Hello community, here is the log from the commit of package xorg-x11-server for openSUSE:Factory checked in at 2017-07-08 12:25:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old) and /work/SRC/openSUSE:Factory/.xorg-x11-server.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server" Sat Jul 8 12:25:28 2017 rev:344 rq:508731 version:1.19.3 Changes: -------- --- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes 2017-06-17 10:21:21.965489996 +0200 +++ /work/SRC/openSUSE:Factory/.xorg-x11-server.new/xorg-x11-server.changes 2017-07-08 12:25:29.949779207 +0200 @@ -1,0 +2,15 @@ +Fri Jul 7 09:13:23 UTC 2017 - [email protected] + +- U_Xi-Do-not-try-to-swap-GenericEvent.patch, + U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch, + U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch, + U_dix-Disallow-GenericEvent-in-SendEvent-request.patch + * Fix security issues in event handling. (bnc#1035283, + CVE-2017-10971, CVE-2017-10972) + +------------------------------------------------------------------- +Tue Jul 4 15:45:45 UTC 2017 - [email protected] + +- enable Xwayland also for s390x (bsc#1047173) + +------------------------------------------------------------------- New: ---- U_Xi-Do-not-try-to-swap-GenericEvent.patch U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch U_dix-Disallow-GenericEvent-in-SendEvent-request.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xorg-x11-server.spec ++++++ --- /var/tmp/diff_new_pack.WrwGaY/_old 2017-07-08 12:25:31.061622370 +0200 +++ /var/tmp/diff_new_pack.WrwGaY/_new 2017-07-08 12:25:31.061622370 +0200 @@ -16,13 +16,11 @@ # -%ifarch s390 s390x -%define have_wayland 0 -%else %define pci_ids_dir %{_sysconfdir}/X11/xorg_pci_ids %if 0%{?suse_version} >= 1330 || 0%{?build_xwayland} %define have_wayland 1 -%endif +%else +%define have_wayland 0 %endif %define build_suid_wrapper 0 @@ -204,6 +202,11 @@ Patch209: u_pci-primary-Fix-up-primary-PCI-device-detection-for-the-platfrom-bus.patch Patch210: u_os-connections-Check-for-stale-FDs.patch +Patch211: U_Xi-Do-not-try-to-swap-GenericEvent.patch +Patch212: U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch +Patch213: U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch +Patch214: U_dix-Disallow-GenericEvent-in-SendEvent-request.patch + Patch1000: n_xserver-optimus-autoconfig-hack.patch Patch1162: b_cache-xkbcomp-output-for-fast-start-up.patch @@ -335,6 +338,11 @@ ### not applicable anymore #%patch210 -p1 +%patch211 -p1 +%patch212 -p1 +%patch213 -p1 +%patch214 -p1 + ### disabled for now #%patch1000 -p1 ++++++ U_Xi-Do-not-try-to-swap-GenericEvent.patch ++++++ Author: Michal Srb <[email protected]> Subject: Xi: Do not try to swap GenericEvent. Git-commit: ba336b24052122b136486961c82deac76bbde455 Patch-mainline: Upstream References: bnc#1035283 CVE-2017-10971 The SProcXSendExtensionEvent must not attempt to swap GenericEvent because it is assuming that the event has fixed size and gives the swapping function xEvent-sized buffer. A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. Signed-off-by: Michal Srb <[email protected]> Reviewed-by: Peter Hutterer <[email protected]> --- Xi/sendexev.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Xi/sendexev.c b/Xi/sendexev.c index 5e63bfcca..5c2e0fc56 100644 --- a/Xi/sendexev.c +++ b/Xi/sendexev.c @@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) eventP = (xEvent *) &stuff[1]; for (i = 0; i < stuff->num_events; i++, eventP++) { + if (eventP->u.u.type == GenericEvent) { + client->errorValue = eventP->u.u.type; + return BadValue; + } + proc = EventSwapVector[eventP->u.u.type & 0177]; - if (proc == NotImplemented) /* no swapping proc; invalid event type? */ + /* no swapping proc; invalid event type? */ + if (proc == NotImplemented) { + client->errorValue = eventP->u.u.type; return BadValue; + } (*proc) (eventP, &eventT); *eventP = eventT; } -- 2.12.0 ++++++ U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch ++++++ Author: Michal Srb <[email protected]> Subject: Xi: Verify all events in ProcXSendExtensionEvent. Git-commit: 8caed4df36b1f802b4992edcfd282cbeeec35d9d Patch-mainline: Upstream References: bnc#1035283 CVE-2017-10971 The requirement is that events have type in range EXTENSION_EVENT_BASE..lastEvent, but it was tested only for first event of all. Signed-off-by: Michal Srb <[email protected]> Reviewed-by: Peter Hutterer <[email protected]> --- Xi/sendexev.