Julien Cristau pushed to branch debian-unstable at X Strike Force / xserver / xorg-server


Commits:
80c6923d by Olivier Fourdan at 2023-03-29T15:10:10+02:00
composite: Fix use-after-free of the COW

ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <[email protected]>
Reviewed-by: Adam Jackson <[email protected]>
(cherry picked from commit 26ef545b3502f61ca722a7a3373507e88ef64110)

- - - - -
55908a43 by Julien Cristau at 2023-03-29T15:11:30+02:00
Upload to unstable

- - - - -


2 changed files:

- composite/compwindow.c
- debian/changelog


Changes:

=====================================
composite/compwindow.c
=====================================
@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
     ret = (*pScreen->DestroyWindow) (pWin);
     cs->DestroyWindow = pScreen->DestroyWindow;
     pScreen->DestroyWindow = compDestroyWindow;
+
+    /* Did we just destroy the overlay window? */
+    if (pWin == cs->pOverlayWin)
+        cs->pOverlayWin = NULL;
+
 /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
     return ret;
 }
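Review bot: In compDestroyWindow the new `pWin == cs->pOverlayWin` check sits after `(*pScreen->DestroyWindow) (pWin)` has returned, so cs->pOverlayWin still points at the window being destroyed for the whole duration of the wrapped call. The comparison only uses the pointer value and never dereferences pWin, so the check itself is safe where it is. If nothing in the wrapped chain needs the overlay pointer, consider doing the comparison and the clear before the wrapped call; otherwise extend the comment to say why the clear has to happen at this point and that it exists to avoid the dangling pointer described in the commit message.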


=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+xorg-server (2:21.1.7-2) unstable; urgency=high
+
+  * composite: Fix use-after-free of the COW
+    ZDI-CAN-19866/CVE-2023-1393
+
+ -- Julien Cristau <[email protected]>  Wed, 29 Mar 2023 15:11:07 +0200
+
 xorg-server (2:21.1.7-1) unstable; urgency=medium
 
   * New upstream release
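Review bot: The new 2:21.1.7-2 entry names ZDI-CAN-19866/CVE-2023-1393 but not the upstream commit the fix was cherry-picked from. Adding the hash given in the commit message (26ef545b3502f61ca722a7a3373507e88ef64110) to the entry would let someone reading only debian/changelog trace the change back to its source. The urgency=high setting is consistent with a security upload.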



View it on GitLab: 
https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/74e0f696111ca6d76aa125d667e9f5e3685df680...55908a43dde489287b85684a5b4470ed274b0873
