authorLeo <thinkabit.ukim@gmail.com>2020-10-22 10:58:59 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-10-22 11:01:15 -0300
commit88af7b2383f71ae26ce4f9b978a3a786e3957e9c (patch)
tree6285eb470bee01c83e617af0f5b897757c0c4780
parentbd0c62f6b9c88da21a1df03c538b4ad5feae4ec1 (diff)
main/xorg-server: fix various CVEs
-rw-r--r--main/xorg-server/APKBUILD18
-rw-r--r--main/xorg-server/CVE-2020-14345.patch178
-rw-r--r--main/xorg-server/CVE-2020-14346.patch31
-rw-r--r--main/xorg-server/CVE-2020-14361.patch31
-rw-r--r--main/xorg-server/CVE-2020-14362.patch65
5 files changed, 321 insertions, 2 deletions
diff --git a/main/xorg-server/APKBUILD b/main/xorg-server/APKBUILD
index 767e58f190..8577904393 100644
--- a/main/xorg-server/APKBUILD
+++ b/main/xorg-server/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xorg-server
pkgver=1.20.3
-pkgrel=1
+pkgrel=2
pkgdesc="X.Org X servers"
url="http://xorg.freedesktop.org"
arch="all"
@@ -61,10 +61,19 @@ source="https://www.x.org/releases/individual/xserver/$pkgname-$pkgver.tar.bz2
autoconfig-sis.patch
fix-musl-arm.patch
20-modules.conf
+ CVE-2020-14345.patch
+ CVE-2020-14346.patch
+ CVE-2020-14361.patch
+ CVE-2020-14362.patch
"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 1.20.3-r2:
+# - CVE-2020-14345
+# - CVE-2020-14346
+# - CVE-2020-14361
+# - CVE-2020-14362
# 1.20.3-r0:
# - CVE-2018-14665
# 1.19.5-r0:
@@ -181,8 +190,13 @@ xwayland() {
mv "$pkgdir"/usr/bin/Xwayland "$subpkgdir"/usr/bin/
}
+
sha512sums="ee44554f86df4297f54c5871fe7a18954eeef4338775a25f36d6577b279c4775f61128da71b86cfaeadcc080838d6749dede138d4db178866579da2056543fba xorg-server-1.20.3.tar.bz2
4dcaa60fbfc61636e7220a24a72bba19984a6dc752061cb40b1bd566c0e614d08927b6c223ffaaaa05636765fddacdc3113fde55d25fd09cd0c786ff44f51447 autoconfig-nvidia.patch
30a78f4278edd535c45ee3f80933427cb029a13abaa4b041f816515fdd8f64f00b9c6aef50d4eba2aaf0d4f333e730399864fd97fa18891273601c77a6637200 autoconfig-sis.patch
b799e757a22a61ac283adbd7a8df1ad4eccce0bb6cac38a0c962ba8438bba3cf6637a65bb64859e7b32399fca672283a49960207e186c271ba574580de360d09 fix-musl-arm.patch
-95036f2452732cc31f6b646da9f46b7be30f4c9392724386b02f67fece1f506b00e15d14cbd8cf0ce75ca1fd144b4bea7e59288d4aaf4d6c1e06e5168931eb67 20-modules.conf"
+95036f2452732cc31f6b646da9f46b7be30f4c9392724386b02f67fece1f506b00e15d14cbd8cf0ce75ca1fd144b4bea7e59288d4aaf4d6c1e06e5168931eb67 20-modules.conf
+3e411cb0af272b3f89ce9b8bb7e35eef703b4a01d8722331aaf3d365cd7867a28deee8d5224ceb8fe0cd63e9cf600f05d7360aa5ffb4c0ae2655e80e6430f7f9 CVE-2020-14345.patch
+6981bb37302e6c6afc6e389698eef1e1021577a6ac54a81ec0470cc198a975274db8a2b6d9ecd0b22a1c8bb6aff07d37030c3cd451467452e6a05203f942e296 CVE-2020-14346.patch
+4acf43c8a08a3ee3012cf9ae1af517bf8f7cc493316e6d9f5b55f39b205f22406b757618024e70ed98f9c56baa238ed166bcf8aa26995d33183e1e323c48f9c8 CVE-2020-14361.patch
+0fa92233e405b74de6dc4ee144d995581f0ab7fbf7ee5f8410e4a842496724ac9425ed6406881d005e4fc70d01d4d05c4aff83491683f3e270e9ba360cb94d52 CVE-2020-14362.patch"
diff --git a/main/xorg-server/CVE-2020-14345.patch b/main/xorg-server/CVE-2020-14345.patch
new file mode 100644
index 0000000000..677bcbce38
--- /dev/null
+++ b/main/xorg-server/CVE-2020-14345.patch
@@ -0,0 +1,178 @@
+From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:46:32 +0200
+Subject: [PATCH] Correct bounds checking in XkbSetNames()
+
+CVE-2020-14345 / ZDI 11428
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index d93078a6e3..8e016cd746 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
+ #define CHK_REQ_KEY_RANGE(err,first,num,r) \
+ CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
+
++static Bool
++_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
++ char *cstuff = (char *)stuff;
++ char *cfrom = (char *)from;
++ char *cto = (char *)to;
++
++ return cfrom < cto &&
++ cfrom >= cstuff &&
++ cfrom < cstuff + ((size_t)client->req_len << 2) &&
++ cto >= cstuff &&
++ cto <= cstuff + ((size_t)client->req_len << 2);
++}
++
+ /***====================================================================***/
+
+ int
+@@ -4048,6 +4061,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
+ return BadAccess;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
++ return BadLength;
+ old = tmp;
+ tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
+ if (!tmp) {
+@@ -4077,6 +4092,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ }
+ width = (CARD8 *) tmp;
+ tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
++ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
++ return BadLength;
+ type = &xkb->map->types[stuff->firstKTLevel];
+ for (i = 0; i < stuff->nKTLevels; i++, type++) {
+ if (width[i] == 0)
+@@ -4086,6 +4103,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ type->num_levels, width[i]);
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
++ return BadLength;
+ tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
+ if (!tmp) {
+ client->errorValue = bad;
+@@ -4098,6 +4117,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x08;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->indicators)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
+ client->swapped, &bad);
+ if (!tmp) {
+@@ -4110,6 +4132,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x09;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->virtualMods)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
+ (CARD32) stuff->virtualMods,
+ client->swapped, &bad);
+@@ -4123,6 +4148,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = 0x0a;
+ return BadMatch;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + Ones(stuff->groupNames)))
++ return BadLength;
+ tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
+ (CARD32) stuff->groupNames,
+ client->swapped, &bad);
+@@ -4144,9 +4172,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ stuff->nKeys);
+ return BadValue;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
++ return BadLength;
+ tmp += stuff->nKeys;
+ }
+ if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + (stuff->nKeyAliases * 2)))
++ return BadLength;
+ tmp += stuff->nKeyAliases * 2;
+ }
+ if (stuff->which & XkbRGNamesMask) {
+@@ -4154,6 +4187,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
+ client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
+ return BadValue;
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp,
++ tmp + stuff->nRadioGroups))
++ return BadLength;
+ tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
+ if (!tmp) {
+ client->errorValue = bad;
+@@ -4347,6 +4383,8 @@ ProcXkbSetNames(ClientPtr client)
+ /* check device-independent stuff */
+ tmp = (CARD32 *) &stuff[1];
+
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbKeycodesNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4354,6 +4392,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbGeometryNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4361,6 +4401,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbSymbolsNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4368,6 +4410,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbPhysSymbolsNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4375,6 +4419,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbTypesNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+@@ -4382,6 +4428,8 @@ ProcXkbSetNames(ClientPtr client)
+ return BadAtom;
+ }
+ }
++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
++ return BadLength;
+ if (stuff->which & XkbCompatNameMask) {
+ tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
+ if (!tmp) {
+--
+GitLab
+
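Review bot: In the ProcXkbSetNames hunks the added `_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)` calls sit in front of each `if (stuff->which & ...NameMask)` test, so they demand one more CARD32 of payload even when that mask bit is clear and nothing is read. Because the helper also requires `cfrom < cstuff + ((size_t)client->req_len << 2)`, a request whose data ends exactly at `tmp` appears to be rejected with BadLength before the remaining fields are examined. Moving each check inside its own `if (stuff->which & ...)` block, directly before the `_XkbCheckAtoms(tmp, 1, ...)` call, would keep the bound on every atom that is actually read without rejecting shorter requests. The helper itself would also benefit from a short comment saying that `from`/`to` delimit a half-open range inside the request and that `req_len` counts 4-byte units. ProcXkbSetNames starts and ends outside these hunks, so whether such short requests occur in practice should be confirmed against the rest of the function.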
diff --git a/main/xorg-server/CVE-2020-14346.patch b/main/xorg-server/CVE-2020-14346.patch
new file mode 100644
index 0000000000..a2b771c2cf
--- /dev/null
+++ b/main/xorg-server/CVE-2020-14346.patch
@@ -0,0 +1,31 @@
+From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:49:04 +0200
+Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
+
+CVE-2020-14346 / ZDI-CAN-11429
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/xichangehierarchy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index cbdd912581..504defe566 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ if (!stuff->num_changes)
+ return rc;
+
+- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
++ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
+
+ any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+ while (stuff->num_changes--) {
+--
+GitLab
+
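Review bot: The new `len` computation in ProcXIChangeHierarchy is still an unsigned subtraction, so it is only safe when `client->req_len << 2` is already known to be at least `sizeof(xXIChangeHierarchyReq)`; that guard is not visible in the hunk, and the function body starts and ends outside it. A comment on the line would record the reason for the change, for example `/* size from client->req_len, not the client-supplied stuff->length field */`, together with a pointer to the size check that makes the subtraction safe. The same applies to `dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);` in the xkb/xkbSwap.c hunk of CVE-2020-14361.patch, where `dataLeft` is a plain `unsigned`. It is worth confirming that a `REQUEST_AT_LEAST_SIZE` check precedes both lines.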
diff --git a/main/xorg-server/CVE-2020-14361.patch b/main/xorg-server/CVE-2020-14361.patch
new file mode 100644
index 0000000000..f17d8e7fc0
--- /dev/null
+++ b/main/xorg-server/CVE-2020-14361.patch
@@ -0,0 +1,31 @@
+From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:52:29 +0200
+Subject: [PATCH] Fix XkbSelectEvents() integer underflow
+
+CVE-2020-14361 ZDI-CAN 11573
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ xkb/xkbSwap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
+index 1c1ed5ff46..50cabb90e5 100644
+--- a/xkb/xkbSwap.c
++++ b/xkb/xkbSwap.c
+@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
+ register unsigned bit, ndx, maskLeft, dataLeft, size;
+
+ from.c8 = (CARD8 *) &stuff[1];
+- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
++ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+ maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
+ for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
+ if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
+--
+GitLab
+
diff --git a/main/xorg-server/CVE-2020-14362.patch b/main/xorg-server/CVE-2020-14362.patch
new file mode 100644
index 0000000000..8f16804473
--- /dev/null
+++ b/main/xorg-server/CVE-2020-14362.patch
@@ -0,0 +1,65 @@
+From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
+
+CVE-2020-14362 ZDI-CAN-11574
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ record/record.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index f2d38c877e..be154525d2 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ } /* SProcRecordQueryVersion */
+
+ static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
++SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ {
+ int i;
+ XID *pClientID;
+@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+ swapl(&stuff->nRanges);
+ pClientID = (XID *) &stuff[1];
+ if (stuff->nClients >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++) {
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ - stuff->nClients)
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+--
+GitLab
+
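Review bot: SwapCreateRegister subtracts `bytes_to_int32(sz_xRecordRegisterClientsReq)` from `client->req_len`, but SProcRecordCreateContext guards with `REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq)` and then passes its request through a `(void *)` cast. The subtraction in the helper therefore cannot wrap only if the two request structs have the same size, which these hunks do not show. A comment above the helper stating that assumption, such as `/* shared by CreateContext and RegisterClients; both requests must have the same fixed size */`, would make the dependency explicit. A compile-time size assertion would enforce it if the tree's C dialect allows one.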