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Xi/sendexev.c b/Xi/sendexev.c index 1cf118ab6..5e63bfcca 100644 --- a/Xi/sendexev.c +++ b/Xi/sendexev.c @@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) int ProcXSendExtensionEvent(ClientPtr client) { - int ret; + int ret, i; DeviceIntPtr dev; xEvent *first; XEventClass *list; @@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) /* The client's event type must be one defined by an extension. */ first = ((xEvent *) &stuff[1]); - if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && - (first->u.u.type < lastEvent))) { - client->errorValue = first->u.u.type; - return BadValue; + for (i = 0; i < stuff->num_events; i++) { + if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && + (first[i].u.u.type < lastEvent))) { + client->errorValue = first[i].u.u.type; + return BadValue; + } } list = (XEventClass *) (first + stuff->num_events); -- 2.12.0 ++++++ U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch ++++++ Author: Michal Srb <[email protected]> Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. Git-commit: 05442de962d3dc624f79fc1a00eca3ffc5489ced Patch-mainline: Upstream References: bnc#1035283 CVE-2017-10972 Make sure that the xEvent eventT is initialized with zeros, the same way as in SProcSendEvent. Some event swapping functions do not overwrite all 32 bytes of xEvent structure, for example XSecurityAuthorizationRevoked. Two cooperating clients, one swapped and the other not, can send XSecurityAuthorizationRevoked event to each other to retrieve old stack data from X server. This can be potentialy misused to go around ASLR or stack-protector. Signed-off-by: Michal Srb <[email protected]> Reviewed-by: Peter Hutterer <[email protected]> --- Xi/sendexev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Xi/sendexev.c b/Xi/sendexev.c index 11d82029f..1cf118ab6 100644 --- a/Xi/sendexev.c +++ b/Xi/sendexev.c @@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) { CARD32 *p; int i; - xEvent eventT; + xEvent eventT = { .u.u.type = 0 }; xEvent *eventP; EventSwapPtr proc; -- 2.12.0 ++++++ U_dix-Disallow-GenericEvent-in-SendEvent-request.patch ++++++ Author: Michal Srb <[email protected]> Subject: dix: Disallow GenericEvent in SendEvent request. Git-commit: 215f894965df5fb0bb45b107d84524e700d2073c Patch-mainline: Upstream References: bnc#1035283 CVE-2017-10971 The SendEvent request holds xEvent which is exactly 32 bytes long, no more, no less. Both ProcSendEvent and SProcSendEvent verify that the received data exactly match the request size. However nothing stops the client from passing in event with xEvent::type = GenericEvent and any value of xGenericEvent::length. In the case of ProcSendEvent, the event will be eventually passed to WriteEventsToClient which will see that it is Generic event and copy the arbitrary length from the receive buffer (and possibly past it) and send it to the other client. This allows clients to copy unitialized heap memory out of X server or to crash it. In case of SProcSendEvent, it will attempt to swap the incoming event by calling a swapping function from the EventSwapVector array. The swapped event is written to target buffer, which in this case is local xEvent variable. The xEvent variable is 32 bytes long, but the swapping functions for GenericEvents expect that the target buffer has size matching the size of the source GenericEvent. This allows clients to cause stack buffer overflows. Signed-off-by: Michal Srb <[email protected]> Reviewed-by: Peter Hutterer <[email protected]> --- dix/events.c | 6 ++++++ dix/swapreq.c | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/dix/events.c b/dix/events.c index cc26ba5db..3faad53a8 100644 --- a/dix/events.c +++ b/dix/events.c @@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) client->errorValue = stuff->event.u.u.type; return BadValue; } + /* Generic events can have variable size, but SendEvent request holds + exactly 32B of event data. */ + if (stuff->event.u.u.type == GenericEvent) { + client->errorValue = stuff->event.u.u.type; + return BadValue; + } if (stuff->event.u.u.type == ClientMessage && stuff->event.u.u.detail != 8 && stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { diff --git a/dix/swapreq.c b/dix/swapreq.c index 719e9b81c..67850593b 100644 --- a/dix/swapreq.c +++ b/dix/swapreq.c @@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) swapl(&stuff->destination); swapl(&stuff->eventMask); + /* Generic events can have variable size, but SendEvent request holds + exactly 32B of event data. */ + if (stuff->event.u.u.type == GenericEvent) { + client->errorValue = stuff->event.u.u.type; + return BadValue; + } + /* Swap event */ proc = EventSwapVector[stuff->event.u.u.type & 0177]; if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ -- 2.12.0
