Julien Cristau pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server
Commits: 6c4d399c by Julien Cristau at 2023-02-01T15:12:51+01:00 Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494) - - - - - 3 changed files: - debian/changelog - + debian/patches/20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,9 @@ +xorg-server (2:1.20.11-1+deb11u5) bullseye-security; urgency=high + + * Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494) + + -- Julien Cristau <jcris...@debian.org> Wed, 01 Feb 2023 15:11:18 +0100 + xorg-server (2:1.20.11-1+deb11u4) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. ===================================== debian/patches/20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch ===================================== @@ -0,0 +1,30 @@ +From 7150ba655c0cc08fa6ded309b81265bb672f2869 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutte...@who-t.net> +Date: Wed, 25 Jan 2023 11:41:40 +1000 +Subject: [PATCH xserver] Xi: fix potential use-after-free in + DeepCopyPointerClasses + +CVE-2023-0494, ZDI-CAN 19596 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> +--- + Xi/exevents.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -575,8 +575,10 @@ DeepCopyPointerClasses(DeviceIntPtr from + memcpy(to->button->xkb_acts, from->button->xkb_acts, + sizeof(XkbAction)); + } +- else ++ else { + free(to->button->xkb_acts); ++ to->button->xkb_acts = NULL; ++ } + + memcpy(to->button->labels, from->button->labels, + from->button->numButtons * sizeof(Atom)); ===================================== debian/patches/series ===================================== @@ -19,3 +19,4 @@ 17_Xi-return-an-error-from-XI-property-changes-if-verif.patch 18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch 19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch +20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/commit/6c4d399c47b4336b87a7fb88499f47079028be97 -- View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/commit/6c4d399c47b4336b87a7fb88499f47079028be97 You're receiving this email because of your account on salsa.debian.org.