Julien Cristau pushed to branch debian-unstable at X Strike Force / xserver /
xorg-server
Commits:
6321383c by Povilas Kanapickas at 2021-12-14T14:34:27+01:00
record: Fix out of bounds access in SwapCreateRegister()
ZDI-CAN-14952, CVE-2021-4011
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povi...@radix.lt>
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
- - - - -
83f8b3a6 by Povilas Kanapickas at 2021-12-14T14:34:27+01:00
xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()
ZDI-CAN-14950, CVE-2021-4009
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povi...@radix.lt>
(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
- - - - -
92a6c39a by Povilas Kanapickas at 2021-12-14T14:34:27+01:00
Xext: Fix out of bounds access in SProcScreenSaverSuspend()
ZDI-CAN-14951, CVE-2021-4010
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povi...@radix.lt>
(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
- - - - -
b0ca9791 by Povilas Kanapickas at 2021-12-14T14:34:27+01:00
render: Fix out of bounds access in SProcRenderCompositeGlyphs()
ZDI-CAN-14192, CVE-2021-4008
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povi...@radix.lt>
(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)
- - - - -
40a2a9bd by Julien Cristau at 2021-12-14T14:38:47+01:00
Add changelog entry
- - - - -
5 changed files:
- Xext/saver.c
- debian/changelog
- record/record.c
- render/render.c
- xfixes/cursor.c
Changes:
=====================================
Xext/saver.c
=====================================
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
REQUEST(xScreenSaverSuspendReq);
swaps(&stuff->length);
- swapl(&stuff->suspend);
REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
+ swapl(&stuff->suspend);
return ProcScreenSaverSuspend(client);
}
=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+xorg-server (2:1.20.13-3) unstable; urgency=high
+
+ * Team upload.
+ * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
+ * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()
[CVE-2021-4009]
+ * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
+ * render: Fix out of bounds access in SProcRenderCompositeGlyphs()
[CVE-2021-4008]
+
+ -- Julien Cristau <jcris...@debian.org> Tue, 14 Dec 2021 14:38:21 +0100
+
xorg-server (2:1.20.13-2) unstable; urgency=medium
* Upload to unstable.
=====================================
record/record.c
=====================================
@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client,
xRecordRegisterClientsReq * stuff)
swapl(pClientID);
}
if (stuff->nRanges >
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- - stuff->nClients)
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
return Success;
=====================================
render/render.c
=====================================
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
i = elt->len;
if (i == 0xff) {
+ if (buffer + 4 > end) {
+ return BadLength;
+ }
swapl((int *) buffer);
buffer += 4;
}
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
buffer += i;
break;
case 2:
+ if (buffer + i * 2 > end) {
+ return BadLength;
+ }
while (i--) {
swaps((short *) buffer);
buffer += 2;
}
break;
case 4:
+ if (buffer + i * 4 > end) {
+ return BadLength;
+ }
while (i--) {
swapl((int *) buffer);
buffer += 4;
=====================================
xfixes/cursor.c
=====================================
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
{
REQUEST(xXFixesCreatePointerBarrierReq);
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
pad_to_int32(stuff->num_devices));
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
LEGAL_NEW_RESOURCE(stuff->barrier, client);
return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
swaps(&stuff->length);
swaps(&stuff->num_devices);
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
pad_to_int32(stuff->num_devices));
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
swapl(&stuff->barrier);
swapl(&stuff->window);
View it on GitLab:
https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/774feb0b71ce781a4a5b59b3cf25dd77aaa6c2ac...40a2a9bdf9c731d1eb3ede7d896a2ea478b54598
--
View it on GitLab:
https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/774feb0b71ce781a4a5b59b3cf25dd77aaa6c2ac...40a2a9bdf9c731d1eb3ede7d896a2ea478b54598
You're receiving this email because of your account on salsa.debian.org.
