Module Name: xsrc
Committed By: mrg
Date: Sat Oct 28 18:44:38 UTC 2023
Modified Files:
xsrc/external/mit/xorg-server.old/dist/Xi: xiproperty.c
xsrc/external/mit/xorg-server.old/dist/dix: enterleave.h
xsrc/external/mit/xorg-server.old/dist/include: eventstr.h
xsrc/external/mit/xorg-server.old/dist/mi: mipointer.c
xsrc/external/mit/xorg-server.old/dist/os: auth.c
xsrc/external/mit/xorg-server.old/dist/randr: rrproperty.c
Log Message:
merge security fixes from xorg-server 21.1.9 into xorg-server 10.
Fixes CVE-2023-5367 and CVE-2023-5380.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 \
xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c
cvs rdiff -u -r1.1.1.1 -r1.2 \
xsrc/external/mit/xorg-server.old/dist/dix/enterleave.h
cvs rdiff -u -r1.1.1.1 -r1.2 \
xsrc/external/mit/xorg-server.old/dist/include/eventstr.h
cvs rdiff -u -r1.1.1.1 -r1.2 \
xsrc/external/mit/xorg-server.old/dist/mi/mipointer.c
cvs rdiff -u -r1.3 -r1.4 xsrc/external/mit/xorg-server.old/dist/os/auth.c
cvs rdiff -u -r1.1.1.1 -r1.2 \
xsrc/external/mit/xorg-server.old/dist/randr/rrproperty.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c:1.2
--- xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c:1.1.1.1 Thu Jun 9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c Sat Oct 28 18:44:37 2023
@@ -753,7 +753,7 @@ XIChangeDeviceProperty (DeviceIntPtr dev
XIDestroyDeviceProperty (prop);
return BadAlloc;
}
- new_value.size = len;
+ new_value.size = total_len;
new_value.type = type;
new_value.format = format;
@@ -770,7 +770,7 @@ XIChangeDeviceProperty (DeviceIntPtr dev
case PropModePrepend:
new_data = new_value.data;
old_data = (pointer) (((char *) new_value.data) +
- (prop_value->size * size_in_bytes));
+ (len * size_in_bytes));
break;
}
if (new_data)
Index: xsrc/external/mit/xorg-server.old/dist/dix/enterleave.h
diff -u xsrc/external/mit/xorg-server.old/dist/dix/enterleave.h:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/enterleave.h:1.2
--- xsrc/external/mit/xorg-server.old/dist/dix/enterleave.h:1.1.1.1 Thu Jun 9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/dix/enterleave.h Sat Oct 28 18:44:37 2023
@@ -76,8 +76,6 @@ extern void EnterWindow(DeviceIntPtr dev
WindowPtr win,
int mode);
-extern void LeaveWindow(DeviceIntPtr dev);
-
extern void CoreFocusEvent(DeviceIntPtr kbd,
int type,
int mode,
Index: xsrc/external/mit/xorg-server.old/dist/include/eventstr.h
diff -u xsrc/external/mit/xorg-server.old/dist/include/eventstr.h:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/include/eventstr.h:1.2
--- xsrc/external/mit/xorg-server.old/dist/include/eventstr.h:1.1.1.1 Thu Jun 9 09:08:00 2016
+++ xsrc/external/mit/xorg-server.old/dist/include/eventstr.h Sat Oct 28 18:44:37 2023
@@ -243,4 +243,7 @@ union _InternalEvent {
#endif
};
+extern void
+LeaveWindow(DeviceIntPtr dev);
+
#endif
Index: xsrc/external/mit/xorg-server.old/dist/mi/mipointer.c
diff -u xsrc/external/mit/xorg-server.old/dist/mi/mipointer.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/mi/mipointer.c:1.2
--- xsrc/external/mit/xorg-server.old/dist/mi/mipointer.c:1.1.1.1 Thu Jun 9 09:08:00 2016
+++ xsrc/external/mit/xorg-server.old/dist/mi/mipointer.c Sat Oct 28 18:44:38 2023
@@ -41,6 +41,8 @@ in this Software without prior written a
# include "inputstr.h"
# include "inpututils.h"
+# include "eventstr.h"
+
DevPrivateKeyRec miPointerScreenKeyRec;
#define GetScreenPrivate(s) ((miPointerScreenPtr) \
@@ -318,8 +320,21 @@ miPointerWarpCursor (DeviceIntPtr pDev,
#ifdef PANORAMIX
&& noPanoramiXExtension
#endif
- )
- UpdateSpriteForScreen (pDev, pScreen) ;
+ ) {
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+ /* Hack for CVE-2023-5380: if we're moving
+ * screens PointerWindows[] keeps referring to the
+ * old window. If that gets destroyed we have a UAF
+ * bug later. Only happens when jumping from a window
+ * to the root window on the other screen.
+ * Enter/Leave events are incorrect for that case but
+ * too niche to fix.
+ */
+ LeaveWindow(pDev);
+ if (master)
+ LeaveWindow(master);
+ UpdateSpriteForScreen(pDev, pScreen);
+ }
}
/*
Index: xsrc/external/mit/xorg-server.old/dist/os/auth.c
diff -u xsrc/external/mit/xorg-server.old/dist/os/auth.c:1.3 xsrc/external/mit/xorg-server.old/dist/os/auth.c:1.4
--- xsrc/external/mit/xorg-server.old/dist/os/auth.c:1.3 Wed Mar 8 07:44:16 2017
+++ xsrc/external/mit/xorg-server.old/dist/os/auth.c Sat Oct 28 18:44:38 2023
@@ -45,9 +45,7 @@ from The Open Group.
#ifdef WIN32
#include <X11/Xw32defs.h>
#endif
-#ifdef HAVE_LIBBSD
-#include <bsd/stdlib.h> /* for arc4random_buf() */
-#endif
+#include <stdlib.h> /* for arc4random_buf() */
struct protocol {
unsigned short name_length;
Index: xsrc/external/mit/xorg-server.old/dist/randr/rrproperty.c
diff -u xsrc/external/mit/xorg-server.old/dist/randr/rrproperty.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/randr/rrproperty.c:1.2
--- xsrc/external/mit/xorg-server.old/dist/randr/rrproperty.c:1.1.1.1 Thu Jun 9 09:08:01 2016
+++ xsrc/external/mit/xorg-server.old/dist/randr/rrproperty.c Sat Oct 28 18:44:38 2023
@@ -190,7 +190,7 @@ RRChangeOutputProperty (RROutputPtr outp
RRDestroyOutputProperty (prop);
return BadAlloc;
}
- new_value.size = len;
+ new_value.size = total_len;
new_value.type = type;
new_value.format = format;
@@ -207,7 +207,7 @@ RRChangeOutputProperty (RROutputPtr outp
case PropModePrepend:
new_data = new_value.data;
old_data = (pointer) (((char *) new_value.data) +
- (prop_value->size * size_in_bytes));
+ (len * size_in_bytes));
break;
}
if (new_data)
