Message ID | 20211229013051.36342-1-kai.kang@windriver.com |
---|---|
Headers | show |
Series | Fix CVEs of xserver-xorg | expand |
On 12/29/21 9:30 AM, kai wrote: > From: Kai Kang <kai.kang@windriver.com> > > Backport patch to fix CVE-2021-4008 for xserver-xorg. > > CVE: CVE-2021-4008 Ping. Kai > > Signed-off-by: Kai Kang <kai.kang@windriver.com> > --- > .../xserver-xorg/CVE-2021-4008.patch | 59 +++++++++++++++++++ > .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 + > 2 files changed, 60 insertions(+) > create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch > > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch > new file mode 100644 > index 0000000000..3277be0185 > --- /dev/null > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch > @@ -0,0 +1,59 @@ > +Backport patch to fix CVE-2021-4008. > + > +CVE: CVE-2021-4008 > +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2] > + > +Signed-off-by: Kai Kang <kai.kang@windriver.com> > + > +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001 > +From: Povilas Kanapickas <povilas@radix.lt> > +Date: Tue, 14 Dec 2021 15:00:03 +0200 > +Subject: [PATCH] render: Fix out of bounds access in > + SProcRenderCompositeGlyphs() > + > +ZDI-CAN-14192, CVE-2021-4008 > + > +This vulnerability was discovered and the fix was suggested by: > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative > + > +Signed-off-by: Povilas Kanapickas <povilas@radix.lt> > +--- > + render/render.c | 9 +++++++++ > + 1 file changed, 9 insertions(+) > + > +diff --git a/render/render.c b/render/render.c > +index c376090ca..456f156d4 100644 > +--- a/render/render.c > ++++ b/render/render.c > +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) > + > + i = elt->len; > + if (i == 0xff) { > ++ if (buffer + 4 > end) { > ++ return BadLength; > ++ } > + swapl((int *) buffer); > + buffer += 4; > + } > +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) > + buffer += i; > + break; > + case 2: > ++ if (buffer + i * 2 > end) { > ++ return BadLength; > ++ } > + while (i--) { > + swaps((short *) buffer); > + buffer += 2; > + } > + break; > + case 4: > ++ if (buffer + i * 4 > end) { > ++ return BadLength; > ++ } > + while (i--) { > + swapl((int *) buffer); > + buffer += 4; > +-- > +GitLab > + > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb > index e0551fa999..9a7aa1ed9a 100644 > --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb > @@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat > file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \ > file://CVE-2021-3472.patch \ > file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \ > + file://CVE-2021-4008.patch \ > " > SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99" > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#160043): https://lists.openembedded.org/g/openembedded-core/message/160043 > Mute This Topic: https://lists.openembedded.org/mt/88007524/3616933 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [kai.kang@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Fri, 2022-01-07 at 10:56 +0800, kai wrote: > On 12/29/21 9:30 AM, kai wrote: > > > From: Kai Kang <kai.kang@windriver.com> > > > > Backport patch to fix CVE-2021-4008 for xserver-xorg. > > > > CVE: CVE-2021-4008 > Ping. > Kai > This is in this week's pull request and should get merged soon. Thanks, Anuj > > > > Signed-off-by: Kai Kang <kai.kang@windriver.com> > > --- > > .../xserver-xorg/CVE-2021-4008.patch | 59 > > +++++++++++++++++++ > > .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 + > > 2 files changed, 60 insertions(+) > > create mode 100644 meta/recipes-graphics/xorg-xserver/xserver- > > xorg/CVE-2021-4008.patch > > > > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE- > > 2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver- > > xorg/CVE-2021-4008.patch > > new file mode 100644 > > index 0000000000..3277be0185 > > --- /dev/null > > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021- > > 4008.patch > > @@ -0,0 +1,59 @@ > > +Backport patch to fix CVE-2021-4008. > > + > > +CVE: CVE-2021-4008 > > +Upstream-Status: Backport > > [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2] > > + > > +Signed-off-by: Kai Kang <kai.kang@windriver.com> > > + > > +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 > > 2001 > > +From: Povilas Kanapickas <povilas@radix.lt> > > +Date: Tue, 14 Dec 2021 15:00:03 +0200 > > +Subject: [PATCH] render: Fix out of bounds access in > > + SProcRenderCompositeGlyphs() > > + > > +ZDI-CAN-14192, CVE-2021-4008 > > + > > +This vulnerability was discovered and the fix was suggested by: > > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative > > + > > +Signed-off-by: Povilas Kanapickas <povilas@radix.lt> > > +--- > > + render/render.c | 9 +++++++++ > > + 1 file changed, 9 insertions(+) > > + > > +diff --git a/render/render.c b/render/render.c > > +index c376090ca..456f156d4 100644 > > +--- a/render/render.c > > ++++ b/render/render.c > > +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) > > + > > + i = elt->len; > > + if (i == 0xff) { > > ++ if (buffer + 4 > end) { > > ++ return BadLength; > > ++ } > > + swapl((int *) buffer); > > + buffer += 4; > > + } > > +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr > > client) > > + buffer += i; > > + break; > > + case 2: > > ++ if (buffer + i * 2 > end) { > > ++ return BadLength; > > ++ } > > + while (i--) { > > + swaps((short *) buffer); > > + buffer += 2; > > + } > > + break; > > + case 4: > > ++ if (buffer + i * 