Julien Cristau pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server
Commits: 30e8ec59 by Julien Cristau at 2023-03-23T11:26:13+01:00 composite: Fix use-after-free of the COW (CVE-2023-1393) - - - - - 3 changed files: - debian/changelog - + debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,9 @@ +xorg-server (2:1.20.11-1+deb11u6) bullseye-security; urgency=high + + * composite: Fix use-after-free of the COW (CVE-2023-1393) + + -- Julien Cristau <jcris...@debian.org> Thu, 23 Mar 2023 11:25:56 +0100 + xorg-server (2:1.20.11-1+deb11u5) bullseye-security; urgency=high * Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494) ===================================== debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch ===================================== @@ -0,0 +1,37 @@ +From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofour...@redhat.com> +Date: Mon, 13 Mar 2023 11:08:47 +0100 +Subject: [PATCH xserver] composite: Fix use-after-free of the COW + +ZDI-CAN-19866/CVE-2023-1393 + +If a client explicitly destroys the compositor overlay window (aka COW), +we would leave a dangling pointer to that window in the CompScreen +structure, which will trigger a use-after-free later. + +Make sure to clear the CompScreen pointer to the COW when the latter gets +destroyed explicitly by the client. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofour...@redhat.com> +Reviewed-by: Adam Jackson <a...@redhat.com> +--- + composite/compwindow.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/composite/compwindow.c ++++ b/composite/compwindow.c +@@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin) + ret = (*pScreen->DestroyWindow) (pWin); + cs->DestroyWindow = pScreen->DestroyWindow; + pScreen->DestroyWindow = compDestroyWindow; ++ ++ /* Did we just destroy the overlay window? */ ++ if (pWin == cs->pOverlayWin) ++ cs->pOverlayWin = NULL; ++ + /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ + return ret; + } ===================================== debian/patches/series ===================================== @@ -20,3 +20,4 @@ 18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch 19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch 20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch +21_composite-Fix-use-after-free-of-the-COW.patch View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/commit/30e8ec59ec5b9d690ae7cda996e9043406d29c3a -- View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/commit/30e8ec59ec5b9d690ae7cda996e9043406d29c3a You're receiving this email because of your account on salsa.debian.org.