Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377
Pick the backported version of the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../tigervnc/files/CVE-2023-6377.patch | 80 +++++++++++++++++++
 .../tigervnc/tigervnc_1.11.0.bb | 1 +
 2 files changed, 81 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch
diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch
new file mode 100644
index 0000000000..d6dde0a9d2
--- /dev/null
+++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch
@@ -0,0 +1,80 @@
+From 7eb0da0f29e975f67a5bef4560759672b84c7d22 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+From: Peter Hutterer <[email protected]>
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd)
+
+CVE: CVE-2023-6377
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 659816a46..fb6db8561 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -567,13 +567,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ }
+
+ if (from->button->xkb_acts) {
+- if (!to->button->xkb_acts) {
+- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+- if (!to->button->xkb_acts)
+- FatalError("[Xi] not enough memory for xkb_acts.\n");
+- }
++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+- sizeof(XkbAction));
++ from->button->numButtons * sizeof(XkbAction));
+ }
+ else
+ free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index e7c74d7b7..7776498f8 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2502,6 +2502,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+ if (master->button && master->button->numButtons != maxbuttons) {
+ int i;
++ int last_num_buttons = master->button->numButtons;
++
+ DeviceChangedEvent event = {
+ .header = ET_Internal,
+ .type = ET_DeviceChanged,
+@@ -2512,6 +2514,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ };
+
+ master->button->numButtons = maxbuttons;
++ if (last_num_buttons < maxbuttons) {
++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(&master->button->xkb_acts[last_num_buttons],
++ 0,
++ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++ }
+
+ memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+ sizeof(Atom));
diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
index fa0661dffe..7af347d858 100644
--- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
+++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht
 file://0002-do-not-build-tests-sub-directory.patch \
 file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \
 file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \
+ file://CVE-2023-6377.patch;patchdir=${XORG_S} \
 "
 # Keep sync with xorg-server in oe-core
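Review bot: In the Xi/exevents.c hunk of the added patch, the `else` branch still frees `to->button->xkb_acts` without clearing it, while the new code above now hands that same pointer to `xnfreallocarray()` unconditionally. If DeepCopyPointerClasses runs first with a source device that has no xkb_acts and later with one that does, the realloc would act on an already-freed pointer, unless the field is reset somewhere outside the hunk. Bracing the branch as `else { free(to->button->xkb_acts); to->button->xkb_acts = NULL; }` would close that; because this file is a verbatim backport, it is better carried as a separate follow-up patch than edited in here. The dix/devices.c hunks depend on the invariant that a non-NULL xkb_acts always holds numButtons entries, which deserves a one-line comment next to the realloc, e.g. `/* xkb_acts, when allocated, must always have numButtons entries */`. Both functions continue outside the hunks shown.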
