diff mbox series

[dunfell,v2] libx11: fix CVE-2022-3555 memory leak in _XFreeX11XCBStructure() of xcb_disp.c

Message ID 20221117062559.185941-1-vkumbhar@mvista.com
State New, archived

Commit Message

Vivek Kumbhar Nov. 17, 2022, 6:25 a.m. UTC
From: Vivek Kumbhar <vkumbhar@mvista.com>

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 .../xorg-lib/libx11/CVE-2022-3555.patch       | 38 +++++++++++++++++++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch

Comments

Ranjitsinh Rathod Nov. 17, 2022, 10:19 a.m. UTC | #1
Hi all,

When I see the below link from NVD, latest analysis shows that this CVE is not a security bug.
Link - https://nvd.nist.gov/vuln/detail/CVE-2022-3555

I have a question for all: do we really need to fix this as a security issue?

@Steve, What do you suggest?
I have also come across some other CVEs for binutils which were rejected by NVD. The thing is NVD rejected these CVEs, but it is still showing as Unpatched by cve-tool in Yocto.
https://nvd.nist.gov/vuln/detail/CVE-2022-38126
https://nvd.nist.gov/vuln/detail/CVE-2022-38127
https://nvd.nist.gov/vuln/detail/CVE-2022-38128


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader |  | KPIT Technologies Ltd.
Cellphone: +91-84606 92403
Steve Sakoman Nov. 17, 2022, 2:33 p.m. UTC | #2
On Thu, Nov 17, 2022 at 12:19 AM Ranjitsinh Rathod <
Ranjitsinh.Rathod@kpit.com> wrote:

> Hi all,
>
> When I see the below link from NVD, latest analysis shows that this CVE is
> not a security bug.
> Link - https://nvd.nist.gov/vuln/detail/CVE-2022-3555
>
> I have a question for all: do we really need to fix this as a security
> issue?
>

No, I think you may be working from an old CVE report.  If you check the
weekly report from Sun 06 Nov 2022 you'll
see that the database was updated and this CVE (and one other) have been
removed:

https://lists.openembedded.org/g/openembedded-core/message/172763

> I have also come across some other CVEs for binutils which were rejected by
> NVD. The thing is NVD rejected these CVEs, but it is still showing as
> Unpatched by cve-tool in Yocto.
> https://nvd.nist.gov/vuln/detail/CVE-2022-38126
> https://nvd.nist.gov/vuln/detail/CVE-2022-38127
> https://nvd.nist.gov/vuln/detail/CVE-2022-38128
>

Same situation here, the database was recently updated and these CVEs
removed.  See Sun 13 Nov 2022 report:

https://lists.openembedded.org/g/openembedded-core/message/173190

Steve




> Thanks,
>
> Best Regards,
>
> *Ranjitsinh Rathod*
> Technical Leader |  | KPIT Technologies Ltd.
> Cellphone: +91-84606 92403
>
> ------------------------------
> *From:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> on behalf of vkumbhar via
> lists.openembedded.org <vkumbhar=mvista.com@lists.openembedded.org>
> *Sent:* Thursday, November 17, 2022 11:55 AM
> *To:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org>
> *Cc:* Vivek Kumbhar <vkumbhar@mvista.com>
> *Subject:* [OE-core][dunfell][PATCH v2] libx11: fix CVE-2022-3555 memory
> leak in _XFreeX11XCBStructure() of xcb_disp.c
>
> From: Vivek Kumbhar <vkumbhar@mvista.com>
>
> Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
>
> Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> ---
>  .../xorg-lib/libx11/CVE-2022-3555.patch       | 38 +++++++++++++++++++
>  .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |  1 +
>  2 files changed, 39 insertions(+)
>  create mode 100644
> meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
>
> diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
> b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
> new file mode 100644
> index 0000000000..82309e7f62
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
> @@ -0,0 +1,38 @@
> +From 5f43fbe704d32a6934bb3b3957feb85c20414ad9 Mon Sep 17 00:00:00 2001
> +From: Vivek Kumbhar <vkumbhar@mvista.com>
> +Date: Thu, 17 Nov 2022 11:33:01 +0530
> +Subject: [PATCH] CVE-2022-3555
> +
> +Upstream-Status: Backport [
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Flib%2Flibx11%2F-%2Fcommit%2F8a368d808fec166b5fb3dfe6312aab22c7ee20af&amp;data=05%7C01%7Cranjitsinh.rathod%40kpit.com%7C3e0855325f3b4933ce4108dac864a287%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638042631831458383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=unGI59Cc2Rqxlr3JY6eu%2BU72w5p%2FmZOpcn5b7WhNlno%3D&amp;reserved=0
> ]
> +CVE: CVE-2022-3555
> +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> +
> +Fix two memory leaks in _XFreeX11XCBStructure()
> +
> +Even when XCloseDisplay() was called, some memory was leaked.
> +
> +XCloseDisplay() calls _XFreeDisplayStructure(), which calls
> +_XFreeX11XCBStructure().
> +
> +However, _XFreeX11XCBStructure() did not destroy the condition variables,
> +resulting in the leaking of some 40 bytes.
> +---
> + src/xcb_disp.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/xcb_disp.c b/src/xcb_disp.c
> +index 0fa40de..03fa1e8 100644
> +--- a/src/xcb_disp.c
> ++++ b/src/xcb_disp.c
> +@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
> +               dpy->xcb->pending_requests = tmp->next;
> +               free(tmp);
> +       }
> ++      xcondition_clear(dpy->xcb->event_notify);
> ++      xcondition_clear(dpy->xcb->reply_notify);
> +       xcondition_free(dpy->xcb->event_notify);
> +       xcondition_free(dpy->xcb->reply_notify);
> +       Xfree(dpy->xcb);
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
> b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
> index 72ab1d4150..ad3fab1204 100644
> --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
> +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
> @@ -17,6 +17,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
>              file://CVE-2020-14363.patch \
>              file://CVE-2021-31535.patch \
>              file://CVE-2022-3554.patch \
> +            file://CVE-2022-3555.patch \
>  "
>
>  SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
> --
> 2.25.1
>

Patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
new file mode 100644
index 0000000000..82309e7f62
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
@@ -0,0 +1,38 @@ 
+From 5f43fbe704d32a6934bb3b3957feb85c20414ad9 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Thu, 17 Nov 2022 11:33:01 +0530
+Subject: [PATCH] CVE-2022-3555
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
+CVE: CVE-2022-3555
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+Fix two memory leaks in _XFreeX11XCBStructure()
+
+Even when XCloseDisplay() was called, some memory was leaked.
+
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+---
+ src/xcb_disp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 0fa40de..03fa1e8 100644
+--- a/src/xcb_disp.c
++++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+ 		dpy->xcb->pending_requests = tmp->next;
+ 		free(tmp);
+ 	}
++	xcondition_clear(dpy->xcb->event_notify);
++	xcondition_clear(dpy->xcb->reply_notify);
+ 	xcondition_free(dpy->xcb->event_notify);
+ 	xcondition_free(dpy->xcb->reply_notify);
+ 	Xfree(dpy->xcb);
+-- 
+2.25.1
+
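Review bot: The header of the embedded patch file is the submitter's own (the From line, a Date of 17 Nov 2022 and "Subject: [PATCH] CVE-2022-3555") even though Upstream-Status marks it as a backport of commit 8a368d808fec166b5fb3dfe6312aab22c7ee20af, and the descriptive title "Fix two memory leaks in _XFreeX11XCBStructure()" only appears below the tags. Suggest keeping the upstream commit's author, date and subject in the header and placing the Upstream-Status, CVE and Signed-off-by tags after the original message, so the file can be matched against the upstream commit. The outer commit message also has no description beyond its tags; a sentence stating that the change adds xcondition_clear() calls before the existing xcondition_free() calls, and that the stated impact is a leak of some 40 bytes on XCloseDisplay(), would let a maintainer judge whether the CVE tag is warranted without opening the patch file.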
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index 72ab1d4150..ad3fab1204 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -17,6 +17,7 @@  SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
             file://CVE-2020-14363.patch \
             file://CVE-2021-31535.patch \
             file://CVE-2022-3554.patch \
+            file://CVE-2022-3555.patch \
 "
 
 SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"