Message ID | 20230714150551.3431226-1-kai.kang@windriver.com |
---|---|
State | New |
Headers | show |
Series | [mickledore] libx11: fix CVE-2023-3138 | expand |
This is being handled with a stable branch version bump which is in the current test queue: "libx11: upgrade 1.8.5 -> 1.8.6" Steve On Fri, Jul 14, 2023 at 5:05 AM Kai Kang <kai.kang@eng.windriver.com> wrote: > > From: Kai Kang <kai.kang@windriver.com> > > CVE: CVE-2023-3138 > > Backport patch to fix CVE-2023-3138 for libx11. > > Signed-off-by: Kai Kang <kai.kang@windriver.com> > --- > .../xorg-lib/libx11/CVE-2023-3138.patch | 113 ++++++++++++++++++ > .../recipes-graphics/xorg-lib/libx11_1.8.5.bb | 4 +- > 2 files changed, 116 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch > > diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch > new file mode 100644 > index 0000000000..0d9397dd95 > --- /dev/null > +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch > @@ -0,0 +1,113 @@ > +From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001 > +From: Alan Coopersmith <alan.coopersmith@oracle.com> > +Date: Sat, 10 Jun 2023 16:30:07 -0700 > +Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, & > + error codes > + > +Fixes CVE-2023-3138: X servers could return values from XQueryExtension > +that would cause Xlib to write entries out-of-bounds of the arrays to > +store them, though this would only overwrite other parts of the Display > +struct, not outside the bounds allocated for that structure. > + > +Reported-by: Gregory James DUCK <gjduck@gmail.com> > +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> > + > +CVE: CVE-2023-3138 > +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654] > + > +Signed-off-by: Kai Kang <kai.kang@windriver.com> > +--- > + src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ > + 1 file changed, 42 insertions(+) > + > +diff --git a/src/InitExt.c b/src/InitExt.c > +index 4de46f15..afc00a6b 100644 > +--- a/src/InitExt.c > ++++ b/src/InitExt.c > +@@ -33,6 +33,18 @@ from The Open Group. > + #include <X11/Xos.h> > + #include <stdio.h> > + > ++/* The X11 protocol spec reserves events 64 through 127 for extensions */ > ++#ifndef LastExtensionEvent > ++#define LastExtensionEvent 127 > ++#endif > ++ > ++/* The X11 protocol spec reserves requests 128 through 255 for extensions */ > ++#ifndef LastExtensionRequest > ++#define FirstExtensionRequest 128 > ++#define LastExtensionRequest 255 > ++#endif > ++ > ++ > + /* > + * This routine is used to link a extension in so it will be called > + * at appropriate times. > +@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent( > + WireToEventType proc) /* routine to call when converting event */ > + { > + register WireToEventType oldproc; > ++ if (event_number < 0 || > ++ event_number > LastExtensionEvent) { > ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", > ++ event_number); > ++ return (WireToEventType)_XUnknownWireEvent; > ++ } > + if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; > + LockDisplay (dpy); > + oldproc = dpy->event_vec[event_number]; > +@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie( > + ) > + { > + WireToEventCookieType oldproc; > ++ if (extension < FirstExtensionRequest || > ++ extension > LastExtensionRequest) { > ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", > ++ extension); > ++ return (WireToEventCookieType)_XUnknownWireEventCookie; > ++ } > + if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; > + LockDisplay (dpy); > + oldproc = dpy->generic_event_vec[extension & 0x7F]; > +@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie( > + ) > + { > + CopyEventCookieType oldproc; > ++ if (extension < FirstExtensionRequest || > ++ extension > LastExtensionRequest) { > ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", > ++ extension); > ++ return (CopyEventCookieType)_XUnknownCopyEventCookie; > ++ } > + if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; > + LockDisplay (dpy); > + oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; > +@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire( > + EventToWireType proc) /* routine to call when converting event */ > + { > + register EventToWireType oldproc; > ++ if (event_number < 0 || > ++ event_number > LastExtensionEvent) { > ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", > ++ event_number); > ++ return (EventToWireType)_XUnknownNativeEvent; > ++ } > + if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; > + LockDisplay (dpy); > + oldproc = dpy->wire_vec[event_number]; > +@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError( > + WireToErrorType proc) /* routine to call when converting error */ > + { > + register WireToErrorType oldproc = NULL; > ++ if (error_number < 0 || > ++ error_number > LastExtensionError) { > ++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", > ++ error_number); > ++ return (WireToErrorType)_XDefaultWireError; > ++ } > + if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; > + LockDisplay (dpy); > + if (!dpy->error_vec) { > +-- > +GitLab > + > diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb > index cf2e29471a..028a757d39 100644 > --- a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb > +++ b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb > @@ -22,7 +22,9 @@ PE = "1" > > XORG_PN = "libX11" > > -SRC_URI += "file://disable_tests.patch" > +SRC_URI += "file://disable_tests.patch \ > + file://CVE-2023-3138.patch \ > + " > > SRC_URI[sha256sum] = "e362c6f03c793171becd1ce2078c64789504c7d7ff48ee40a76ff76b59f6b561" > > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#184270): https://lists.openembedded.org/g/openembedded-core/message/184270 > Mute This Topic: https://lists.openembedded.org/mt/100142997/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On 7/15/23 00:13, Steve Sakoman wrote: > This is being handled with a stable branch version bump which is in > the current test queue: "libx11: upgrade 1.8.5 -> 1.8.6" OK. Thanks. Kai > > Steve > > On Fri, Jul 14, 2023 at 5:05 AM Kai Kang <kai.kang@eng.windriver.com> wrote: >> From: Kai Kang <kai.kang@windriver.com> >> >> CVE: CVE-2023-3138 >> >> Backport patch to fix CVE-2023-3138 for libx11. >> >> Signed-off-by: Kai Kang <kai.kang@windriver.com> >> --- >> .../xorg-lib/libx11/CVE-2023-3138.patch | 113 ++++++++++++++++++ >> .../recipes-graphics/xorg-lib/libx11_1.8.5.bb | 4 +- >> 2 files changed, 116 insertions(+), 1 deletion(-) >> create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch >> >> diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch >> new file mode 100644 >> index 0000000000..0d9397dd95 >> --- /dev/null >> +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch >> @@ -0,0 +1,113 @@ >> +From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001 >> +From: Alan Coopersmith <alan.coopersmith@oracle.com> >> +Date: Sat, 10 Jun 2023 16:30:07 -0700 >> +Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, & >> + error codes >> + >> +Fixes CVE-2023-3138: X servers could return values from XQueryExtension >> +that would cause Xlib to write entries out-of-bounds of the arrays to >> +store them, though this would only overwrite other parts of the Display >> +struct, not outside the bounds allocated for that structure. >> + >> +Reported-by: Gregory James DUCK <gjduck@gmail.com> >> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> >> + >> +CVE: CVE-2023-3138 >> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654] >> + >> +Signed-off-by: Kai Kang <kai.kang@windriver.com> >> +--- >> + src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ >> + 1 file changed, 42 insertions(+) >> + >> +diff --git a/src/InitExt.c b/src/InitExt.c >> +index 4de46f15..afc00a6b 100644 >> +--- a/src/InitExt.c >> ++++ b/src/InitExt.c >> +@@ -33,6 +33,18 @@ from The Open Group. >> + #include <X11/Xos.h> >> + #include <stdio.h> >> + >> ++/* The X11 protocol spec reserves events 64 through 127 for extensions */ >> ++#ifndef LastExtensionEvent >> ++#define LastExtensionEvent 127 >> ++#endif >> ++ >> ++/* The X11 protocol spec reserves requests 128 through 255 for extensions */ >> ++#ifndef LastExtensionRequest >> ++#define FirstExtensionRequest 128 >> ++#define LastExtensionRequest 255 >> ++#endif >> ++ >> ++ >> + /* >> + * This routine is used to link a extension in so it will be called >> + * at appropriate times. >> +@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent( >> + WireToEventType proc) /* routine to call when converting event */ >> + { >> + register WireToEventType oldproc; >> ++ if (event_number < 0 || >> ++ event_number > LastExtensionEvent) { >> ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", >> ++ event_number); >> ++ return (WireToEventType)_XUnknownWireEvent; >> ++ } >> + if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; >> + LockDisplay (dpy); >> + oldproc = dpy->event_vec[event_number]; >> +@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie( >> + ) >> + { >> + WireToEventCookieType oldproc; >> ++ if (extension < FirstExtensionRequest || >> ++ extension > LastExtensionRequest) { >> ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", >> ++ extension); >> ++ return (WireToEventCookieType)_XUnknownWireEventCookie; >> ++ } >> + if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; >> + LockDisplay (dpy); >> + oldproc = dpy->generic_event_vec[extension & 0x7F]; >> +@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie( >> + ) >> + { >> + CopyEventCookieType oldproc; >> ++ if (extension < FirstExtensionRequest || >> ++ extension > LastExtensionRequest) { >> ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", >> ++ extension); >> ++ return (CopyEventCookieType)_XUnknownCopyEventCookie; >> ++ } >> + if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; >> + LockDisplay (dpy); >> + oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; >> +@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire( >> + EventToWireType proc) /* routine to call when converting event */ >> + { >> + register EventToWireType oldproc; >> ++ if (event_number < 0 || >> ++ event_number > LastExtensionEvent) { >> ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", >> ++ event_number); >> ++ return (EventToWireType)_XUnknownNativeEvent; >> ++ } >> + if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; >> + LockDisplay (dpy); >> + oldproc = dpy->wire_vec[event_number]; >> +@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError( >> + WireToErrorType proc) /* routine to call when converting error */ >> + { >> + register WireToErrorType oldproc = NULL; >> ++ if (error_number < 0 || >> ++ error_number > LastExtensionError) { >> ++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", >> ++ error_number); >> ++ return (WireToErrorType)_XDefaultWireError; >> ++ } >> + if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; >> + LockDisplay (dpy); >> + if (!dpy->error_vec) { >> +-- >> +GitLab >> + >> diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb >> index cf2e29471a..028a757d39 100644 >> --- a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb >> +++ b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb >> @@ -22,7 +22,9 @@ PE = "1" >> >> XORG_PN = "libX11" >> >> -SRC_URI += "file://disable_tests.patch" >> +SRC_URI += "file://disable_tests.patch \ >> + file://CVE-2023-3138.patch \ >> + " >> >> SRC_URI[sha256sum] = "e362c6f03c793171becd1ce2078c64789504c7d7ff48ee40a76ff76b59f6b561" >> >> -- >> 2.34.1 >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#184270): https://lists.openembedded.org/g/openembedded-core/message/184270 >> Mute This Topic: https://lists.openembedded.org/mt/100142997/3620601 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] >> -=-=-=-=-=-=-=-=-=-=-=- >>
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch new file mode 100644 index 0000000000..0d9397dd95 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch @@ -0,0 +1,113 @@ +From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 10 Jun 2023 16:30:07 -0700 +Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, & + error codes + +Fixes CVE-2023-3138: X servers could return values from XQueryExtension +that would cause Xlib to write entries out-of-bounds of the arrays to +store them, though this would only overwrite other parts of the Display +struct, not outside the bounds allocated for that structure. + +Reported-by: Gregory James DUCK <gjduck@gmail.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +CVE: CVE-2023-3138 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- + src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +diff --git a/src/InitExt.c b/src/InitExt.c +index 4de46f15..afc00a6b 100644 +--- a/src/InitExt.c ++++ b/src/InitExt.c +@@ -33,6 +33,18 @@ from The Open Group. + #include <X11/Xos.h> + #include <stdio.h> + ++/* The X11 protocol spec reserves events 64 through 127 for extensions */ ++#ifndef LastExtensionEvent ++#define LastExtensionEvent 127 ++#endif ++ ++/* The X11 protocol spec reserves requests 128 through 255 for extensions */ ++#ifndef LastExtensionRequest ++#define FirstExtensionRequest 128 ++#define LastExtensionRequest 255 ++#endif ++ ++ + /* + * This routine is used to link a extension in so it will be called + * at appropriate times. +@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent( + WireToEventType proc) /* routine to call when converting event */ + { + register WireToEventType oldproc; ++ if (event_number < 0 || ++ event_number > LastExtensionEvent) { ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", ++ event_number); ++ return (WireToEventType)_XUnknownWireEvent; ++ } + if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; + LockDisplay (dpy); + oldproc = dpy->event_vec[event_number]; +@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie( + ) + { + WireToEventCookieType oldproc; ++ if (extension < FirstExtensionRequest || ++ extension > LastExtensionRequest) { ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", ++ extension); ++ return (WireToEventCookieType)_XUnknownWireEventCookie; ++ } + if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; + LockDisplay (dpy); + oldproc = dpy->generic_event_vec[extension & 0x7F]; +@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie( + ) + { + CopyEventCookieType oldproc; ++ if (extension < FirstExtensionRequest || ++ extension > LastExtensionRequest) { ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", ++ extension); ++ return (CopyEventCookieType)_XUnknownCopyEventCookie; ++ } + if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; + LockDisplay (dpy); + oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; +@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire( + EventToWireType proc) /* routine to call when converting event */ + { + register EventToWireType oldproc; ++ if (event_number < 0 || ++ event_number > LastExtensionEvent) { ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", ++ event_number); ++ return (EventToWireType)_XUnknownNativeEvent; ++ } + if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; + LockDisplay (dpy); + oldproc = dpy->wire_vec[event_number]; +@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError( + WireToErrorType proc) /* routine to call when converting error */ + { + register WireToErrorType oldproc = NULL; ++ if (error_number < 0 || ++ error_number > LastExtensionError) { ++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", ++ error_number); ++ return (WireToErrorType)_XDefaultWireError; ++ } + if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; + LockDisplay (dpy); + if (!dpy->error_vec) { +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb index cf2e29471a..028a757d39 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb @@ -22,7 +22,9 @@ PE = "1" XORG_PN = "libX11" -SRC_URI += "file://disable_tests.patch" +SRC_URI += "file://disable_tests.patch \ + file://CVE-2023-3138.patch \ + " SRC_URI[sha256sum] = "e362c6f03c793171becd1ce2078c64789504c7d7ff48ee40a76ff76b59f6b561"