On 12/29/21 9:30 AM, kai wrote: > From: Kai Kang > > Backport patch to fix CVE-2021-4008 for xserver-xorg. > > CVE: CVE-2021-4008 Ping. Kai > > Signed-off-by: Kai Kang > --- > .../xserver-xorg/CVE-2021-4008.patch | 59 +++++++++++++++++++ > .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 + > 2 files changed, 60 insertions(+) > create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch > > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch > new file mode 100644 > index 0000000000..3277be0185 > --- /dev/null > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch 
> @@ -0,0 +1,59 @@ > +Backport patch to fix CVE-2021-4008. > + > +CVE: CVE-2021-4008 > +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2] > + > +Signed-off-by: Kai Kang > + > +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001 > +From: Povilas Kanapickas > +Date: Tue, 14 Dec 2021 15:00:03 +0200 > +Subject: [PATCH] render: Fix out of bounds access in > + SProcRenderCompositeGlyphs() > + > +ZDI-CAN-14192, CVE-2021-4008 > + > +This vulnerability was discovered and the fix was suggested by: > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative > + > +Signed-off-by: Povilas Kanapickas > +--- > + render/render.c | 9 +++++++++ > + 1 file changed, 9 insertions(+) > + > +diff --git a/render/render.c b/render/render.c > +index c376090ca..456f156d4 100644 > +--- a/render/render.c > ++++ b/render/render.c > +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) > + > + i = elt->len; > + if (i == 0xff) { > ++ if (buffer + 4 > end) { > ++ return BadLength; > ++ } > + swapl((int *) buffer); > + buffer += 4; > + } > +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) > + buffer += i; > + break; > + case 2: > ++ if (buffer + i * 2 > end) { > ++ return BadLength; > ++ } > + while (i--) { > + swaps((short *) buffer); > + buffer += 2; > + } > + break; > + case 4: > ++ if (buffer + i * 4 > end) { > ++ return BadLength; > ++ } > + while (i--) { > + swapl((int *) buffer); > + buffer += 4; > +-- > +GitLab > + > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb > index e0551fa999..9a7aa1ed9a 100644 > --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb 
> @@ -9,6 +9,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat > file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \ > file://CVE-2021-3472.patch \ > file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \ > + file://CVE-2021-4008.patch \ > " > SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99" > > > -- Kai Kang Wind River Linux
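Review bot: In the header of the new CVE-2021-4008.patch, the Upstream-Status URL ends in the abbreviated hash ebce7e2 while the From line directly below carries the full ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60. Using the full hash in the Backport URL keeps the reference unambiguous and lets anyone auditing CVE coverage match the two lines mechanically.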
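Review bot: The three new guards in the render.c hunks (`buffer + 4 > end`, `buffer + i * 2 > end`, `buffer + i * 4 > end`) form the advanced pointer first and compare afterwards, which is only well defined in C while the sum stays within one element past the end of the request buffer. Comparing the remaining length instead, for example `end - buffer < 4` and `end - buffer < i * 2`, gives the same result without relying on that. Since this is a verbatim backport it is reasonable to keep the upstream form here and raise the point upstream.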
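Review bot: In the second render.c hunk (@@ -2319,12 +2322,18 @@), `case 1` still does `buffer += i;` with no check, while `case 2` and `case 4` now return BadLength. Nothing is dereferenced in `case 1`, so there is no out-of-bounds swap at that point, but buffer can end up past end. Please confirm that the enclosing loop condition, which is not visible in this hunk, rejects that state before the next element header is read, and consider noting that in the commit message so the asymmetry is not mistaken for a missed case.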