deleted file mode 100644
@@ -1,132 +0,0 @@
-From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Thu, 12 Nov 2020 19:15:07 +0100
-Subject: [PATCH] Check SetMap request length carefully.
-
-Avoid out of bounds memory accesses on too short request.
-
-ZDI-CAN 11572 / CVE-2020-14360
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
-CVE: CVE-2020-14360
-Signed-off-by: Armin Kuster <akuster@mvista.com>
----
- xkb/xkb.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 92 insertions(+)
-
-Index: xorg-server-1.20.8/xkb/xkb.c
-===================================================================
---- xorg-server-1.20.8.orig/xkb/xkb.c
-+++ xorg-server-1.20.8/xkb/xkb.c
-@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
- return (char *) wire;
- }
-
-+#define _add_check_len(new) \
-+ if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
-+ else len += new
-+
-+/**
-+ * Check the length of the SetMap request
-+ */
-+static int
-+_XkbSetMapCheckLength(xkbSetMapReq *req)
-+{
-+ size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
-+ xkbKeyTypeWireDesc *keytype;
-+ xkbSymMapWireDesc *symmap;
-+ BOOL preserve;
-+ int i, map_count, nSyms;
-+
-+ if (req_len < len)
-+ goto bad;
-+ /* types */
-+ if (req->present & XkbKeyTypesMask) {
-+ keytype = (xkbKeyTypeWireDesc *)(req + 1);
-+ for (i = 0; i < req->nTypes; i++) {
-+ _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
-+ if (req->flags & XkbSetMapResizeTypes) {
-+ _add_check_len(keytype->nMapEntries
-+ * sz_xkbKTSetMapEntryWireDesc);
-+ preserve = keytype->preserve;
-+ map_count = keytype->nMapEntries;
-+ if (preserve) {
-+ _add_check_len(map_count * sz_xkbModsWireDesc);
-+ }
-+ keytype += 1;
-+ keytype = (xkbKeyTypeWireDesc *)
-+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
-+ if (preserve)
-+ keytype = (xkbKeyTypeWireDesc *)
-+ ((xkbModsWireDesc *)keytype + map_count);
-+ }
-+ }
-+ }
-+ /* syms */
-+ if (req->present & XkbKeySymsMask) {
-+ symmap = (xkbSymMapWireDesc *)((char *)req + len);
-+ for (i = 0; i < req->nKeySyms; i++) {
-+ _add_check_len(sz_xkbSymMapWireDesc);
-+ nSyms = symmap->nSyms;
-+ _add_check_len(nSyms*sizeof(CARD32));
-+ symmap += 1;
-+ symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
-+ }
-+ }
-+ /* actions */
-+ if (req->present & XkbKeyActionsMask) {
-+ _add_check_len(req->totalActs * sz_xkbActionWireDesc
-+ + XkbPaddedSize(req->nKeyActs));
-+ }
-+ /* behaviours */
-+ if (req->present & XkbKeyBehaviorsMask) {
-+ _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
-+ }
-+ /* vmods */
-+ if (req->present & XkbVirtualModsMask) {
-+ _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
-+ }
-+ /* explicit */
-+ if (req->present & XkbExplicitComponentsMask) {
-+ /* two bytes per non-zero explicit componen */
-+ _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
-+ }
-+ /* modmap */
-+ if (req->present & XkbModifierMapMask) {
-+ /* two bytes per non-zero modmap component */
-+ _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
-+ }
-+ /* vmodmap */
-+ if (req->present & XkbVirtualModMapMask) {
-+ _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
-+ }
-+ if (len == req_len)
-+ return Success;
-+bad:
-+ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
-+ len, req_len);
-+ return BadLength;
-+}
-+
-+
- /**
- * Check if the given request can be applied to the given device but don't
- * actually do anything..
