes:
# 1.20.6-r2:
# - CVE-2020-14345
# - CVE-2020-14346
# - CVE-2020-14361
# - CVE-2020-14362
# 1.20.6-r1:
# - CVE-2020-14347
# 1.20.3-r0:
......@@ -168,8 +177,11 @@ xwayland() {
mkdir -p "$subpkgdir"/usr/bin
mv "$pkgdir"/usr/bin/Xwayland "$subpkgdir"/usr/bin/
}
sha512sums="9aa0ba4aee92fe628f2b8c41e4fe0134dc86154bb8787f907884ef2fd970e18e68e72ea8a1beb706d11ecf155b2abc9731f1abadff251ed592f8cca3b1240dd6 xorg-server-1.20.6.tar.bz2
016d10e59681d36be19aacc1505103bd340a5e81855e551997b42f8b54796be46fb2d91be8d1aa3bebb10d34e51258be9de1299c2e351b840450de38ff103df0 autoconfig-nvidia.patch
30a78f4278edd535c45ee3f80933427cb029a13abaa4b041f816515fdd8f64f00b9c6aef50d4eba2aaf0d4f333e730399864fd97fa18891273601c77a6637200 autoconfig-sis.patch
e2f1de245d526fbfe48011aaa1236ce16de9af4468e4825a233569c49c6f85cb046d019b1d1df45e39cab5df3742e82f41bb3444a1b0ee5e02fda4005d188e35 CVE-2020-14347.patch"
e2f1de245d526fbfe48011aaa1236ce16de9af4468e4825a233569c49c6f85cb046d019b1d1df45e39cab5df3742e82f41bb3444a1b0ee5e02fda4005d188e35 CVE-2020-14347.patch
3e411cb0af272b3f89ce9b8bb7e35eef703b4a01d8722331aaf3d365cd7867a28deee8d5224ceb8fe0cd63e9cf600f05d7360aa5ffb4c0ae2655e80e6430f7f9 CVE-2020-14345.patch
6981bb37302e6c6afc6e389698eef1e1021577a6ac54a81ec0470cc198a975274db8a2b6d9ecd0b22a1c8bb6aff07d37030c3cd451467452e6a05203f942e296 CVE-2020-14346.patch
4acf43c8a08a3ee3012cf9ae1af517bf8f7cc493316e6d9f5b55f39b205f22406b757618024e70ed98f9c56baa238ed166bcf8aa26995d33183e1e323c48f9c8 CVE-2020-14361.patch
0fa92233e405b74de6dc4ee144d995581f0ab7fbf7ee5f8410e4a842496724ac9425ed6406881d005e4fc70d01d4d05c4aff83491683f3e270e9ba360cb94d52 CVE-2020-14362.patch"
From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:46:32 +0200
Subject: [PATCH] Correct bounds checking in XkbSetNames()
CVE-2020-14345 / ZDI 11428
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index d93078a6e3..8e016cd746 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
#define CHK_REQ_KEY_RANGE(err,first,num,r) \
CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+static Bool
+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
+ char *cstuff = (char *)stuff;
+ char *cfrom = (char *)from;
+ char *cto = (char *)to;
+
+ return cfrom < cto &&
+ cfrom >= cstuff &&
+ cfrom < cstuff + ((size_t)client->req_len << 2) &&
+ cto >= cstuff &&
+ cto <= cstuff + ((size_t)client->req_len << 2);
+}
+
/***====================================================================***/
int
@@ -4048,6 +4061,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
return BadAccess;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
+ return BadLength;
old = tmp;
tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
if (!tmp) {
@@ -4077,6 +4092,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
}
width = (CARD8 *) tmp;
tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
+ return BadLength;
type = &xkb->map->types[stuff->firstKTLevel];
for (i = 0; i < stuff->nKTLevels; i++, type++) {
if (width[i] == 0)
@@ -4086,6 +4103,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
type->num_levels, width[i]);
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
+ return BadLength;
tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
if (!tmp) {
client->errorValue = bad;
@@ -4098,6 +4117,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x08;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->indicators)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
client->swapped, &bad);
if (!tmp) {
@@ -4110,6 +4132,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x09;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->virtualMods)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
(CARD32) stuff->virtualMods,
client->swapped, &bad);
@@ -4123,6 +4148,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = 0x0a;
return BadMatch;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + Ones(stuff->groupNames)))
+ return BadLength;
tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
(CARD32) stuff->groupNames,
client->swapped, &bad);
@@ -4144,9 +4172,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
stuff->nKeys);
return BadValue;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
+ return BadLength;
tmp += stuff->nKeys;
}
if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + (stuff->nKeyAliases * 2)))
+ return BadLength;
tmp += stuff->nKeyAliases * 2;
}
if (stuff->which & XkbRGNamesMask) {
@@ -4154,6 +4187,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
return BadValue;
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
+ tmp + stuff->nRadioGroups))
+ return BadLength;
tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
if (!tmp) {
client->errorValue = bad;
@@ -4347,6 +4383,8 @@ ProcXkbSetNames(ClientPtr client)
/* check device-independent stuff */
tmp = (CARD32 *) &stuff[1];
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbKeycodesNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4354,6 +4392,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbGeometryNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4361,6 +4401,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbSymbolsNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4368,6 +4410,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbPhysSymbolsNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4375,6 +4419,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbTypesNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
@@ -4382,6 +4428,8 @@ ProcXkbSetNames(ClientPtr client)
return BadAtom;
}
}
+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
+ return BadLength;
if (stuff->which & XkbCompatNameMask) {
tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
if (!tmp) {
--
GitLab
From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:49:04 +0200
Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
CVE-2020-14346 / ZDI-CAN-11429
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
Xi/xichangehierarchy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index cbdd912581..504defe566 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
--
GitLab
From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:52:29 +0200
Subject: [PATCH] Fix XkbSelectEvents() integer underflow
CVE-2020-14361 ZDI-CAN 11573
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
xkb/xkbSwap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 1c1ed5ff46..50cabb90e5 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
register unsigned bit, ndx, maskLeft, dataLeft, size;
from.c8 = (CARD8 *) &stuff[1];
- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
--
GitLab
From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:55:01 +0200
Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
CVE-2020-14362 ZDI-CAN-11574
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
record/record.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/record/record.c b/record/record.c
index f2d38c877e..be154525d2 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */
static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{
int i;
XID *pClientID;
@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
swapl(&stuff->nRanges);
pClientID = (XID *) &stuff[1];
if (stuff->nClients >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) {
swapl(pClientID);
}
if (stuff->nRanges >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients)
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
--
GitLab
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment