This is being handled with a stable branch version bump which is in
the current test queue: "libx11: upgrade 1.8.5 -> 1.8.6"

Steve

On Fri, Jul 14, 2023 at 5:05 AM Kai Kang <[email protected]> wrote:
>
> From: Kai Kang <[email protected]>
>
> CVE: CVE-2023-3138
>
> Backport patch to fix CVE-2023-3138 for libx11.
>
> Signed-off-by: Kai Kang <[email protected]>
> ---
>  .../xorg-lib/libx11/CVE-2023-3138.patch       | 113 ++++++++++++++++++
>  .../recipes-graphics/xorg-lib/libx11_1.8.5.bb |   4 +-
>  2 files changed, 116 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
>
> diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch 
> b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
> new file mode 100644
> index 0000000000..0d9397dd95
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
> @@ -0,0 +1,113 @@
> +From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
> +From: Alan Coopersmith <[email protected]>
> +Date: Sat, 10 Jun 2023 16:30:07 -0700
> +Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
> + error codes
> +
> +Fixes CVE-2023-3138: X servers could return values from XQueryExtension
> +that would cause Xlib to write entries out-of-bounds of the arrays to
> +store them, though this would only overwrite other parts of the Display
> +struct, not outside the bounds allocated for that structure.
> +
> +Reported-by: Gregory James DUCK <[email protected]>
> +Signed-off-by: Alan Coopersmith <[email protected]>
> +
> +CVE: CVE-2023-3138
> +Upstream-Status: Backport 
> [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654]
> +
> +Signed-off-by: Kai Kang <[email protected]>
> +---
> + src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
> + 1 file changed, 42 insertions(+)
> +
> +diff --git a/src/InitExt.c b/src/InitExt.c
> +index 4de46f15..afc00a6b 100644
> +--- a/src/InitExt.c
> ++++ b/src/InitExt.c
> +@@ -33,6 +33,18 @@ from The Open Group.
> + #include <X11/Xos.h>
> + #include <stdio.h>
> +
> ++/* The X11 protocol spec reserves events 64 through 127 for extensions */
> ++#ifndef LastExtensionEvent
> ++#define LastExtensionEvent 127
> ++#endif
> ++
> ++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
> ++#ifndef LastExtensionRequest
> ++#define FirstExtensionRequest 128
> ++#define LastExtensionRequest 255
> ++#endif
> ++
> ++
> + /*
> +  * This routine is used to link a extension in so it will be called
> +  * at appropriate times.
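Review bot: `FirstExtensionRequest` is defined only inside the `#ifndef LastExtensionRequest` guard. If a header in some build already supplies `LastExtensionRequest` but not `FirstExtensionRequest`, the new range checks in XESetWireToEventCookie and XESetCopyEventCookie would reference an undefined symbol and fail to compile. Giving each macro its own guard avoids that: `#ifndef FirstExtensionRequest` / `#define FirstExtensionRequest 128` / `#endif`, followed by the same three lines for `LastExtensionRequest`. Whether any header in this tree defines one without the other is not visible from the hunk.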
> +@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
> +       WireToEventType proc)   /* routine to call when converting event */
> + {
> +       register WireToEventType oldproc;
> ++      if (event_number < 0 ||
> ++          event_number > LastExtensionEvent) {
> ++          fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
> ++                  event_number);
> ++          return (WireToEventType)_XUnknownWireEvent;
> ++      }
> +       if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
> +       LockDisplay (dpy);
> +       oldproc = dpy->event_vec[event_number];
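Review bot: The guard `event_number < 0 || event_number > LastExtensionEvent` accepts 0 through 63, although the comment added at the top of the file says extensions own only events 64 through 127. That keeps the index inside `dpy->event_vec` (assuming it holds 128 entries, which this hunk does not show), but a caller can still replace the converter for a core event; the same applies to the identical check in XESetEventToWire. If accepting core event numbers is deliberate for compatibility, a comment such as `/* lower bound is 0, not 64: only the array bounds are enforced here */` would stop a later reader from assuming the check is stricter than it is. The function body continues past the end of the hunk.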
> +@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
> +     )
> + {
> +       WireToEventCookieType oldproc;
> ++      if (extension < FirstExtensionRequest ||
> ++          extension > LastExtensionRequest) {
> ++          fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
> ++                  extension);
> ++          return (WireToEventCookieType)_XUnknownWireEventCookie;
> ++      }
> +       if (proc == NULL) proc = 
> (WireToEventCookieType)_XUnknownWireEventCookie;
> +       LockDisplay (dpy);
> +       oldproc = dpy->generic_event_vec[extension & 0x7F];
> +@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
> +     )
> + {
> +       CopyEventCookieType oldproc;
> ++      if (extension < FirstExtensionRequest ||
> ++          extension > LastExtensionRequest) {
> ++          fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
> ++                  extension);
> ++          return (CopyEventCookieType)_XUnknownCopyEventCookie;
> ++      }
> +       if (proc == NULL) proc = 
> (CopyEventCookieType)_XUnknownCopyEventCookie;
> +       LockDisplay (dpy);
> +       oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
> +@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
> +       EventToWireType proc)   /* routine to call when converting event */
> + {
> +       register EventToWireType oldproc;
> ++      if (event_number < 0 ||
> ++          event_number > LastExtensionEvent) {
> ++          fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
> ++                  event_number);
> ++          return (EventToWireType)_XUnknownNativeEvent;
> ++      }
> +       if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
> +       LockDisplay (dpy);
> +       oldproc = dpy->wire_vec[event_number];
> +@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
> +       WireToErrorType proc)   /* routine to call when converting error */
> + {
> +       register WireToErrorType oldproc = NULL;
> ++      if (error_number < 0 ||
> ++          error_number > LastExtensionError) {
> ++         fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
> ++                  error_number);
> ++         return (WireToErrorType)_XDefaultWireError;
> ++      }
> +       if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
> +       LockDisplay (dpy);
> +       if (!dpy->error_vec) {
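Review bot: The rejection path in XESetWireToError returns `_XDefaultWireError`, which is presumably also what a caller gets back as the previous handler when none was installed (the return of `oldproc` is outside the hunk). A caller therefore cannot tell "handler installed" from "registration ignored because the server supplied an out-of-range code"; the only signal is the line on stderr. The other four setters in this patch follow the same pattern. A short comment above each guard stating that an out-of-range code leaves the table untouched and returns the default handler would document that contract for extension-library authors. The two added lines `fprintf(...)` and `return ...` here are also indented one column less than in the sibling guards.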
> +--
> +GitLab
> +
> diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb 
> b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb
> index cf2e29471a..028a757d39 100644
> --- a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb
> +++ b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb
> @@ -22,7 +22,9 @@ PE = "1"
>
>  XORG_PN = "libX11"
>
> -SRC_URI += "file://disable_tests.patch"
> +SRC_URI += "file://disable_tests.patch \
> +            file://CVE-2023-3138.patch \
> +            "
>
>  SRC_URI[sha256sum] = 
> "e362c6f03c793171becd1ce2078c64789504c7d7ff48ee40a76ff76b59f6b561"
>
> --
> 2.34.1
>
>
> 
>