Hello community,
here is the log from the commit of package xorg-x11-server for openSUSE:Factory
checked in at 2020-09-18 14:24:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old)
and /work/SRC/openSUSE:Factory/.xorg-x11-server.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server"
Fri Sep 18 14:24:31 2020 rev:386 rq:833405 version:1.20.9
Changes:
--------
--- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes
2020-09-03 01:10:51.008400904 +0200
+++
/work/SRC/openSUSE:Factory/.xorg-x11-server.new.4249/xorg-x11-server.changes
2020-09-18 14:26:48.291193951 +0200
@@ -1,0 +2,6 @@
+Wed Sep 9 18:50:37 UTC 2020 - Michael Gorse <[email protected]>
+
+-Add U_xfree86_take_second_ref_for_xcursor.patch: fix
+ use-after-free when switching VTs.
+
+-------------------------------------------------------------------
New:
----
U_xfree86_take_second_ref_for_xcursor.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
--- /var/tmp/diff_new_pack.PAQ0vB/_old 2020-09-18 14:26:54.431200134 +0200
+++ /var/tmp/diff_new_pack.PAQ0vB/_new 2020-09-18 14:26:54.435200138 +0200
@@ -249,6 +249,7 @@
Patch1505: U_xwayland-Allow-passing-a-fd.patch
Patch1600: U_glamor_egl-Reject-OpenGL-2.1-early-on.patch
+Patch1700: U_xfree86_take_second_ref_for_xcursor.patch
%description
This package contains the X.Org Server.
@@ -398,6 +399,7 @@
%patch1503 -p1
%patch1505 -p1
%patch1600 -p1
+%patch1700 -p1
%build
%define _lto_cflags %{nil}
++++++ U_xfree86_take_second_ref_for_xcursor.patch ++++++
>From 919f1f46fc67dae93b2b3f278fcbfc77af34ec58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <[email protected]>
Date: Mon, 31 Aug 2020 12:10:43 +0200
Subject: [PATCH] xfree86: Take second reference for SavedCursor in
xf86CursorSetCursor
The same pointer is kept in CurrentCursor as well, therefore two
RefCursor calls are needed.
Fixes use-after-free after switching VTs.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1067
---
hw/xfree86/ramdac/xf86CursorRD.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index 9aa3de97b..c8362d169 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -334,6 +334,9 @@ xf86CursorSetCursor(DeviceIntPtr pDev, ScreenPtr pScreen,
CursorPtr pCurs,
ScreenPriv->HotY = cursor->bits->yhot;
if (!infoPtr->pScrn->vtSema) {
+ cursor = RefCursor(cursor);
+ if (ScreenPriv->SavedCursor)
+ FreeCursor(ScreenPriv->SavedCursor, None);
ScreenPriv->SavedCursor = cursor;
return;
}
--
2.28.0
