diff --git a/backport-0001-CVE-2022-3555.patch b/backport-0001-CVE-2022-3555.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bff3fdf876614995d2524ce7e5ece03f77d8a5ae
--- /dev/null
+++ b/backport-0001-CVE-2022-3555.patch
@@ -0,0 +1,37 @@
+From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
+From: Hodong
+Date: Thu, 20 Jan 2022 00:57:41 +0900
+Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
+
+Even when XCloseDisplay() was called, some memory was leaked.
+
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+
+Signed-off-by: Hodong
+
+Conflict:NA
+Reference:https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8a368d808fec166b5fb3dfe6312aab22c7ee20af
+---
+ src/xcb_disp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 70a602f4..e9becee3 100644
+--- a/src/xcb_disp.c
++++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+ dpy->xcb->pending_requests = tmp->next;
+ free(tmp);
+ }
++ xcondition_clear(dpy->xcb->event_notify);
++ xcondition_clear(dpy->xcb->reply_notify);
+ xcondition_free(dpy->xcb->event_notify);
+ xcondition_free(dpy->xcb->reply_notify);
+ Xfree(dpy->xcb);
+--
+2.27.0
+
diff --git a/backport-0002-CVE-2022-3555.patch b/backport-0002-CVE-2022-3555.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2149df68d66495b9285949386fe28caf2e627d0d
--- /dev/null
+++ b/backport-0002-CVE-2022-3555.patch
@@ -0,0 +1,37 @@
+From 76d1cc3c1ce943c6ff81dc8c62a1d1b30fabf02e Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Sun, 3 Apr 2022 14:23:36 +0100
+Subject: Don't try to destroy NULL condition variables
+
+This avoids a segfault during error-unwinding if an invalid display name
+is passed to XOpenDisplay().
+
+Fixes: 8a368d80 "Fix two memory leaks in _XFreeX11XCBStructure()"
+Resolves: #155
+Signed-off-by: Simon McVittie
+
+Conflict:NA
+Reference:https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=76d1cc3c1ce943c6ff81dc8c62a1d1b30fabf02e
+---
+ src/xcb_disp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index e9becee3..63e344af 100644
+--- a/src/xcb_disp.c
++++ b/src/xcb_disp.c
+@@ -102,8 +102,10 @@ void _XFreeX11XCBStructure(Display *dpy)
+ dpy->xcb->pending_requests = tmp->next;
+ free(tmp);
+ }
+- xcondition_clear(dpy->xcb->event_notify);
+- xcondition_clear(dpy->xcb->reply_notify);
++ if (dpy->xcb->event_notify)
++ xcondition_clear(dpy->xcb->event_notify);
++ if (dpy->xcb->reply_notify)
++ xcondition_clear(dpy->xcb->reply_notify);
+ xcondition_free(dpy->xcb->event_notify);
+ xcondition_free(dpy->xcb->reply_notify);
+ Xfree(dpy->xcb);
+--
+cgit v1.2.1
diff --git a/backport-CVE-2022-3554.patch b/backport-CVE-2022-3554.patch
new file mode 100644
index 0000000000000000000000000000000000000000..624082867b241314b4d22bda6b200e831754e63f
--- /dev/null
+++ b/backport-CVE-2022-3554.patch
@@ -0,0 +1,56 @@
+From 1d11822601fd24a396b354fa616b04ed3df8b4ef Mon Sep 17 00:00:00 2001
+From: "Thomas E. Dickey"
+Date: Tue, 4 Oct 2022 18:26:17 -0400
+Subject: [PATCH] fix a memory leak in XRegisterIMInstantiateCallback
+
+Analysis:
+
+ _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
+ the internal function pointers, but the internal close function does
+ not free the pointer to the XIM (this would be done in XCloseIM()).
+
+Report/patch:
+
+ Date: Mon, 03 Oct 2022 18:47:32 +0800
+ From: Po Lu
+ To: xorg-devel@lists.x.org
+ Subject: Re: Yet another leak in Xlib
+
+ For reference, here's how I'm calling XRegisterIMInstantiateCallback:
+
+ XSetLocaleModifiers ("");
+ XRegisterIMInstantiateCallback (compositor.display,
+ XrmGetDatabase (compositor.display),
+ (char *) compositor.resource_name,
+ (char *) compositor.app_name,
+ IMInstantiateCallback, NULL);
+
+ and XMODIFIERS is:
+
+ @im=ibus
+
+Signed-off-by: Thomas E. Dickey
+
+Conflict:NA
+Reference:https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=1d11822601fd24a396b354fa616b04ed3df8b4ef
+---
+ modules/im/ximcp/imInsClbk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
+index 95b379cb..c10e347f 100644
+--- a/modules/im/ximcp/imInsClbk.c
++++ b/modules/im/ximcp/imInsClbk.c
+@@ -212,6 +212,9 @@ _XimRegisterIMInstantiateCallback(
+ if( xim ) {
+ lock = True;
+ xim->methods->close( (XIM)xim );
++ /* XIMs must be freed manually after being opened; close just
++ does the protocol to deinitialize the IM. */
++ XFree( xim );
+ lock = False;
+ icb->call = True;
+ callback( display, client_data, NULL );
+--
+2.27.0
+
diff --git a/libX11.spec b/libX11.spec
index a0c2cac12b6f8d72e1fa62afdc9ee178a70de0c8..39e15e5edf02a24d9e6f918599485f42a330398f 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -1,6 +1,6 @@
 Name: libX11
 Version: 1.7.2
-Release: 3
+Release: 4
 Summary: Core X11 protocol client library
 License: MIT
 URL: http://www.x.org
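Review bot: In backport-CVE-2022-3554.patch, the added `XFree( xim );` is only safe if no `close` method reachable through `xim->methods->close( (XIM)xim )` already releases the XIM structure; that call is an indirect, per-implementation dispatch, and if one does release it this turns the leak fix into a double free. The upstream commit is dated October 2022 while this package is at 1.7.2, so it was presumably written against a newer tree, and "Conflict:NA" only shows that it applies textually; the close implementations in the 1.7.2 sources should be checked before relying on it. `xim` also stays in scope as a dangling pointer after the free, so adding `xim = NULL;` right after `XFree( xim );` would turn any later use into an immediate NULL dereference instead of a silent use-after-free. The body of _XimRegisterIMInstantiateCallback starts and ends outside the hunk, so whether `xim` is read again further down cannot be confirmed from here.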
@@ -8,6 +8,9 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}. Patch1: dont-forward-keycode-0.patch Patch2: backport-makekeys-handle-the-new-EVDEVK-xorgproto-symbols.patch +Patch6001: backport-CVE-2022-3554.patch +Patch6002: backport-0001-CVE-2022-3555.patch +Patch6003: backport-0002-CVE-2022-3555.patch BuildRequires: xorg-x11-util-macros >= 1.11 xorg-x11-proto-devel perl-Pod-Usage libXau-devel BuildRequires: libxcb-devel >= 1.2 libXdmcp-devel xorg-x11-xtrans-devel >= 1.0.3-4 @@ -74,6 +77,9 @@ make %{?_smp_mflags} check %{_mandir}/*/* %changelog +* Mon Oct 24 2022 zhouwenpei - 1.7.2-4 +- fix CVE-2022-3554,CVE-2022-3555 + * Tue Jun 21 2022 wangkerong - 1.7.2-3 - fix error from unkown X86FMacroxx keysym