From: "Mittal, Anuj" <anuj.mittal@intel.com>
To: "kai.kang@windriver.com" <kai.kang@windriver.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Cc: "randy.macleod@windriver.com" <randy.macleod@windriver.com>
Subject: Re: [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008
Date: Fri, 7 Jan 2022 07:51:29 +0000 [thread overview]
Message-ID: <b24158607b47366ba037eeb9a43865956ed9c6ed.camel@intel.com> (raw)
In-Reply-To: <46ba307e-dfba-4074-607f-a9b52bdeca06@windriver.com>
On Fri, 2022-01-07 at 10:56 +0800, kai wrote:
> On 12/29/21 9:30 AM, kai wrote:
>
> > From: Kai Kang <kai.kang@windriver.com>
> >
> > Backport patch to fix CVE-2021-4008 for xserver-xorg.
> >
> > CVE: CVE-2021-4008
> Ping.
> Kai
>
This is in this week's pull request and should get merged soon.
Thanks,
Anuj
> >
> > Signed-off-by: Kai Kang <kai.kang@windriver.com>
> > ---
> > .../xserver-xorg/CVE-2021-4008.patch | 59
> > +++++++++++++++++++
> > .../xorg-xserver/xserver-xorg_1.20.10.bb | 1 +
> > 2 files changed, 60 insertions(+)
> > create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-
> > xorg/CVE-2021-4008.patch
> >
> > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-
> > 2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-
> > xorg/CVE-2021-4008.patch
> > new file mode 100644
> > index 0000000000..3277be0185
> > --- /dev/null
> > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-
> > 4008.patch
> > @@ -0,0 +1,59 @@
> > +Backport patch to fix CVE-2021-4008.
> > +
> > +CVE: CVE-2021-4008
> > +Upstream-Status: Backport
> > [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2]
> > +
> > +Signed-off-by: Kai Kang <kai.kang@windriver.com>
> > +
> > +From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00
> > 2001
> > +From: Povilas Kanapickas <povilas@radix.lt>
> > +Date: Tue, 14 Dec 2021 15:00:03 +0200
> > +Subject: [PATCH] render: Fix out of bounds access in
> > + SProcRenderCompositeGlyphs()
> > +
> > +ZDI-CAN-14192, CVE-2021-4008
> > +
> > +This vulnerability was discovered and the fix was suggested by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
> > +---
> > + render/render.c | 9 +++++++++
> > + 1 file changed, 9 insertions(+)
> > +
> > +diff --git a/render/render.c b/render/render.c
> > +index c376090ca..456f156d4 100644
> > +--- a/render/render.c
> > ++++ b/render/render.c
> > +@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
> > +
> > + i = elt->len;
> > + if (i == 0xff) {
> > ++ if (buffer + 4 > end) {
> > ++ return BadLength;
> > ++ }
> > + swapl((int *) buffer);
> > + buffer += 4;
> > + }
> > +@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr
> > client)
> > + buffer += i;
> > + break;
> > + case 2:
> > ++ if (buffer + i * 2 > end) {
> > ++ return BadLength;
> > ++ }
> > + while (i--) {
> > + swaps((short *) buffer);
> > + buffer += 2;
> > + }
> > + break;
> > + case 4:
> > ++ if (buffer + i * 4 > end) {
> > ++ return BadLength;
> > ++ }
> > + while (i--) {
> > + swapl((int *) buffer);
> > + buffer += 4;
> > +--
> > +GitLab
> > +
> > diff --git a/meta/recipes-graphics/xorg-xserver/xserver-
> > xorg_1.20.10.bb b/meta/recipes-graphics/xorg-xserver/xserver-
> > xorg_1.20.10.bb
> > index e0551fa999..9a7aa1ed9a 100644
> > --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
> > @@ -9,6 +9,7 @@ SRC_URI +=
> > "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.p
> > at
> > file://0001-Fix-segfault-on-probing-a-non-PCI-platform-
> > device-on.patch \
> > file://CVE-2021-3472.patch \
> >
> > file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \
> > + file://CVE-2021-4008.patch \
> > "
> > SRC_URI[sha256sum] =
> > "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
> >
> >
> >
> >
> >
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160247):
> https://lists.openembedded.org/g/openembedded-core/message/160247
> Mute This Topic: https://lists.openembedded.org/mt/88254273/3616702
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [
> anuj.mittal@intel.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
next prev parent reply other threads:[~2022-01-07 7:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-29 1:30 [hardknott][PATCH 0/4] Fix CVEs of xserver-xorg kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 2/4] xserver-xorg: fix CVE-2021-4009 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 3/4] xserver-xorg: fix CVE-2021-4010 kai.kang
2021-12-29 1:30 ` [hardknott][PATCH 4/4] xserver-xorg: fix CVE-2021-4011 kai.kang
[not found] ` <16C515AB4535CCA0.27787@lists.openembedded.org>
2022-01-07 2:56 ` [OE-core] [hardknott][PATCH 1/4] xserver-xorg: fix CVE-2021-4008 Kai
2022-01-07 7:51 ` Mittal, Anuj [this message]
2022-01-07 7:56 ` Kai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b24158607b47366ba037eeb9a43865956ed9c6ed.camel@intel.com \
--to=anuj.mittal@intel.com \
--cc=kai.kang@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=randy.macleod@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox