* [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg
@ 2021-12-29 1:30 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 kai.kang
` (4 more replies)
0 siblings, 5 replies; 9+ messages in thread
From: kai.kang @ 2021-12-29 1:30 UTC (permalink / raw)
To: openembedded-core; +Cc: randy.macleod
From: Kai Kang <kai.kang@windriver.com>
Kai Kang (4):
xserver-xorg: fix CVE-2021-4008
xserver-xorg: fix CVE-2021-4009
xserver-xorg: fix CVE-2021-4010
xserver-xorg: fix CVE-2021-4011
.../xserver-xorg/CVE-2021-4008.patch | 59 +++++++++++++++++++
.../xserver-xorg/CVE-2021-4009.patch | 50 ++++++++++++++++
.../xserver-xorg/CVE-2021-4010.patch | 39 ++++++++++++
.../xserver-xorg/CVE-2021-4011.patch | 40 +++++++++++++
.../xorg-xserver/xserver-xorg_1.20.10.bb | 4 ++
5 files changed, 192 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch
--
2.17.1
^ permalink raw reply [flat|nested] 9+ messages in thread
* [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008
2021-12-29 1:30 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
@ 2021-12-29 1:30 ` kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 2/4] xserver-xorg: fix CVE-2021-4009 kai.kang
` (3 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: kai.kang @ 2021-12-29 1:30 UTC (permalink / raw)
To: openembedded-core; +Cc: randy.macleod
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2021-4008 for xserver-xorg.
CVE: CVE-2021-4008
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../xserver-xorg/CVE-2021-4008.patch | 59 +++++++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
2 files changed, 60 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
new file mode 100644
index 0000000000..3277be0185
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
@@ -0,0 +1,59 @@
+Backport patch to fix CVE-2021-4008.
+
+CVE: CVE-2021-4008
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:03 +0200
+Subject: [PATCH] render: Fix out of bounds access in
+ SProcRenderCompositeGlyphs()
+
+ZDI-CAN-14192, CVE-2021-4008
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ render/render.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/render/render.c b/render/render.c
+index c376090ca..456f156d4 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+
+ i = elt->len;
+ if (i == 0xff) {
++ if (buffer + 4 > end) {
++ return BadLength;
++ }
+ swapl((int *) buffer);
+ buffer += 4;
+ }
+@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+ buffer += i;
+ break;
+ case 2:
++ if (buffer + i * 2 > end) {
++ return BadLength;
++ }
+ while (i--) {
+ swaps((short *) buffer);
+ buffer += 2;
+ }
+ break;
+ case 4:
++ if (buffer + i * 4 > end) {
++ return BadLength;
++ }
+ while (i--) {
+ swapl((int *) buffer);
+ buffer += 4;
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
index e0551fa999..9a7aa1ed9a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \
file://CVE-2021-3472.patch \
file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \
+ file://CVE-2021-4008.patch \
"
SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [hardknott][PATCH 2/4] xserver-xorg: fix CVE-2021-4009
2021-12-29 1:30 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 kai.kang
@ 2021-12-29 1:30 ` kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 3/4] xserver-xorg: fix CVE-2021-4010 kai.kang
` (2 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: kai.kang @ 2021-12-29 1:30 UTC (permalink / raw)
To: openembedded-core; +Cc: randy.macleod
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2021-4009 for xserver-xorg.
CVE: CVE-2021-4009
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../xserver-xorg/CVE-2021-4009.patch | 50 +++++++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch
new file mode 100644
index 0000000000..ddfbb43ee4
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch
@@ -0,0 +1,50 @@
+Backport patch to fix CVE-2021-4009.
