From b2979b5c2e8fbfbbe947e86167c06ce842267120 Mon Sep 17 00:00:00 2001 From: baiguo Date: Fri, 22 Jul 2022 14:01:26 +0800 Subject: [PATCH] fix CVE-2022-2319 --- backport-CVE-2022-2319.patch | 74 ++++++++++++++++++++++++++++++++++++ xorg-x11-server.spec | 7 +++- 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-2319.patch diff --git a/backport-CVE-2022-2319.patch b/backport-CVE-2022-2319.patch new file mode 100644 index 0000000..961be09 --- /dev/null +++ b/backport-CVE-2022-2319.patch @@ -0,0 +1,74 @@ +From 1a92545840c5d6bcad732ad82b3a63e65ebd6720 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Fri, 22 Jul 2022 13:58:27 +0800 +Subject: [PATCH] xkb: switch to array index loops to moving pointers Most + similar loops here use a pointer that advances with each loop iteration, + let's do the same here for consistency. + +No functional changes. + +Signed-off-by: Peter Hutterer +Reviewed-by: Olivier Fourdan +--- + xkb/xkb.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 68c59df..d4a4fa9 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5369,16 +5369,16 @@ _CheckSetSections(XkbGeometryPtr geom, + row->left = rWire->left; + row->vertical = rWire->vertical; + kWire = (xkbKeyWireDesc *) &rWire[1]; +- for (k = 0; k < rWire->nKeys; k++) { ++ for (k = 0; k < rWire->nKeys; k++, kWire++) { + XkbKeyPtr key; + + key = XkbAddGeomKey(row); + if (!key) + return BadAlloc; +- memcpy(key->name.name, kWire[k].name, XkbKeyNameLength); +- key->gap = kWire[k].gap; +- key->shape_ndx = kWire[k].shapeNdx; +- key->color_ndx = kWire[k].colorNdx; ++ memcpy(key->name.name, kWire->name, XkbKeyNameLength); ++ key->gap = kWire->gap; ++ key->shape_ndx = kWire->shapeNdx; ++ key->color_ndx = kWire->colorNdx; + if (key->shape_ndx >= geom->num_shapes) { + client->errorValue = _XkbErrCode3(0x10, key->shape_ndx, + geom->num_shapes); +@@ -5390,7 +5390,7 @@ _CheckSetSections(XkbGeometryPtr geom, + return BadMatch; + } + } +- rWire = (xkbRowWireDesc *) &kWire[rWire->nKeys]; ++ rWire = (xkbRowWireDesc *)kWire; + } + wire = (char *) rWire; + if (sWire->nDoodads > 0) { +@@ -5455,16 +5455,16 @@ _CheckSetShapes(XkbGeometryPtr geom, + return BadAlloc; + ol->corner_radius = olWire->cornerRadius; + ptWire = (xkbPointWireDesc *) &olWire[1]; +- for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++) { +- pt->x = ptWire[p].x; +- pt->y = ptWire[p].y; ++ for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) { ++ pt->x = ptWire->x; ++ pt->y = ptWire->y; + if (client->swapped) { + swaps(&pt->x); + swaps(&pt->y); + } + } + ol->num_points = olWire->nPoints; +- olWire = (xkbOutlineWireDesc *) (&ptWire[olWire->nPoints]); ++ olWire = (xkbOutlineWireDesc *)ptWire; + } + if (shapeWire->primaryNdx != XkbNoShape) + shape->primary = &shape->outlines[shapeWire->primaryNdx]; +-- +2.33.0 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index d117623..e551416 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 7 +Release: 8 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -86,6 +86,7 @@ Patch6001: backport-CVE-2021-4009.patch Patch6002: backport-CVE-2021-4010.patch Patch6003: backport-CVE-2021-4011.patch Patch6004: backport-rename-bool-to-boolean.patch +Patch6005: backport-CVE-2022-2319.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -429,6 +430,10 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Fri Jul 22 2022 baiguo - 1.20.11-8 +- xkb: switch to array index loops to moving pointers +- fix CVE-2022-2319 + * Fri Jul 22 2022 ouyangminxiang - 1.20.11-7 - Fix the crash in shadowUpdatePacked because of memcpy acts randomly with overlapping areas. - Fix the problem of black screen after entering the login interface -- Gitee