-@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client)
- CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
- CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask);
-
-+ /* first verify the request length carefully */
-+ rc = _XkbSetMapCheckLength(stuff);
-+ if (rc != Success)
-+ return rc;
-+
- tmp = (char *) &stuff[1];
-
- /* Check if we can to the SetMap on the requested device. If this
deleted file mode 100644
@@ -1,102 +0,0 @@
-From 87c64fc5b0db9f62f4e361444f4b60501ebf67b9 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Sun, 11 Oct 2020 17:05:09 +0200
-Subject: [PATCH] Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap
- overflows
-
-ZDI-CAN 11389 / CVE-2020-25712
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9
-CVE: CVE-2020-25712
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- xkb/xkb.c | 26 +++++++++++++++++++++++---
- 1 file changed, 23 insertions(+), 3 deletions(-)
-
-Index: xorg-server-1.20.8/xkb/xkb.c
-===================================================================
---- xorg-server-1.20.8.orig/xkb/xkb.c
-+++ xorg-server-1.20.8/xkb/xkb.c
-@@ -6625,7 +6625,9 @@ SetDeviceIndicators(char *wire,
- unsigned changed,
- int num,
- int *status_rtrn,
-- ClientPtr client, xkbExtensionDeviceNotify * ev)
-+ ClientPtr client,
-+ xkbExtensionDeviceNotify * ev,
-+ xkbSetDeviceInfoReq * stuff)
- {
- xkbDeviceLedsWireDesc *ledWire;
- int i;
-@@ -6646,6 +6648,11 @@ SetDeviceIndicators(char *wire,
- xkbIndicatorMapWireDesc *mapWire;
- XkbSrvLedInfoPtr sli;
-
-+ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
-+ *status_rtrn = BadLength;
-+ return (char *) ledWire;
-+ }
-+
- namec = mapc = statec = 0;
- sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
- XkbXI_IndicatorMapsMask);
-@@ -6664,6 +6671,10 @@ SetDeviceIndicators(char *wire,
- memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
- for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
- if (ledWire->namesPresent & bit) {
-+ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
-+ *status_rtrn = BadLength;
-+ return (char *) atomWire;
-+ }
- sli->names[n] = (Atom) *atomWire;
- if (sli->names[n] == None)
- ledWire->namesPresent &= ~bit;
-@@ -6681,6 +6692,10 @@ SetDeviceIndicators(char *wire,
- if (ledWire->mapsPresent) {
- for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
- if (ledWire->mapsPresent & bit) {
-+ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
-+ *status_rtrn = BadLength;
-+ return (char *) mapWire;
-+ }
- sli->maps[n].flags = mapWire->flags;
- sli->maps[n].which_groups = mapWire->whichGroups;
- sli->maps[n].groups = mapWire->groups;
-@@ -6760,7 +6775,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
- ed.deviceID = dev->id;
- wire = (char *) &stuff[1];
- if (stuff->change & XkbXI_ButtonActionsMask) {
-- int nBtns, sz, i;
-+ int nBtns, sz, i;
- XkbAction *acts;
- DeviceIntPtr kbd;
-
-@@ -6772,7 +6787,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
- return BadAlloc;
- dev->button->xkb_acts = acts;
- }
-+ if (stuff->firstBtn + stuff->nBtns > nBtns)
-+ return BadValue;
- sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
-+ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
-+ return BadLength;
- memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
- wire += sz;
- ed.reason |= XkbXI_ButtonActionsMask;
-@@ -6793,7 +6812,8 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
- int status = Success;
-
- wire = SetDeviceIndicators(wire, dev, stuff->change,
-- stuff->nDeviceLedFBs, &status, client, &ed);
-+ stuff->nDeviceLedFBs, &status, client, &ed,
-+ stuff);
- if (status != Success)
- return status;
- }
similarity index 84%
rename from meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.9.bb
rename to meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -5,11 +5,9 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-test-xtest-Initialize-array-with-braces.patch \
file://sdksyms-no-build-path.patch \
file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
- file://CVE-2020-14360.patch \
- file://CVE-2020-25712.patch \
"
-SRC_URI[md5sum] = "afcae2f46d47c33863cab7fd9db7279a"
-SRC_URI[sha256sum] = "e219f2e0dfe455467939149d7cd2ee53b79b512cc1d2094ae4f5c9ed9ccd3571"
+SRC_URI[md5sum] = "8cf8bd1f33e3736bc8dd279b20a32399"
+SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
CFLAGS += "-fcommon"
Remove CVE patches contained in this release. Stable branch update: bc111a2e6 (tag: xorg-server-1.20.10) xserver 1.20.10 06d1a032e Check SetMap request length carefully. 7ccb3b0ea Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows 440ed5948 present/wnmd: Translate update region to screen space 54f9af1c6 modesetting: keep going if a modeset fails on EnterVT bd0f53725 modesetting: check the kms state on EnterVT 5c400cae1 configure: Build hashtable for Xres and glvnd 253569a3d xwayland: Create an xwl_window for toplevel only 0811a9ff7 xwayland: non-rootless requires the wl_shell protocol b3ae038c3 glamor: Update pixmap's devKind when making it exportable d6c389cb8 os: Fix instruction pointer written in xorg_backtrace c3e4c1a0f present/wnmd: Execute copies at target_msc-1 already 96ef31e0f present/wnmd: Move up present_wnmd_queue_vblank 669e40390 present: Add present_vblank::exec_msc field dae234efd present: Move flip target_msc adjustment out of present_vblank_create 1930ed233 xwayland: Remove pending stream reference when freeing 1ac389dda xwayland: use drmGetNodeTypeFromFd for checking if a node is a render one d108c2c82 xwayland: Do not discard frame callbacks on allow commits 174cb91d8 present/wnmd: Remove dead check from present_wnmd_check_flip 51ee6e5ce xwayland: Check window pixmap in xwl_present_check_flip2 f4006d795 present/wnmd: Can't use page flipping for windows clipped by children 1e84fda20 xfree86: Take second reference for SavedCursor in xf86CursorSetCursor 8c3c8bda2 glamor: Fix glamor_poly_fill_rect_gl xRectangle::width/height handling b28c88288 include: Increase the number of max. input devices to 256. af4c84ce8 Revert "linux: Make platform device probe less fragile" 39cb95e95 Revert "linux: Fix platform device PCI detection for complex bus topologies" 4b6fce597 Revert "linux: Fix platform device probe for DT-based PCI" Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../xserver-xorg/CVE-2020-14360.patch | 132 ------------------ .../xserver-xorg/CVE-2020-25712.patch | 102 -------------- ...xorg_1.20.9.bb => xserver-xorg_1.20.10.bb} | 6 +- 3 files changed, 2 insertions(+), 238 deletions(-) delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_1.20.9.bb => xserver-xorg_1.20.10.bb} (84%)