* [PATCH][dunfell 2/3] qemu: fix CVE-2020-14364 CVE-2020-14415
2020-09-08 13:07 [PATCH][dunfell 1/3] xserver-xorg: fix CVE-2020-14347 Lee Chee Yang
@ 2020-09-08 13:07 ` Lee Chee Yang
2020-09-08 13:07 ` [PATCH][dunfell 3/3] libx11 : fix CVE-2020-14344 Lee Chee Yang
1 sibling, 0 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-09-08 13:07 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2020-14364.patch | 93 +++++++++++++++++++
.../qemu/qemu/CVE-2020-14415.patch | 37 ++++++++
3 files changed, 132 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 49dbb1c13d..e0ea5ad477 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -45,6 +45,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-13800.patch \
file://CVE-2020-13362.patch \
file://CVE-2020-15863.patch \
+ file://CVE-2020-14364.patch \
+ file://CVE-2020-14415.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
new file mode 100644
index 0000000000..8333025a32
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
@@ -0,0 +1,93 @@
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
+CVE: CVE-2020-14364
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128..5234dcc 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch
new file mode 100644
index 0000000000..dca2f90a49
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14415.patch
@@ -0,0 +1,37 @@
+From 7a4ede0047a8613b0e3b72c9d351038f013dd357 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 20 Jan 2020 11:18:04 +0100
+Subject: [PATCH] audio/oss: fix buffer pos calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Fixes: 3ba4066d085f ("ossaudio: port to the new audio backend api")
+Reported-by: ziming zhang <ezrakiez@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20200120101804.29578-1-kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7a4ede0047a8613b0e3b72c9d351038f013dd357]
+CVE: CVE-2020-14415
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ audio/ossaudio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/audio/ossaudio.c b/audio/ossaudio.c
+index c43faee..9456491 100644
+--- a/audio/ossaudio.c
++++ b/audio/ossaudio.c
+@@ -420,7 +420,7 @@ static size_t oss_write(HWVoiceOut *hw, void *buf, size_t len)
+ size_t to_copy = MIN(len, hw->size_emul - hw->pos_emul);
+ memcpy(hw->buf_emul + hw->pos_emul, buf, to_copy);
+
+- hw->pos_emul = (hw->pos_emul + to_copy) % hw->pos_emul;
++ hw->pos_emul = (hw->pos_emul + to_copy) % hw->size_emul;
+ buf += to_copy;
+ len -= to_copy;
+ }
+--
+1.8.3.1
+
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH][dunfell 3/3] libx11 : fix CVE-2020-14344
2020-09-08 13:07 [PATCH][dunfell 1/3] xserver-xorg: fix CVE-2020-14347 Lee Chee Yang
2020-09-08 13:07 ` [PATCH][dunfell 2/3] qemu: fix CVE-2020-14364 CVE-2020-14415 Lee Chee Yang
@ 2020-09-08 13:07 ` Lee Chee Yang
1 sibling, 0 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-09-08 13:07 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
fix CVE-2020-14344 with squashed patch.
squashed patch include below patch,
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
also include fix to issue introduced in above patch
(388b303c62aa35a245f1704211a023440ad2c488)
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../xorg-lib/libx11/CVE-2020-14344.patch | 321 ++++++++++++++++++
.../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 4 +-
2 files changed, 324 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
new file mode 100644
index 0000000000..9d07202b06
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
@@ -0,0 +1,321 @@
+From f64388ed036b6668686ad5448bc7d4f73b35e1c7 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 24 Jul 2020 21:09:10 +0200
+Subject: [PATCH] Fix CVE-2020-14344
+
+This is a squashed of below commit:
+
+commit 1 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
+Change the data_len parameter of _XimAttributeToValue() to CARD16
+
+It's coming from a length in the protocol (unsigned) and passed
+to functions that expect unsigned int parameters (_XCopyToArg()
+and memcpy()).
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Todd Carson <toc@daybefore.net>
+
+commit 2 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+Zero out buffers in functions
+
+It looks like uninitialized stack or heap memory can leak
+out via padding bytes.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 3 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+Fix more unchecked lengths
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 4 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+fix integer overflows in _XimAttributeToValue()
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 5 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
+Fix size calculation in `_XimAttributeToValue`.
+
+The check here guards the read below.
+For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
+these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
+(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
+function and doesn't need to be checked.)
+
+The old code here used the native datatype size instead of the wire protocol size causing
+the check to always fail.
+
+Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
+despite the unused `CARD16` for `XimType_XIMStyles`.
