Fix CVE-2024-9632 for xorg-x11-server-Xwayland #11094

Merged
merged 3 commits into from
Nov 22, 2024
54 changes: 54 additions & 0 deletions SPECS/xorg-x11-server-Xwayland/CVE-2024-9632.patch
@@ -0,0 +1,54 @@
From 85b776571487f52e756f68a069c768757369bfe3 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Thu, 10 Oct 2024 10:37:28 +0200
Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.

However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.

This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).

CVE-2024-9632, ZDI-CAN-24756

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733>
---
xkb/xkb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index 868d7c1e64..aaf9716b36 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
XkbSymInterpretPtr sym;
unsigned int skipped = 0;

- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
- compat->num_si = req->firstSI + req->nSI;
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
compat->sym_interpret = reallocarray(compat->sym_interpret,
- compat->num_si,
+ compat->size_si,
sizeof(XkbSymInterpretRec));
if (!compat->sym_interpret) {
- compat->num_si = 0;
+ compat->num_si = compat->size_si = 0;
return BadAlloc;
}
}
--
GitLab
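Review bot: In the `_XkbSetCompatMap()` change, the guard now reads `(req->firstSI + req->nSI) > compat->size_si`, so a request that ends above `num_si` but within `size_si` skips this block, and nothing in the visible lines raises `num_si` for that case. Please confirm that the code following this block updates `num_si` when the buffer is already large enough, so that the entries written from `req->firstSI` onward are counted. Separately, `compat->sym_interpret = reallocarray(compat->sym_interpret, ...)` overwrites the only pointer to the old buffer, so the `BadAlloc` path leaks it; assigning to a temporary first would avoid that, though since this patch is carried from the upstream merge request that change is better raised there than made locally.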
Expand Up @@ -11,7 +11,7 @@ Distribution: Azure Linux
Summary: Xwayland
Name: xorg-x11-server-Xwayland
Version: 24.1.1
Release: 2%{?dist}
Release: 3%{?dist}

License: MIT
URL: http://www.x.org
Expand All @@ -20,6 +20,7 @@ Source0: https://gitlab.freedesktop.org/xorg/%{pkgname}/-/archive/%{commit
%else
Source0: https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz
%endif
Patch0001: CVE-2024-9632.patch

Requires: xkeyboard-config
Requires: xkbcomp
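Review bot: `Patch0001: CVE-2024-9632.patch` is declared here, but no line in this diff shows the patch being applied in `%prep`. Please confirm the spec applies patches automatically (for example through `%autosetup -p1`, since the patch uses `a/xkb/xkb.c` and `b/xkb/xkb.c` paths) or add the matching `%patch` line; otherwise the package is rebuilt with the new release number but without the fix.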
Expand All @@ -29,6 +30,7 @@ Requires: libepoxy >= 1.5.5
BuildRequires: gcc
BuildRequires: git-core
BuildRequires: meson
BuildRequires: systemd-devel

BuildRequires: wayland-devel
BuildRequires: desktop-file-utils
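Review bot: `BuildRequires: systemd-devel` is unrelated to the `_XkbSetCompatMap()` fix, and nothing in the diff says which build step needs it. Please state the reason in the changelog entry or the commit message (for instance, the build failure it resolves), so the security backport stays easy to audit and the dependency can be revisited later.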
Expand Down Expand Up @@ -136,6 +138,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
%{_libdir}/pkgconfig/xwayland.pc

%changelog
* Thu Nov 14 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 24.1.1-3
- Fix for CVE-2024-9632
- Added systemd-devel build requires dependency

* Wed Jul 10 2024 Hideyuki Nagase <hideyukn@microsoft.com> - 24.1.1-2
- Initial CBL-Mariner import from Fedora 41 (license: MIT).
- License verified.