From 11c1c3913261e0ab06cea83456c0a689f1dcd27c Mon Sep 17 00:00:00 2001
From: cenhuilin
Date: Sun, 28 Apr 2024 16:20:33 +0800
Subject: [PATCH] fix CVE-2024-31080 and CVE-2024-31081
---
0001-fix-CVE-2024-31080.patch | 45 +++++++++++++++++++++++++++++++++++
0002-fix-CVE-2024-31081.patch | 43 +++++++++++++++++++++++++++++++++
xorg-x11-server-xwayland.spec | 9 +++++--
3 files changed, 95 insertions(+), 2 deletions(-)
create mode 100644 0001-fix-CVE-2024-31080.patch
create mode 100644 0002-fix-CVE-2024-31081.patch
diff --git a/0001-fix-CVE-2024-31080.patch b/0001-fix-CVE-2024-31080.patch
new file mode 100644
index 0000000..4a0e47b
--- /dev/null
+++ b/0001-fix-CVE-2024-31080.patch
@@ -0,0 +1,45 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sun, 28 Apr 2024 15:25:15 +0800
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to send reply
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab
+
+ ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith
+Part-of:
+---
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0..ac14949 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ InputClientsPtr others = NULL;
+ xXIEventMask *evmask = NULL;
+ DeviceIntPtr dev;
++ uint32_t length;
+
+ REQUEST(xXIGetSelectedEventsReq);
+ REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIGetSelectedEvents swaps it */
++ length = reply.length;
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (reply.num_masks)
+- WriteToClient(client, reply.length * 4, buffer);
++ WriteToClient(client, length * 4, buffer);
+
+ free(buffer);
+ return Success;
+--
+2.27.0
+
diff --git a/0002-fix-CVE-2024-31081.patch b/0002-fix-CVE-2024-31081.patch
new file mode 100644
index 0000000..431626c
--- /dev/null
+++ b/0002-fix-CVE-2024-31081.patch
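Review bot: In the patched ProcXIGetSelectedEvents, the guard `if (reply.num_masks)` still reads a field of `reply` after WriteReplyToClient has run, which is the same read-after-swap pattern this fix removes for `reply.length`. If the swap routine named in the new comment also byte-swaps `num_masks` (not visible here), the test stays correct only because a non-zero value remains non-zero when its bytes are swapped. A comment on the guard such as `/* num_masks may already be swapped; only its zero/non-zero state is used */` would stop a later change from using its value for sizing. The same applies to `if (rep.num_modifiers)` in the ProcXIPassiveGrabDevice hunk of 0002-fix-CVE-2024-31081.patch. Both function bodies start and end outside their hunks.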
@@ -0,0 +1,43 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sun, 28 Apr 2024 15:35:19 +0800
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply
+CVE-2024-31081
+
+Fixes: d220d690
+
+ ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith
+Part-of:
+---
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8..896233b 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ GrabParameters param;
+ void *tmp;
+ int mask_len;
++ uint32_t length;
+
+ REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIPassiveGrabDevice swaps it */
++ length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (rep.num_modifiers)
+- WriteToClient(client, rep.length * 4, modifiers_failed);
++ WriteToClient(client, length * 4, modifiers_failed);
+
+ out:
+ free(modifiers_failed);
+--
+2.27.0
+
diff --git a/xorg-x11-server-xwayland.spec b/xorg-x11-server-xwayland.spec
index 79d983d..c830d35 100644
--- a/xorg-x11-server-xwayland.spec
+++ b/xorg-x11-server-xwayland.spec
@@ -4,11 +4,13 @@ Summary: Xwayland Name: xorg-x11-server-Xwayland Version: 23.2.4 -Release: 1 +Release: 2 License: MIT URL: http://www.x.org Source0: https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz +Patch1: 0001-fix-CVE-2024-31080.patch +Patch2: 0002-fix-CVE-2024-31081.patch Requires: xorg-x11-server-common Requires: libEGL
@@ -77,7 +79,7 @@ The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland. %prep -%autosetup -n %{pkgname}-%{version} +%autosetup -n %{pkgname}-%{version} -p1 %build %meson \
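Review bot: Nothing in the spec records where Patch1 and Patch2 come from, and both embedded patch headers are dated 28 Apr 2024 +0800, within an hour of this packaging commit, so they look regenerated locally rather than exported unchanged from upstream. A comment above each Patch line, for example `# Upstream commit: <UPSTREAM_COMMIT_URL>`, would let a later audit compare the backport with the original fix. It is also worth checking the `Fixes:` trailer in both patch files, which is split across three lines and so no longer reads as a single trailer.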
@@ -110,6 +112,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb %{_libdir}/pkgconfig/xwayland.pc %changelog +* Sun Apr 28 2024 cenhuilin - 23.2.4-2 +- fix CVE-2024-31080 CVE-2024-31081 + * Fri Mar 01 2024 liweigang - 23.2.4-1 - update to version 23.2.4 -- Gitee