From 4233aead9c392360c83f51f603d063302a872789 Mon Sep 17 00:00:00 2001 From: zhanzhimin Date: Thu, 3 Jun 2021 16:05:12 +0800 Subject: [PATCH] fix CVE-2021-3472 (cherry picked from commit c0945cd06c1a9721bf527941e668c568e04925fd) --- backport-CVE-2021-3472.patch | 36 ++++++++++++++++++++++++++++++++++++ xorg-x11-server.spec | 15 +++++++++++---- 2 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 backport-CVE-2021-3472.patch diff --git a/backport-CVE-2021-3472.patch b/backport-CVE-2021-3472.patch new file mode 100644 index 0000000..fd5bee9 --- /dev/null +++ b/backport-CVE-2021-3472.patch @@ -0,0 +1,36 @@ +From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Sun, 21 Mar 2021 18:38:57 +0100 +Subject: [PATCH] Fix XChangeFeedbackControl() request underflow + +CVE-2021-3472 / ZDI-CAN-1259 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb + +--- + Xi/chgfctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c +index 1de4da9..7a597e4 100644 +--- a/Xi/chgfctl.c ++++ b/Xi/chgfctl.c +@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client) + break; + case StringFeedbackClass: + { +- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); ++ xStringFeedbackCtl *f; + ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, ++ sizeof(xStringFeedbackCtl)); ++ f = ((xStringFeedbackCtl *) &stuff[1]); + if (client->swapped) { + if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) + return BadLength; +-- +2.23.0 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 14a4c8c..36c1f48 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.10 -Release: 1 +Release: 2 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -78,6 +78,7 @@ Patch0026: 0022-xwayland-Call-xwl_window_check_resolution_change_emu.patch Patch0027: 0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch Patch0029: xorg-s11-server-CVE-2018-20839.patch +Patch0030: backport-CVE-2021-3472.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -187,9 +188,9 @@ test `getminor extension` == %{extension_minor} %build -export LDFLAGS="$RPM_LD_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-ld" -export CXXFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-cc1" -export CFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-cc1" +export LDFLAGS="$RPM_LD_FLAGS -specs=/usr/lib/rpm/generic-hardened-ld" +export CXXFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/generic-hardened-cc1" +export CFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/generic-hardened-cc1" %ifnarch %{ix86} x86_64 %global no_int10 --disable-vbe --disable-int10-module @@ -320,6 +321,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_libdir}/xorg/protocol.txt %changelog +* Thu Jun 03 2021 zhanzhimin - 1.20.10-2 +- Type:CVE +- Id:CVE-2021-3472 +- SUG:NA +- DESC:fix CVE-2021-3472 + * Sat Jan 30 2021 jinzhimin - 1.20.10-1 - Upgrade to 1.20.10 -- Gitee