+
+CVE: CVE-2021-4009
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b519675]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:01 +0200
+Subject: [PATCH] xfixes: Fix out of bounds access in
+ *ProcXFixesCreatePointerBarrier()
+
+ZDI-CAN-14950, CVE-2021-4009
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ xfixes/cursor.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index 60580b88f..c5d4554b2 100644
+--- a/xfixes/cursor.c
++++ b/xfixes/cursor.c
+@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
+ {
+ REQUEST(xXFixesCreatePointerBarrierReq);
+
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+ LEGAL_NEW_RESOURCE(stuff->barrier, client);
+
+ return XICreatePointerBarrier(client, stuff);
+@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+
+ swaps(&stuff->length);
+ swaps(&stuff->num_devices);
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+
+ swapl(&stuff->barrier);
+ swapl(&stuff->window);
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
index 9a7aa1ed9a..ac32bb25c2 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2021-3472.patch \
file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \
file://CVE-2021-4008.patch \
+ file://CVE-2021-4009.patch \
"
SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [hardknott][PATCH 3/4] xserver-xorg: fix CVE-2021-4010
2021-12-29 1:30 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 2/4] xserver-xorg: fix CVE-2021-4009 kai.kang
@ 2021-12-29 1:30 ` kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 4/4] xserver-xorg: fix CVE-2021-4011 kai.kang
[not found] ` <16C515AB4535CCA0.27787@lists.openembedded.org>
4 siblings, 0 replies; 9+ messages in thread
From: kai.kang @ 2021-12-29 1:30 UTC (permalink / raw)
To: openembedded-core; +Cc: randy.macleod
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2021-4010 for xserver-xorg.
CVE: CVE-2021-4010
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../xserver-xorg/CVE-2021-4010.patch | 39 +++++++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch
new file mode 100644
index 0000000000..06ebe7d077
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch
@@ -0,0 +1,39 @@
+Backport patch to fix CVE-2021-4010.
+
+CVE: CVE-2021-4010
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c4c530]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:02 +0200
+Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend()
+
+ZDI-CAN-14951, CVE-2021-4010
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 1d7e3cadf..f813ba08d 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
+ REQUEST(xScreenSaverSuspendReq);
+
+ swaps(&stuff->length);
+- swapl(&stuff->suspend);
+ REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
++ swapl(&stuff->suspend);
+ return ProcScreenSaverSuspend(client);
+ }
+
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
index ac32bb25c2..84b0acb42f 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -11,6 +11,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \
file://CVE-2021-4008.patch \
file://CVE-2021-4009.patch \
+ file://CVE-2021-4010.patch \
"
SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [hardknott][PATCH 4/4] xserver-xorg: fix CVE-2021-4011
2021-12-29 1:30 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
` (2 preceding siblings ...)
2021-12-29 1:30 ` [hardknott][PATCH 3/4] xserver-xorg: fix CVE-2021-4010 kai.kang
@ 2021-12-29 1:30 ` kai.kang
[not found] ` <16C515AB4535CCA0.27787@lists.openembedded.org>
4 siblings, 0 replies; 9+ messages in thread
From: kai.kang @ 2021-12-29 1:30 UTC (permalink / raw)
To: openembedded-core; +Cc: randy.macleod
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2021-4011 for xserver-xorg.
CVE: CVE-2021-4011
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../xserver-xorg/CVE-2021-4011.patch | 40 +++++++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch
new file mode 100644
index 0000000000..c7eb03091d
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch
@@ -0,0 +1,40 @@
+Backport patch to fix CVE-2021-4011.
+
+CVE: CVE-2021-4011
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e56f61c]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:00 +0200
+Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
+
+ZDI-CAN-14952, CVE-2021-4011
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ record/record.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index be154525d..e123867a7 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+- - stuff->nClients)
++ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+ return Success;
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
index 84b0acb42f..58f1eb328e 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2021-4008.patch \
file://CVE-2021-4009.patch \
file://CVE-2021-4010.patch \
+ file://CVE-2021-4011.patch \
"
SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008
[not found] ` <16C515AB4535CCA0.27787@lists.openembedded.org>
@ 2022-01-07 2:56 ` Kai
2022-01-07 7:51 ` Mittal, Anuj
0 siblings, 1 reply; 9+ messages in thread
From: Kai @ 2022-01-07 2:56 UTC (permalink / raw)
To: openembedded-core; +Cc: randy.macleod
[-- Attachment #1: Type: text/plain, Size: 3988 bytes --]
On 12/29/21 9:30 AM, kai wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Backport patch to fix CVE-2021-4008 for xserver-xorg.
>
> CVE: CVE-2021-4008
Ping.
Kai
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
> .../xserver-xorg/CVE-2021-4008.patch | 59 +++++++++++++++++++
> .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
> 2 files changed, 60 insertions(+)
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
> new file mode 100644
> index 0000000000..3277be0185
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
> @@ -0,0 +1,59 @@
> +Backport patch to fix CVE-2021-4008.
> +
> +CVE: CVE-2021-4008
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2]
> +
> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
> +
> +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001
> +From: Povilas Kanapickas <povilas@radix.lt>
> +Date: Tue, 14 Dec 2021 15:00:03 +0200
> +Subject: [PATCH] render: Fix out of bounds access in
> + SProcRenderCompositeGlyphs()
> +
> +ZDI-CAN-14192, CVE-2021-4008
> +
> +This vulnerability was discovered and the fix was suggested by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
> +---
> + render/render.c | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/render/render.c b/render/render.c
> +index c376090ca..456f156d4 100644
> +--- a/render/render.c
> ++++ b/render/render.c
> +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
> +
> + i = elt->len;
> + if (i == 0xff) {
> ++ if (buffer + 4 > end) {
> ++ return BadLength;
> ++ }
> + swapl((int *) buffer);
> + buffer += 4;
> + }
> +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
> + buffer += i;
> + break;
> + case 2:
> ++ if (buffer + i * 2 > end) {
> ++ return BadLength;
> ++ }
> + while (i--) {
> + swaps((short *) buffer);
> + buffer += 2;
> + }
> + break;
> + case 4:
> ++ if (buffer + i * 4 > end) {
> ++ return BadLength;
> ++ }
> + while (i--) {
> + swapl((int *) buffer);
> + buffer += 4;
> +--
> +GitLab
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> index e0551fa999..9a7aa1ed9a 100644
> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> @@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
> file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \
> file://CVE-2021-3472.patch \
> file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \
> + file://CVE-2021-4008.patch \
> "
> SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160043): https://lists.openembedded.org/g/openembedded-core/message/160043
> Mute This Topic: https://lists.openembedded.org/mt/88007524/3616933
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [kai.kang@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
Kai Kang
Wind River Linux
[-- Attachment #2: Type: text/html, Size: 5780 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008
2022-01-07 2:56 ` [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 Kai
@ 2022-01-07 7:51 ` Mittal, Anuj
2022-01-07 7:56 ` Kai
0 siblings, 1 reply; 9+ messages in thread
From: Mittal, Anuj @ 2022-01-07 7:51 UTC (permalink / raw)
To: kai.kang, openembedded-core; +Cc: randy.macleod
On Fri, 2022-01-07 at 10:56 +0800, kai wrote:
> On 12/29/21 9:30 AM, kai wrote:
>
> > From: Kai Kang <kai.kang@windriver.com>
> >
> > Backport patch to fix CVE-2021-4008 for xserver-xorg.
> >
> > CVE: CVE-2021-4008
> Ping.
> Kai
>
This is in this week's pull request and should get merged soon.
Thanks,
Anuj
> >
> > Signed-off-by: Kai Kang <kai.kang@windriver.com>
> > ---
> > .../xserver-xorg/CVE-2021-4008.patch | 59
> > +++++++++++++++++++
> > .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
> > 2 files changed, 60 insertions(+)
> > create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-
> > xorg/CVE-2021-4008.patch
> >
> > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-
> > 2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-
> > xorg/CVE-2021-4008.patch
> > new file mode 100644
> > index 0000000000..3277be0185
> > --- /dev/null
> > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-
> > 4008.patch
> > @@ -0,0 +1,59 @@
> > +Backport patch to fix CVE-2021-4008.
> > +
> > +CVE: CVE-2021-4008
> > +Upstream-Status: Backport
> > [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2]
> > +
> > +Signed-off-by: Kai Kang <kai.kang@windriver.com>
> > +
> > +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00
> > 2001
> > +From: Povilas Kanapickas <povilas@radix.lt>
> > +Date: Tue, 14 Dec 2021 15:00:03 +0200
> > +Subject: [PATCH] render: Fix out of bounds access in
> > + SProcRenderCompositeGlyphs()
> > +
> > +ZDI-CAN-14192, CVE-2021-4008
> > +
> > +This vulnerability was discovered and the fix was suggested by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
> > +---
> > + render/render.c | 9 +++++++++
> > + 1 file changed, 9 insertions(+)
> > +
> > +diff --git a/render/render.c b/render/render.c
> > +index c376090ca..456f156d4 100644
> > +--- a/render/render.c
> > ++++ b/render/render.c
> > +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
> > +
> > + i = elt->len;
> > + if (i == 0xff) {
> > ++ if (buffer + 4 > end) {
> > ++ return BadLength;
> > ++ }
> > + swapl((int *) buffer);
> > + buffer += 4;
> > + }
> > +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr
> > client)
> > + buffer += i;
> > + break;
> > + case 2:
> > ++ if (buffer + i * 2 > end) {
> > ++ return BadLength;
> > ++ }
> > + while (i--) {
> > + swaps((short *) buffer);
> > + buffer += 2;
> > + }
> > + break;
> > + case 4:
> > ++ if (buffer + i * 4 > end) {
> > ++ return BadLength;
> > ++ }
> > + while (i--) {
> > + swapl((int *) buffer);
> > + buffer += 4;
> > +--
> > +GitLab
> > +
> > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-
> > xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-
> > xorg_1.20.10.bb
> > index e0551fa999..9a7aa1ed9a 100644
> > --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> > @@ -9,6 +9,7 @@ SRC_URI +=
> > "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.p
> > at
> > file://0001-Fix-segfault-on-probing-a-non-PCI-platform-
> > device-on.patch \
> > file://CVE-2021-3472.patch \
> >
> > file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \
> > + file://CVE-2021-4008.patch \
> > "
> > SRC_URI[sha256sum] =
> > "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
> >
> >
> >
> >
> >
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160247):
> https://lists.openembedded.org/g/openembedded-core/message/160247
> Mute This Topic: https://lists.openembedded.org/mt/88254273/3616702
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [
> anuj.mittal@intel.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008
2022-01-07 7:51 ` Mittal, Anuj
@ 2022-01-07 7:56 ` Kai
0 siblings, 0 replies; 9+ messages in thread
From: Kai @ 2022-01-07 7:56 UTC (permalink / raw)
To: Mittal, Anuj, openembedded-core; +Cc: randy.macleod
On 1/7/22 3:51 PM, Mittal, Anuj wrote:
> On Fri, 2022-01-07 at 10:56 +0800, kai wrote:
>> On 12/29/21 9:30 AM, kai wrote:
>>
>>> From: Kai Kang <kai.kang@windriver.com>
>>>
>>> Backport patch to fix CVE-2021-4008 for xserver-xorg.
>>>
>>> CVE: CVE-2021-4008
>> Ping.
>> Kai
>>
> This is in this week's pull request and should get merged soon.
Thanks.
Kai
>
> Thanks,
>
> Anuj
>
>>> Signed-off-by: Kai Kang <kai.kang@windriver.com>
>>> ---
>>> .../xserver-xorg/CVE-2021-4008.patch | 59
>>> +++++++++++++++++++
>>> .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
>>> 2 files changed, 60 insertions(+)
>>> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-
>>> xorg/CVE-2021-4008.patch
>>>
>>> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-
>>> 2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-
>>> xorg/CVE-2021-4008.patch
>>> new file mode 100644
>>> index 0000000000..3277be0185
>>> --- /dev/null
>>> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-
>>> 4008.patch
>>> @@ -0,0 +1,59 @@
>>> +Backport patch to fix CVE-2021-4008.
>>> +
>>> +CVE: CVE-2021-4008
>>> +Upstream-Status: Backport
>>> [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2]
>>> +
>>> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
>>> +
>>> +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00
>>> 2001
>>> +From: Povilas Kanapickas <povilas@radix.lt>
>>> +Date: Tue, 14 Dec 2021 15:00:03 +0200
>>> +Subject: [PATCH] render: Fix out of bounds access in
>>> + SProcRenderCompositeGlyphs()
>>> +
>>> +ZDI-CAN-14192, CVE-2021-4008
>>> +
>>> +This vulnerability was discovered and the fix was suggested by:
>>> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
>>> +
>>> +Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
>>> +---
>>> + render/render.c | 9 +++++++++
>>> + 1 file changed, 9 insertions(+)
>>> +
>>> +diff --git a/render/render.c b/render/render.c
>>> +index c376090ca..456f156d4 100644
>>> +--- a/render/render.c
>>> ++++ b/render/render.c
>>> +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
>>> +
>>> + i = elt->len;
>>> + if (i == 0xff) {
>>> ++ if (buffer + 4 > end) {
>>> ++ return BadLength;
>>> ++ }
>>> + swapl((int *) buffer);
>>> + buffer += 4;
>>> + }
>>> +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr
>>> client)
>>> + buffer += i;
>>> + break;
>>> + case 2:
>>> ++ if (buffer + i * 2 > end) {
>>> ++ return BadLength;
>>> ++ }
>>> + while (i--) {
>>> + swaps((short *) buffer);
>>> + buffer += 2;
>>> + }
>>> + break;
>>> + case 4:
>>> ++ if (buffer + i * 4 > end) {
>>> ++ return BadLength;
>>> ++ }
>>> + while (i--) {
>>> + swapl((int *) buffer);
>>> + buffer += 4;
>>> +--
>>> +GitLab
>>> +
>>> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-
>>> xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-
>>> xorg_1.20.10.bb
>>> index e0551fa999..9a7aa1ed9a 100644
>>> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
>>> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
>>> @@ -9,6 +9,7 @@ SRC_URI +=
>>> "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.p
>>> at
>>> file://0001-Fix-segfault-on-probing-a-non-PCI-platform-
>>> device-on.patch \
>>> file://CVE-2021-3472.patch \
>>>
>>> file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \
>>> + file://CVE-2021-4008.patch \
>>> "
>>> SRC_URI[sha256sum] =
>>> "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
>>>
>>>
>>>
>>>
>>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#160247):
>> https://lists.openembedded.org/g/openembedded-core/message/160247
>> Mute This Topic: https://lists.openembedded.org/mt/88254273/3616702
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe:
>> https://lists.openembedded.org/g/openembedded-core/unsub [
>> anuj.mittal@intel.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
--
Kai Kang
Wind River Linux
^ permalink raw reply [flat|nested] 9+ messages in thread
* [hardknott][PATCH 4/4] xserver-xorg: fix CVE-2021-4011
2021-12-28 9:29 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
@ 2021-12-28 9:29 ` kai.kang
0 siblings, 0 replies; 9+ messages in thread
From: kai.kang @ 2021-12-28 9:29 UTC (permalink / raw)
To: openembedded-devel
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2021-4011 for xserver-xorg.
CVE: CVE-2021-4011
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../xserver-xorg/CVE-2021-4011.patch | 40 +++++++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch
new file mode 100644
index 0000000000..c7eb03091d
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch
@@ -0,0 +1,40 @@
+Backport patch to fix CVE-2021-4011.
+
+CVE: CVE-2021-4011
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e56f61c]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:00 +0200
+Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
+
+ZDI-CAN-14952, CVE-2021-4011
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ record/record.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index be154525d..e123867a7 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+- - stuff->nClients)
++ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+ return Success;
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
index 84b0acb42f..58f1eb328e 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2021-4008.patch \
file://CVE-2021-4009.patch \
file://CVE-2021-4010.patch \
+ file://CVE-2021-4011.patch \
"
SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
end of thread, other threads:[~2022-01-07 7:56 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-29 1:30 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 2/4] xserver-xorg: fix CVE-2021-4009 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 3/4] xserver-xorg: fix CVE-2021-4010 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 4/4] xserver-xorg: fix CVE-2021-4011 kai.kang
[not found] ` <16C515AB4535CCA0.27787@lists.openembedded.org>
2022-01-07 2:56 ` [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 Kai
2022-01-07 7:51 ` Mittal, Anuj
2022-01-07 7:56 ` Kai
-- strict thread matches above, loose matches on Subject: below --
2021-12-28 9:29 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
2021-12-28 9:29 ` [hardknott][PATCH 4/4] xserver-xorg: fix CVE-2021-4011 kai.kang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.