Julien Cristau pushed to branch debian-unstable at X Strike Force / xserver / xorg-server
Commits: 6321383c by Povilas Kanapickas at 2021-12-14T14:34:27+01:00 record: Fix out of bounds access in SwapCreateRegister() ZDI-CAN-14952, CVE-2021-4011 This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Povilas Kanapickas <povi...@radix.lt> (cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768) - - - - - 83f8b3a6 by Povilas Kanapickas at 2021-12-14T14:34:27+01:00 xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() ZDI-CAN-14950, CVE-2021-4009 This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Povilas Kanapickas <povi...@radix.lt> (cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02) - - - - - 92a6c39a by Povilas Kanapickas at 2021-12-14T14:34:27+01:00 Xext: Fix out of bounds access in SProcScreenSaverSuspend() ZDI-CAN-14951, CVE-2021-4010 This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Povilas Kanapickas <povi...@radix.lt> (cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21) - - - - - b0ca9791 by Povilas Kanapickas at 2021-12-14T14:34:27+01:00 render: Fix out of bounds access in SProcRenderCompositeGlyphs() ZDI-CAN-14192, CVE-2021-4008 This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Povilas Kanapickas <povi...@radix.lt> (cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60) - - - - - 40a2a9bd by Julien Cristau at 2021-12-14T14:38:47+01:00 Add changelog entry - - - - - 5 changed files: - Xext/saver.c - debian/changelog - record/record.c - render/render.c - xfixes/cursor.c Changes: ===================================== Xext/saver.c ===================================== 
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client) REQUEST(xScreenSaverSuspendReq); swaps(&stuff->length); - swapl(&stuff->suspend); REQUEST_SIZE_MATCH(xScreenSaverSuspendReq); + swapl(&stuff->suspend); return ProcScreenSaverSuspend(client); } ===================================== debian/changelog ===================================== @@ -1,3 +1,13 @@ +xorg-server (2:1.20.13-3) unstable; urgency=high + + * Team upload. + * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011] + * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009] + * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010] + * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008] + + -- Julien Cristau <jcris...@debian.org> Tue, 14 Dec 2021 14:38:21 +0100 + xorg-server (2:1.20.13-2) unstable; urgency=medium * Upload to unstable. ===================================== record/record.c ===================================== @@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) swapl(pClientID); } if (stuff->nRanges > - client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - - stuff->nClients) + (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) + - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) return BadLength; RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); return Success; ===================================== render/render.c ===================================== @@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) i = elt->len; if (i == 0xff) { + if (buffer + 4 > end) { + return BadLength; + } swapl((int *) buffer); buffer += 4; } 
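Review bot: The new ordering in SProcScreenSaverSuspend is load-bearing but silent: `swapl(&stuff->suspend)` now sits after `REQUEST_SIZE_MATCH`, and nothing stops a later edit from hoisting it back above the check and reintroducing the read past a short request. A one-line comment on the check would pin the intent, e.g. `/* Validate the request length before touching any field beyond the minimal request header; stuff->suspend lies past it. */`. The `swaps(&stuff->length)` left above the check is a header-field swap too, so the comment should also say why that one is exempt (it is inside the minimal header) so a future reader does not generalise the exemption.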
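Review bot: The new bound in SwapCreateRegister divides the leftover CARD32 count by `bytes_to_int32(sz_xRecordRange)`, but `client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients` is unsigned arithmetic and wraps to a huge value if `nClients` already exceeds the payload, which would make the comparison pass; the check is only sound if `nClients` was bounded earlier in the function, which starts above this hunk and cannot be confirmed from here. The units also deserve a line next to the check, e.g. `/* All terms are in CARD32 words: one word per client id, sz_xRecordRange/4 words per range; nClients must already have been bounded above. */`. SwapCreateRegister begins outside this hunk.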
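Review bot: The added guard protects the 4-byte glyphset id read in the `i == 0xff` branch, but `elt->len` on the first line of the hunk is read from an `xGlyphElt` header that has no visible check that the whole header fits below `end`; if the loop head only tests `buffer < end` (it is outside the hunk, so I cannot confirm), the header read can still overrun by a few bytes on a truncated request. If no such check exists above, add `if (buffer + sizeof(xGlyphElt) > end) return BadLength;` before `elt` is dereferenced. SProcRenderCompositeGlyphs begins and ends outside this hunk.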
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) buffer += i; break; case 2: + if (buffer + i * 2 > end) { + return BadLength; + } while (i--) { swaps((short *) buffer); buffer += 2; } break; case 4: + if (buffer + i * 4 > end) { + return BadLength; + } while (i--) { swapl((int *) buffer); buffer += 4; ===================================== xfixes/cursor.c ===================================== @@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client) { REQUEST(xXFixesCreatePointerBarrierReq); - REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); + REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, + pad_to_int32(stuff->num_devices * sizeof(CARD16))); LEGAL_NEW_RESOURCE(stuff->barrier, client); return XICreatePointerBarrier(client, stuff); @@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) swaps(&stuff->length); swaps(&stuff->num_devices); - REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); + REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, + pad_to_int32(stuff->num_devices * sizeof(CARD16))); swapl(&stuff->barrier); swapl(&stuff->window); View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/774feb0b71ce781a4a5b59b3cf25dd77aaa6c2ac...40a2a9bdf9c731d1eb3ede7d896a2ea478b54598 -- View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/774feb0b71ce781a4a5b59b3cf25dd77aaa6c2ac...40a2a9bdf9c731d1eb3ede7d896a2ea478b54598 You're receiving this email because of your account on salsa.debian.org.
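Review bot: `buffer + i * 2 > end` and `buffer + i * 4 > end` in the `case 2` and `case 4` guards form a pointer that can lie well past the end of the request before comparing it, which is undefined behaviour in C even though it works on a flat address space; comparing remaining length instead avoids it, e.g. `if ((size_t)(end - buffer) < (size_t)i * 2) return BadLength;` for `case 2` and the same with `* 4` for `case 4`. `case 1` gets no guard but only advances `buffer` without reading through it, so it is fine provided the loop head re-tests `buffer < end` (outside the hunk). SProcRenderCompositeGlyphs begins and ends outside this hunk.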
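Review bot: In SProcXFixesCreatePointerBarrier the corrected trailing size is right, but `swaps(&stuff->num_devices)` still reads a fixed-header field before any length check, which is the same ordering the Xext/saver.c hunk of this push moves away from; unless the dispatcher already guarantees the full fixed header is present (not visible here), a request shorter than `sizeof(xXFixesCreatePointerBarrierReq)` makes that swap an out-of-bounds read. The cheap guard is the dix macro `REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);` placed between `swaps(&stuff->length)` and `swaps(&stuff->num_devices)`, and the ProcXFixesCreatePointerBarrier hunk above reads `stuff->num_devices` the same way and would want the same line before its `REQUEST_FIXED_SIZE`. Both functions continue outside their hunks.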