From: Kai <kai.kang@windriver.com>
To: openembedded-core@lists.openembedded.org
Cc: randy.macleod@windriver.com
Subject: Re: [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008
Date: Fri, 7 Jan 2022 10:56:15 +0800 [thread overview]
Message-ID: <46ba307e-dfba-4074-607f-a9b52bdeca06@windriver.com> (raw)
In-Reply-To: <16C515AB4535CCA0.27787@lists.openembedded.org>
[-- Attachment #1: Type: text/plain, Size: 3988 bytes --]
On 12/29/21 9:30 AM, kai wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Backport patch to fix CVE-2021-4008 for xserver-xorg.
>
> CVE: CVE-2021-4008
Ping.
Kai
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
> .../xserver-xorg/CVE-2021-4008.patch | 59 +++++++++++++++++++
> .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
> 2 files changed, 60 insertions(+)
> create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
> new file mode 100644
> index 0000000000..3277be0185
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
> @@ -0,0 +1,59 @@
> +Backport patch to fix CVE-2021-4008.
> +
> +CVE: CVE-2021-4008
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2]
> +
> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
> +
> +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001
> +From: Povilas Kanapickas <povilas@radix.lt>
> +Date: Tue, 14 Dec 2021 15:00:03 +0200
> +Subject: [PATCH] render: Fix out of bounds access in
> + SProcRenderCompositeGlyphs()
> +
> +ZDI-CAN-14192, CVE-2021-4008
> +
> +This vulnerability was discovered and the fix was suggested by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
> +---
> + render/render.c | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/render/render.c b/render/render.c
> +index c376090ca..456f156d4 100644
> +--- a/render/render.c
> ++++ b/render/render.c
> +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
> +
> + i = elt->len;
> + if (i == 0xff) {
> ++ if (buffer + 4 > end) {
> ++ return BadLength;
> ++ }
> + swapl((int *) buffer);
> + buffer += 4;
> + }
> +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
> + buffer += i;
> + break;
> + case 2:
> ++ if (buffer + i * 2 > end) {
> ++ return BadLength;
> ++ }
> + while (i--) {
> + swaps((short *) buffer);
> + buffer += 2;
> + }
> + break;
> + case 4:
> ++ if (buffer + i * 4 > end) {
> ++ return BadLength;
> ++ }
> + while (i--) {
> + swapl((int *) buffer);
> + buffer += 4;
> +--
> +GitLab
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> index e0551fa999..9a7aa1ed9a 100644
> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> @@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
> file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \
> file://CVE-2021-3472.patch \
> file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \
> + file://CVE-2021-4008.patch \
> "
> SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160043): https://lists.openembedded.org/g/openembedded-core/message/160043
> Mute This Topic: https://lists.openembedded.org/mt/88007524/3616933
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [kai.kang@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
Kai Kang
Wind River Linux
[-- Attachment #2: Type: text/html, Size: 5780 bytes --]
next prev parent reply other threads:[~2022-01-07 2:56 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-29 1:30 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 2/4] xserver-xorg: fix CVE-2021-4009 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 3/4] xserver-xorg: fix CVE-2021-4010 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 4/4] xserver-xorg: fix CVE-2021-4011 kai.kang
[not found] ` <16C515AB4535CCA0.27787@lists.openembedded.org>
2022-01-07 2:56 ` Kai [this message]
2022-01-07 7:51 ` [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 Mittal, Anuj
2022-01-07 7:56 ` Kai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46ba307e-dfba-4074-607f-a9b52bdeca06@windriver.com \
--to=kai.kang@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=randy.macleod@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox