diff --git a/0001-fix-CVE-2024-31080.patch b/0001-fix-CVE-2024-31080.patch new file mode 100644 index 0000000000000000000000000000000000000000..060d14c8bcef269515955590c19ac5b53b941741 --- /dev/null +++ b/0001-fix-CVE-2024-31080.patch @@ -0,0 +1,45 @@ +From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 28 Apr 2024 16:28:48 +0800 +Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to send reply +CVE-2024-31080 + +Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 +Fixes: 53e821ab + + ("Xi: add request processing for XIGetSelectedEvents.") +Signed-off-by: Alan Coopersmith +Part-of: +--- + Xi/xiselectev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c +index edcb8a0..ac14949 100644 +--- a/Xi/xiselectev.c ++++ b/Xi/xiselectev.c +@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) + InputClientsPtr others = NULL; + xXIEventMask *evmask = NULL; + DeviceIntPtr dev; ++ uint32_t length; + + REQUEST(xXIGetSelectedEventsReq); + REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); +@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) + } + } + ++ /* save the value before SRepXIGetSelectedEvents swaps it */ ++ length = reply.length; + WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); + + if (reply.num_masks) +- WriteToClient(client, reply.length * 4, buffer); ++ WriteToClient(client, length * 4, buffer); + + free(buffer); + return Success; +-- +2.27.0 + diff --git a/0002-fix-CVE-2024-31081.patch b/0002-fix-CVE-2024-31081.patch new file mode 100644 index 0000000000000000000000000000000000000000..151375a06a588f56f7d9e8e650483be92e10204f --- /dev/null +++ b/0002-fix-CVE-2024-31081.patch @@ -0,0 +1,43 @@ +From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 28 Apr 2024 16:35:36 +0800 +Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply +CVE-2024-31081 + +Fixes: d220d690 + + ("Xi: add GrabButton and GrabKeysym code.") +Signed-off-by: Alan Coopersmith +Part-of: +--- + Xi/xipassivegrab.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c +index 2769fb7..c925e3c 100644 +--- a/Xi/xipassivegrab.c ++++ b/Xi/xipassivegrab.c +@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client) + GrabParameters param; + void *tmp; + int mask_len; ++ uint32_t length; + + REQUEST(xXIPassiveGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, +@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client) + } + } + ++ /* save the value before SRepXIPassiveGrabDevice swaps it */ ++ length = rep.length; + WriteReplyToClient(client, sizeof(rep), &rep); + if (rep.num_modifiers) +- WriteToClient(client, rep.length * 4, modifiers_failed); ++ WriteToClient(client, length * 4, modifiers_failed); + + out: + free(modifiers_failed); +-- +2.27.0 + diff --git a/xorg-x11-server-xwayland.spec b/xorg-x11-server-xwayland.spec index 3715c046df7735dc69ea689a4897926094082ccb..e71d8fcd1b7c28189a117c53a96fcf5ad53e4951 100644 --- a/xorg-x11-server-xwayland.spec +++ b/xorg-x11-server-xwayland.spec @@ -4,11 +4,13 @@ Summary: Xwayland Name: xorg-x11-server-Xwayland Version: 22.1.2 -Release: 2 +Release: 3 License: MIT URL: http://www.x.org Source0: https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz +Patch1: 0001-fix-CVE-2024-31080.patch +Patch2: 0002-fix-CVE-2024-31081.patch Requires: xorg-x11-server-common Requires: libEGL @@ -77,7 +79,7 @@ The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland. %prep -%autosetup -n %{pkgname}-%{version} +%autosetup -n %{pkgname}-%{version} -p1 %build %meson \ @@ -109,6 +111,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb %{_libdir}/pkgconfig/xwayland.pc %changelog +* Sun Apr 28 2024 cenhuilin - 22.1.2-3 +- fix CVE-2024-31080 CVE-2024-31081 + * Fri Jun 24 2022 wangkerong - 22.1.2-2 - rename packagename