4 > end) { > > ++ return BadLength; > > ++ } > > + while (i--) { > > + swapl((int *) buffer); > > + buffer += 4; > > +-- > > +GitLab > > + > > diff --git a/meta/recipes-graphics/xorg-xserver/xserver- > > xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver- > > xorg_1.20.10.bb > > index e0551fa999..9a7aa1ed9a 100644 > > --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb > > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb > > @@ -9,6 +9,7 @@ SRC_URI += > > "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.p > > at > > file://0001-Fix-segfault-on-probing-a-non-PCI-platform- > > device-on.patch \ > > file://CVE-2021-3472.patch \ > > > > file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \ > > + file://CVE-2021-4008.patch \ > > " > > SRC_URI[sha256sum] = > > "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99" > > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#160247): > https://lists.openembedded.org/g/openembedded-core/message/160247 > Mute This Topic: https://lists.openembedded.org/mt/88254273/3616702 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-core/unsub [ > anuj.mittal@intel.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On 1/7/22 3:51 PM, Mittal, Anuj wrote: > On Fri, 2022-01-07 at 10:56 +0800, kai wrote: >> On 12/29/21 9:30 AM, kai wrote: >> >>> From: Kai Kang <kai.kang@windriver.com> >>> >>> Backport patch to fix CVE-2021-4008 for xserver-xorg. >>> >>> CVE: CVE-2021-4008 >> Ping. >> Kai >> > This is in this week's pull request and should get merged soon. Thanks. Kai > > Thanks, > > Anuj > >>> Signed-off-by: Kai Kang <kai.kang@windriver.com> >>> --- >>> .../xserver-xorg/CVE-2021-4008.patch | 59 >>> +++++++++++++++++++ >>> .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 + >>> 2 files changed, 60 insertions(+) >>> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver- >>> xorg/CVE-2021-4008.patch >>> >>> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE- >>> 2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver- >>> xorg/CVE-2021-4008.patch >>> new file mode 100644 >>> index 0000000000..3277be0185 >>> --- /dev/null >>> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021- >>> 4008.patch >>> @@ -0,0 +1,59 @@ >>> +Backport patch to fix CVE-2021-4008. >>> + >>> +CVE: CVE-2021-4008 >>> +Upstream-Status: Backport >>> [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2] >>> + >>> +Signed-off-by: Kai Kang <kai.kang@windriver.com> >>> + >>> +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 >>> 2001 >>> +From: Povilas Kanapickas <povilas@radix.lt> >>> +Date: Tue, 14 Dec 2021 15:00:03 +0200 >>> +Subject: [PATCH] render: Fix out of bounds access in >>> + SProcRenderCompositeGlyphs() >>> + >>> +ZDI-CAN-14192, CVE-2021-4008 >>> + >>> +This vulnerability was discovered and the fix was suggested by: >>> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative >>> + >>> +Signed-off-by: Povilas Kanapickas <povilas@radix.lt> >>> +--- >>> + render/render.c | 9 +++++++++ >>> + 1 file changed, 9 insertions(+) >>> + >>> +diff --git a/render/render.c b/render/render.c >>> +index c376090ca..456f156d4 100644 >>> +--- a/render/render.c >>> ++++ b/render/render.c >>> +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) >>> + >>> + i = elt->len; >>> + if (i == 0xff) { >>> ++ if (buffer + 4 > end) { >>> ++ return BadLength; >>> ++ } >>> + swapl((int *) buffer); >>> + buffer += 4; >>> + } >>> +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr >>> client) >>> + buffer += i; >>> + break; >>> + case 2: >>> ++ if (buffer + i * 2 > end) { >>> ++ return BadLength; >>> ++ } >>> + while (i--) { >>> + swaps((short *) buffer); >>> + buffer += 2; >>> + } >>> + break; >>> + case 4: >>> ++ if (buffer + i * 4 > end) { >>> ++ return BadLength; >>> ++ } >>> + while (i--) { >>> + swapl((int *) buffer); >>> + buffer += 4; >>> +-- >>> +GitLab >>> + >>> diff --git a/meta/recipes-graphics/xorg-xserver/xserver- >>> xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver- >>> xorg_1.20.10.bb >>> index e0551fa999..9a7aa1ed9a 100644 >>> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb >>> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb >>> @@ -9,6 +9,7 @@ SRC_URI += >>> "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.p >>> at >>> file://0001-Fix-segfault-on-probing-a-non-PCI-platform- >>> device-on.patch \ >>> file://CVE-2021-3472.patch \ >>> >>> file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \ >>> + file://CVE-2021-4008.patch \ >>> " >>> SRC_URI[sha256sum] = >>> "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99" >>> >>> >>> >>> >>> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#160247): >> https://lists.openembedded.org/g/openembedded-core/message/160247 >> Mute This Topic: https://lists.openembedded.org/mt/88254273/3616702 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: >> https://lists.openembedded.org/g/openembedded-core/unsub [ >> anuj.mittal@intel.com] >> -=-=-=-=-=-=-=-=-=-=-=- >>
From: Kai Kang <kai.kang@windriver.com> Kai Kang (4): xserver-xorg: fix CVE-2021-4008 xserver-xorg: fix CVE-2021-4009 xserver-xorg: fix CVE-2021-4010 xserver-xorg: fix CVE-2021-4011 .../xserver-xorg/CVE-2021-4008.patch | 59 +++++++++++++++++++ .../xserver-xorg/CVE-2021-4009.patch | 50 ++++++++++++++++ .../xserver-xorg/CVE-2021-4010.patch | 39 ++++++++++++ .../xserver-xorg/CVE-2021-4011.patch | 40 +++++++++++++ .../xorg-xserver/xserver-xorg_1.20.10.bb | 4 ++ 5 files changed, 192 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch