Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478
Pick the backported version of the commit referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../tigervnc/files/CVE-2023-6478.patch | 65 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch new file mode 100644 index 0000000000..765e83e196 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch 
@@ -0,0 +1,65 @@ +From a0952cc293c0fbda15e7519b1af9c1c2d3d9475f Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari <[email protected]> +Date: Mon, 27 Nov 2023 16:27:49 +1000 +Subject: [PATCH] randr: avoid integer truncation in length check of + ProcRRChange*Property + +From: Peter Hutterer <[email protected]> + +Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. +See also xserver@8f454b79 where this same bug was fixed for the core +protocol and XI. + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->nUnits value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->nUnits bytes, i.e. 4GB. + +CVE-2023-6478, ZDI-CAN-22561 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632) +(cherry picked from commit 58e83c683950ac9e253ab05dd7a13a8368b70a3c) + +CVE: CVE-2023-6478 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + randr/rrproperty.c | 2 +- + randr/rrproviderproperty.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index c2fb9585c..1fb89e67e 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); +diff --git a/randr/rrproviderproperty.c 
b/randr/rrproviderproperty.c +index b79c17f9b..90c5a9a93 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 7af347d858..a8eb397ba8 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -22,6 +22,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \ file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \ file://CVE-2023-6377.patch;patchdir=${XORG_S} \ + file://CVE-2023-6478.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core
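Review bot: In the added CVE-2023-6478.patch, the rrproperty.c and rrproviderproperty.c hunks widen only the declaration ("int totalSize;" becomes "uint64_t totalSize;"), while "unsigned long len;" and "int sizeInBytes;" stay as they are and the statement that assigns totalSize is outside the visible context. If that assignment is computed from len and sizeInBytes, then on targets where unsigned long is 32 bits the arithmetic happens in 32 bits before the result is stored in the 64-bit variable. Please confirm against the xserver copy in ${XORG_S} that the value cannot wrap before it is widened, and say so in the commit message. A smaller point on the same file: its header reads "From: Gyorgy Sarvari" next to the upstream date, with the original author only in a second in-body "From:" line; keeping Peter Hutterer in the header would preserve upstream authorship.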
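Review bot: In the tigervnc_1.11.0.bb hunk, the new "file://CVE-2023-6478.patch;patchdir=${XORG_S}" entry sits directly above the "# Keep sync with xorg-server in oe-core" comment, but the commit message does not say which xorg-server version ${XORG_S} holds or whether the oe-core xorg-server recipe for this branch already carries the CVE-2023-6478 fix. Adding that, along with the target branch and a note that the backport applies to that tree without fuzz, would let a reviewer verify the sync the comment asks for.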