+
+[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
+
+This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
+
+Fix #116
+
+Upstream-Status: Backport
+[ https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b ]
+CVE: CVE-2020-14344
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ modules/im/ximcp/imDefIc.c | 6 ++++--
+ modules/im/ximcp/imDefIm.c | 25 +++++++++++++++++--------
+ modules/im/ximcp/imRmAttr.c | 31 +++++++++++++++++++++++--------
+ 3 files changed, 44 insertions(+), 18 deletions(-)
+
+diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c
+index 7564dbad..d552aa9e 100644
+--- a/modules/im/ximcp/imDefIc.c
++++ b/modules/im/ximcp/imDefIc.c
+@@ -350,7 +350,7 @@ _XimProtoGetICValues(
+ + sizeof(INT16)
+ + XIM_PAD(2 + buf_size);
+
+- if (!(buf = Xmalloc(buf_size)))
++ if (!(buf = Xcalloc(buf_size, 1)))
+ return arg->name;
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+
+@@ -708,6 +708,7 @@ _XimProtoSetICValues(
+ #endif /* XIM_CONNECTABLE */
+
+ _XimGetCurrentICValues(ic, &ic_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE
+ + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
+@@ -730,7 +731,7 @@ _XimProtoSetICValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return tmp_name;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -740,6 +741,7 @@ _XimProtoSetICValues(
+ Xfree(buf);
+ return tmp_name;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
+index cf922e48..d0329b54 100644
+--- a/modules/im/ximcp/imDefIm.c
++++ b/modules/im/ximcp/imDefIm.c
+@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+
++#include <limits.h>
+
+ int
+ _XimCheckDataSize(
+@@ -807,12 +808,16 @@ _XimOpen(
+ int buf_size;
+ int ret_code;
+ char *locale_name;
++ size_t locale_len;
+
+ locale_name = im->private.proto.locale_name;
+- len = strlen(locale_name);
+- buf_b[0] = (BYTE)len; /* length of locale name */
+- (void)strcpy((char *)&buf_b[1], locale_name); /* locale name */
+- len += sizeof(BYTE); /* sizeof length */
++ locale_len = strlen(locale_name);
++ if (locale_len > UCHAR_MAX)
++ return False;
++ memset(buf32, 0, sizeof(buf32));
++ buf_b[0] = (BYTE)locale_len; /* length of locale name */
++ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */
++ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */
+ XIM_SET_PAD(buf_b, len); /* pad */
+
+ _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
+@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(
+ #endif /* XIM_CONNECTABLE */
+
+ _XimGetCurrentIMValues(im, &im_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+ data_len = BUFSIZE - buf_size;
+@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return arg->name;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(
+ Xfree(buf);
+ return arg->name;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(
+ + sizeof(INT16)
+ + XIM_PAD(buf_size);
+
+- if (!(buf = Xmalloc(buf_size)))
++ if (!(buf = Xcalloc(buf_size, 1)))
+ return arg->name;
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+
+@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(
+ + sizeof(CARD16)
+ + detail_len;
+
+- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
++ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+ goto free_detail_ptr;
+
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(
+ int ret_code;
+
+ _XimGetCurrentIMValues(im, &im_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+ data_len = BUFSIZE - buf_size;
+@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return False;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(
+ Xfree(buf);
+ return False;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index 9d4e4625..118f191d 100644
+--- a/modules/im/ximcp/imRmAttr.c
++++ b/modules/im/ximcp/imRmAttr.c
+@@ -29,6 +29,8 @@ PERFORMANCE OF THIS SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -214,7 +216,7 @@ _XimAttributeToValue(
+ Xic ic,
+ XIMResourceList res,
+ CARD16 *data,
+- INT16 data_len,
++ CARD16 data_len,
+ XPointer value,
+ BITMASK32 mode)
+ {
+@@ -250,18 +252,24 @@ _XimAttributeToValue(
+
+ case XimType_XIMStyles:
+ {
+- INT16 num = data[0];
++ CARD16 num = data[0];
+ register CARD32 *style_list = (CARD32 *)&data[2];
+ XIMStyle *style;
+ XIMStyles *rep;
+ register int i;
+ char *p;
+- int alloc_len;
++ unsigned int alloc_len;
+
+ if (!(value))
+ return False;
+
++ if (num > (USHRT_MAX / sizeof(XIMStyle)))
++ return False;
++ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
++ return False;
+ alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
++ if (alloc_len < sizeof(XIMStyles))
++ return False;
+ if (!(p = Xmalloc(alloc_len)))
+ return False;
+
+@@ -313,7 +321,7 @@ _XimAttributeToValue(
+
+ case XimType_XFontSet:
+ {
+- INT16 len = data[0];
++ CARD16 len = data[0];
+ char *base_name;
+ XFontSet rep = (XFontSet)NULL;
+ char **missing_list = NULL;
+@@ -324,11 +332,12 @@ _XimAttributeToValue(
+ return False;
+ if (!ic)
+ return False;
+-
++ if (len > data_len)
++ return False;
+ if (!(base_name = Xmalloc(len + 1)))
+ return False;
+
+- (void)strncpy(base_name, (char *)&data[1], (int)len);
++ (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+ base_name[len] = '\0';
+
+ if (mode & XIM_PREEDIT_ATTR) {
+@@ -357,19 +366,25 @@ _XimAttributeToValue(
+
+ case XimType_XIMHotKeyTriggers:
+ {
+- INT32 num = *((CARD32 *)data);
++ CARD32 num = *((CARD32 *)data);
+ register CARD32 *key_list = (CARD32 *)&data[2];
+ XIMHotKeyTrigger *key;
+ XIMHotKeyTriggers *rep;
+ register int i;
+ char *p;
+- int alloc_len;
++ unsigned int alloc_len;
+
+ if (!(value))
+ return False;
+
++ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
++ return False;
++ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
++ return False;
+ alloc_len = sizeof(XIMHotKeyTriggers)
+ + sizeof(XIMHotKeyTrigger) * num;
++ if (alloc_len < sizeof(XIMHotKeyTriggers))
++ return False;
+ if (!(p = Xmalloc(alloc_len)))
+ return False;
+
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index ff60a4240c..84e0e4457e 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -12,7 +12,9 @@ PE = "1"
SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
file://disable_tests.patch \
- file://libx11-whitespace.patch"
+ file://libx11-whitespace.patch \
+ file://CVE-2020-14344.patch \
+"
SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
SRC_URI[sha256sum] = "9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread