[Buildroot] [PATCH 1/1] package/x11r7/xserver_xorg-server: add security fix for CVE-2020-14347

[Buildroot] [PATCH 1/1] package/x11r7/xserver_xorg-server: add security fix for CVE-2020-14347

[Bernd Kuhls]

Release notes:
https://lists.x.org/archives/xorg-announce/2020-July/003051.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 .../1.20.8/0007-fix-for-ZDI-11426.patch       | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 package/x11r7/xserver_xorg-server/1.20.8/0007-fix-for-ZDI-11426.patch

diff --git a/package/x11r7/xserver_xorg-server/1.20.8/0007-fix-for-ZDI-11426.patch b/package/x11r7/xserver_xorg-server/1.20.8/0007-fix-for-ZDI-11426.patch
new file mode 100644
index 0000000000..ce623b24cb
--- /dev/null
+++ b/package/x11r7/xserver_xorg-server/1.20.8/0007-fix-for-ZDI-11426.patch
@@ -0,0 +1,36 @@
+From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sat, 25 Jul 2020 19:33:50 +0200
+Subject: [PATCH] fix for ZDI-11426
+
+Avoid leaking un-initalized memory to clients by zeroing the
+whole pixmap on initial allocation.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+[downloaded from upstream commit
+ https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816]
+---
+ dix/pixmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/pixmap.c b/dix/pixmap.c
+index 1186d7dbbf..5a0146bbb6 100644
+--- a/dix/pixmap.c
++++ b/dix/pixmap.c
+@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
+     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
+         return NullPixmap;
+ 
+-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
++    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
+     if (!pPixmap)
+         return NullPixmap;
+ 
+-- 
+GitLab
+
-- 
2.27.0

[Buildroot] [PATCH 1/1] package/x11r7/xserver_xorg-server: add security fix for CVE-2020-14347

[Thomas Petazzoni]

On Mon, 10 Aug 2020 08:41:09 +0200
Bernd Kuhls <bernd.kuhls@t-online.de> wrote:

> Release notes:
> https://lists.x.org/archives/xorg-announce/2020-July/003051.html
> 
> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ---
>  .../1.20.8/0007-fix-for-ZDI-11426.patch       | 36 +++++++++++++++++++
>  1 file changed, 36 insertions(+)
>  create mode 100644 package/x11r7/xserver_xorg-server/1.20.8/0007-fix-for-ZDI-11426.patch

You had forgotten to set XSERVER_XORG_SERVER_IGNORE_CVES to ignore
CVE-2020-14347 now that it is fixed by your patch. I have done so when
the selected X.org version is 1.20.

This raises a question: what about the older X.org server releases?
According to the NIST CVE entry, all versions prior to 1.20.9 are
affected, so should the patch be backported to the other X.org server
versions we support ?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 1/1] package/x11r7/xserver_xorg-server: add security fix for CVE-2020-14347

[Bernd Kuhls]

Am Tue, 11 Aug 2020 23:49:06 +0200 schrieb Thomas Petazzoni via buildroot:

> This raises a question: what about the older X.org server releases?
> According to the NIST CVE entry, all versions prior to 1.20.9 are
> affected, so should the patch be backported to the other X.org server
> versions we support ?

Hi Thomas,

the bump to 1.20.9 fixed four CVEs in total which makes backporting 
upstream patches more complicated as time passes by and new issues arise, 
upstream does not update the older branches anymore:
https://cgit.freedesktop.org/xorg/xserver/

Due to the fact that personally I have no use for the older X.org server 
versions I would like to raise the question whether we can remove them? 
From my POV these older versions are unmaintained in buildroot because I 
want to concentrate on the current release which is the one I am using.

Regards, Bernd

[Buildroot] [PATCH 1/1] package/x11r7/xserver_xorg-server: add security fix for CVE-2020-14347

[Peter Korsgaard]

>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

 > Am Tue, 11 Aug 2020 23:49:06 +0200 schrieb Thomas Petazzoni via buildroot:
 >> This raises a question: what about the older X.org server releases?
 >> According to the NIST CVE entry, all versions prior to 1.20.9 are
 >> affected, so should the patch be backported to the other X.org server
 >> versions we support ?

 > Hi Thomas,

 > the bump to 1.20.9 fixed four CVEs in total which makes backporting 
 > upstream patches more complicated as time passes by and new issues arise, 
 > upstream does not update the older branches anymore:
 > https://cgit.freedesktop.org/xorg/xserver/

 > Due to the fact that personally I have no use for the older X.org server 
 > versions I would like to raise the question whether we can remove them? 
 > From my POV these older versions are unmaintained in buildroot because I 
 > want to concentrate on the current release which is the one I am using.

They were added to support various binary X11 video drivers,
E.G. nvidia-tegra23 for 1.14.x and amd-catalyst for 1.19.x. Given that
none of them have seen any real updates for ~5 years, I am fine with
removing those packages and the older xserver versions.

Care to send patches for this?

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/1] package/x11r7/xserver_xorg-server: add security fix for CVE-2020-14347

[Bernd Kuhls]

Hi Peter,

Am Fri, 28 Aug 2020 20:48:27 +0200 schrieb Peter Korsgaard:

> They were added to support various binary X11 video drivers,
> E.G. nvidia-tegra23 for 1.14.x and amd-catalyst for 1.19.x. Given that
> none of them have seen any real updates for ~5 years, I am fine with
> removing those packages and the older xserver versions.
> 
> Care to send patches for this?

done: http://patchwork.ozlabs.org/project/buildroot/list/?series=198371

I have no idea and no time to investigate if there are alternative 
drivers available so I just removed the catalyst & tegra23 drivers.

Regards, Bernd

[Buildroot] [PATCH 1/1] package/x11r7/xserver_xorg-server: add security fix for CVE-2020-14347

[Peter Korsgaard]

>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

 > Release notes:
 > https://lists.x.org/archives/xorg-announce/2020-July/003051.html

 > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>

Committed to 2020.02.x and 2020.05.x, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/1] package/x11r7/xserver_xorg-server: add security fix

[Thomas Petazzoni]

Hello,

On Fri, 28 Aug 2020 19:03:25 +0200
Bernd Kuhls <bernd.kuhls@t-online.de> wrote:

> Due to the fact that personally I have no use for the older X.org server
> versions I would like to raise the question whether we can remove them?
> From my POV these older versions are unmaintained in buildroot because I
> want to concentrate on the current release which is the one I am using.

The problem comes from closed-source X.org drivers, which only work
with a certain X.org driver ABI.

We have amd-catalyst, which depends on ABI 19:

package/amd-catalyst/Config.in: depends on BR2_PACKAGE_XSERVER_XORG_SERVER_VIDEODRV_ABI_19

And nvidia-tegra23, which depends on ABI 14:

package/nvidia-tegra23/Config.in:       depends on BR2_PACKAGE_XSERVER_XORG_SERVER_VIDEODRV_ABI_14

So if we want to remove older X.org versions, we have to see if newer
versions of those drivers are available, and perhaps coordinate with
the maintainers of those drivers.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com