Timo Aaltonen pushed to branch debian-unstable at X Strike Force / wayland / xwayland
Commits: 26120df7 by Matthieu Herrb at 2024-10-29T16:26:59+01:00 xkb: Fix buffer overflow in _XkbSetCompatMap() The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, It didn't update its size properly. It updated `num_si` only, without updating `size_si`. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh). CVE-2024-9632, ZDI-CAN-24756 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Reviewed-by: Peter Hutterer <[email protected]> Tested-by: Peter Hutterer <[email protected]> Reviewed-by: José Expósito <[email protected]> (cherry picked from commit 85b776571487f52e756f68a069c768757369bfe3) Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1735> - - - - - 3bfef8d7 by José Expósito at 2024-10-29T16:27:04+01:00 Bump version to 24.1.4 Signed-off-by: José Expósito <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1735> - - - - - 51d00a81 by Timo Aaltonen at 2024-10-30T12:00:51+02:00 Merge branch 'upstream-unstable' into debian-unstable - - - - - edb0ccd1 by Timo Aaltonen at 2024-10-30T12:03:06+02:00 releasing package xwayland version 2:24.1.4-1 - - - - - 3 changed files: - debian/changelog - meson.build - xkb/xkb.c Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,11 @@ +xwayland (2:24.1.4-1) unstable; urgency=medium + + * New upstream release + + CVE-2024-9632: Heap-based buffer overflow privilege escalation in + _XkbSetCompatMap (closes: #1086244) + + -- Timo Aaltonen <[email protected]> Wed, 30 Oct 2024 12:01:08 +0200 + xwayland (2:24.1.3-1) unstable; urgency=medium * New upstream release. ===================================== meson.build ===================================== @@ -3,10 +3,10 @@ project('xwayland', 'c', 'buildtype=debugoptimized', 'c_std=gnu99', ], - version: '24.1.3', + version: '24.1.4', meson_version: '>= 0.56.0', ) -release_date = '2024-10-02' +release_date = '2024-10-29' add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc']) cc = meson.get_compiler('c') ===================================== xkb/xkb.c ===================================== @@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, XkbSymInterpretPtr sym; unsigned int skipped = 0; - if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { - compat->num_si = req->firstSI + req->nSI; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; compat->sym_interpret = reallocarray(compat->sym_interpret, - compat->num_si, + compat->size_si, sizeof(XkbSymInterpretRec)); if (!compat->sym_interpret) { - compat->num_si = 0; + compat->num_si = compat->size_si = 0; return BadAlloc; } } View it on GitLab: https://salsa.debian.org/xorg-team/wayland/xwayland/-/compare/1d4cbf4782e65aed36ddb767828dca6264f83cfe...edb0ccd18944630fd1e1493293fb99a9036f0ad3 -- View it on GitLab: https://salsa.debian.org/xorg-team/wayland/xwayland/-/compare/1d4cbf4782e65aed36ddb767828dca6264f83cfe...edb0ccd18944630fd1e1493293fb99a9036f0ad3 You're receiving this email because of your account on salsa.debian.org.
