Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [git commit] package/x11r7/xserver_xorg-server: security bump to version 21.1.10
@ 2024-01-01 20:37 Thomas Petazzoni via buildroot
  2024-01-10 20:03 ` Peter Korsgaard
  0 siblings, 1 reply; 2+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-01-01 20:37 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=9b62f5905e9f9d47363983a5bd7ef8672b21cca6
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Fixes the following security issues:

1) CVE-2023-6377: X.Org server: Out-of-bounds memory write in XKB button actions

A device has XKB button actions for each button on the device.  When a
logical device switch happens (e.g.  moving from a touchpad to a mouse), the
server re-calculates the information available on the respective master
device (typically the Virtual Core Pointer).  This re-calculation only
allocated enough memory for a single XKB action rather instead of enough for
the newly active physical device's number of button.  As a result, querying
or changing the XKB button actions results in out-of-bounds memory reads and
writes.

This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).

2) CVE-2023-6478: X.Org server: Out-of-bounds memory read in
RRChangeOutputProperty and RRChangeProviderProperty

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer.  With
the correct stuff->nUnits value the expected request size was truncated,
passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it finds
into the property.  In the process it would also allocate at least
stuff->nUnits bytes, i.e.  4GB.

See also CVE-2022-46344 where this issue was fixed for other requests.

For more details, see the advisory:
https://lists.x.org/archives/xorg-announce/2023-December/003435.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/x11r7/xserver_xorg-server/xserver_xorg-server.hash | 6 +++---
 package/x11r7/xserver_xorg-server/xserver_xorg-server.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash b/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash
index ccd7cc74fa..de93b11927 100644
--- a/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash
+++ b/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash
@@ -1,5 +1,5 @@
-# From https://lists.x.org/archives/xorg-announce/2023-October/003431.html
-sha256  ff697be2011b4c4966b7806929e51b7a08e9d33800d505305d26d9ccde4b533a  xorg-server-21.1.9.tar.xz
-sha512  9044e1b9222616fb63aea444b75f4ca6582edb7d899018f8ea30359e57edf04b1555e69397ebc4d288f7e36d6b82a54dde3895f11d414573d229e908ac17bfe8  xorg-server-21.1.9.tar.xz
+# From https://lists.x.org/archives/xorg-announce/2023-December/003436.html
+sha256  ceb0b3a2efc57ac3ccf388d3dc88b97615068639fb284d469689ae3d105611d0  xorg-server-21.1.10.tar.xz
+sha512  8135d9b7c0c71f427ba0a3b80741fee4f6ae195779399b73261a00858882f3516e367a08e2da1403734b04eacabae9aa231e5375eff23b57a3ff764e9caf8926  xorg-server-21.1.10.tar.xz
 # Locally calculated
 sha256  4cc0447a22635c7b2f1a93fec4aa94f1970fadeb72a063de006b51cf4963a06f  COPYING
diff --git a/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk b/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk
index cf0e688c36..4ac4283e4b 100644
--- a/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk
+++ b/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-XSERVER_XORG_SERVER_VERSION = 21.1.9
+XSERVER_XORG_SERVER_VERSION = 21.1.10
 XSERVER_XORG_SERVER_SOURCE = xorg-server-$(XSERVER_XORG_SERVER_VERSION).tar.xz
 XSERVER_XORG_SERVER_SITE = https://xorg.freedesktop.org/archive/individual/xserver
 XSERVER_XORG_SERVER_LICENSE = MIT
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [Buildroot] [git commit] package/x11r7/xserver_xorg-server: security bump to version 21.1.10
  2024-01-01 20:37 [Buildroot] [git commit] package/x11r7/xserver_xorg-server: security bump to version 21.1.10 Thomas Petazzoni via buildroot
@ 2024-01-10 20:03 ` Peter Korsgaard
  0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2024-01-10 20:03 UTC (permalink / raw)
  To: Thomas Petazzoni via buildroot; +Cc: Thomas Petazzoni

>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > commit: https://git.buildroot.net/buildroot/commit/?id=9b62f5905e9f9d47363983a5bd7ef8672b21cca6
 > branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

 > Fixes the following security issues:

 > 1) CVE-2023-6377: X.Org server: Out-of-bounds memory write in XKB button actions

 > A device has XKB button actions for each button on the device.  When a
 > logical device switch happens (e.g.  moving from a touchpad to a mouse), the
 > server re-calculates the information available on the respective master
 > device (typically the Virtual Core Pointer).  This re-calculation only
 > allocated enough memory for a single XKB action rather instead of enough for
 > the newly active physical device's number of button.  As a result, querying
 > or changing the XKB button actions results in out-of-bounds memory reads and
 > writes.

 > This may lead to local privilege escalation if the server is run as root or
 > remote code execution (e.g. x11 over ssh).

 > 2) CVE-2023-6478: X.Org server: Out-of-bounds memory read in
 > RRChangeOutputProperty and RRChangeProviderProperty

 > This fixes an OOB read and the resulting information disclosure.

 > Length calculation for the request was clipped to a 32-bit integer.  With
 > the correct stuff->nUnits value the expected request size was truncated,
 > passing the REQUEST_FIXED_SIZE check.

 > The server then proceeded with reading at least stuff->nUnits bytes
 > (depending on stuff->format) from the request and stuffing whatever it finds
 > into the property.  In the process it would also allocate at least
 >stuff-> nUnits bytes, i.e.  4GB.

 > See also CVE-2022-46344 where this issue was fixed for other requests.

 > For more details, see the advisory:
 > https://lists.x.org/archives/xorg-announce/2023-December/003435.html

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-01-10 20:03 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-01 20:37 [Buildroot] [git commit] package/x11r7/xserver_xorg-server: security bump to version 21.1.10 Thomas Petazzoni via buildroot
2024-01-10 20:03 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox