Version in base suite: 21.1.7-3
Base version: xorg-server_21.1.7-3
Target version: xorg-server_21.1.7-3+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xorg-server/xorg-server_21.1.7-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xorg-server/xorg-server_21.1.7-3+deb12u2.dsc
debian/patches/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch | 80 ++++++++
debian/patches/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch | 99 ++++++++++
debian/patches/present-Check-for-NULL-to-prevent-crash.patch | 43 ----
xorg-server-21.1.7/debian/changelog | 18 +
xorg-server-21.1.7/debian/patches/02_kbsd-input-devd.diff | 12 -
xorg-server-21.1.7/debian/patches/03_static-nettle.diff | 2
xorg-server-21.1.7/debian/patches/05_Revert-Unload-submodules.diff | 2
xorg-server-21.1.7/debian/patches/series | 3
8 files changed, 207 insertions(+), 52 deletions(-)
diff -u xorg-server-21.1.7/debian/changelog xorg-server-21.1.7/debian/changelog
--- xorg-server-21.1.7/debian/changelog
+++ xorg-server-21.1.7/debian/changelog
@@ -1,3 +1,21 @@
+xorg-server (2:21.1.7-3+deb12u2) bookworm-security; urgency=high
+
+ * 0003-mi-fix-CloseScreen-initialization-order.patch,
+ 0004-fb-properly-wrap-unwrap-CloseScreen.patch: drop, causes other
+ bugs that are worse than CVE-2023-5574.
+
+ -- Julien Cristau Wed, 25 Oct 2023 09:35:47 +0200
+
+xorg-server (2:21.1.7-3+deb12u1) bookworm-security; urgency=medium
+
+ * present-Check-for-NULL-to-prevent-crash.patch: drop, applied upstream since 21.1.4
+ * Xi/randr: fix handling of PropModeAppend/Prepend (CVE-2023-5367)
+ * mi: reset the PointerWindows reference on screen switch (CVE-2023-5380)
+ * mi: fix CloseScreen initialization order
+ * fb: properly wrap/unwrap CloseScreen (CVE-2023-5574)
+
+ -- Julien Cristau Mon, 23 Oct 2023 19:26:14 +0200
+
 xorg-server (2:21.1.7-3) unstable; urgency=medium
 * Enable DRI2 for the udeb build, needed in addition to DRM support
diff -u xorg-server-21.1.7/debian/patches/02_kbsd-input-devd.diff xorg-server-21.1.7/debian/patches/02_kbsd-input-devd.diff
--- xorg-server-21.1.7/debian/patches/02_kbsd-input-devd.diff
+++ xorg-server-21.1.7/debian/patches/02_kbsd-input-devd.diff
@@ -448,7 +448,7 @@
 +}
 --- a/configure.ac
 +++ b/configure.ac
-@@ -566,6 +566,7 @@ AC_ARG_ENABLE(dpms, AS_HELP_ST
+@@ -555,6 +555,7 @@ AC_ARG_ENABLE(dpms, AS_HELP_ST
 AC_ARG_ENABLE(config-udev, AS_HELP_STRING([--enable-config-udev], [Build udev support (default: auto)]), [CONFIG_UDEV=$enableval], [CONFIG_UDEV=auto])
 AC_ARG_ENABLE(config-udev-kms, AS_HELP_STRING([--enable-config-udev-kms], [Build udev kms support (default: auto)]), [CONFIG_UDEV_KMS=$enableval], [CONFIG_UDEV_KMS=auto])
 AC_ARG_ENABLE(config-hal, AS_HELP_STRING([--disable-config-hal], [Build HAL support (default: auto)]), [CONFIG_HAL=$enableval], [CONFIG_HAL=auto])
@@ -456,7 +456,7 @@
 AC_ARG_ENABLE(config-wscons, AS_HELP_STRING([--enable-config-wscons], [Build wscons config support (default: auto)]), [CONFIG_WSCONS=$enableval], [CONFIG_WSCONS=auto])
 AC_ARG_ENABLE(xfree86-utils, AS_HELP_STRING([--enable-xfree86-utils], [Build xfree86 DDX utilities (default: enabled)]), [XF86UTILS=$enableval], [XF86UTILS=yes])
 AC_ARG_ENABLE(vgahw, AS_HELP_STRING([--enable-vgahw], [Build Xorg with vga access (default: enabled)]), [VGAHW=$enableval], [VGAHW=yes])
-@@ -950,6 +951,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
+@@ -930,6 +931,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
 AC_DEFINE(CONFIG_WSCONS, 1, [Use wscons for input auto configuration])
 fi
@@ -478,7 +478,7 @@
 AC_MSG_CHECKING([for glibc...])
 AC_PREPROC_IFELSE([AC_LANG_SOURCE([
-@@ -2429,7 +2445,7 @@ AC_SUBST([prefix])
+@@ -2256,7 +2272,7 @@ AC_SUBST([prefix])
 AC_CONFIG_COMMANDS([sdksyms], [touch hw/xfree86/sdksyms.dep])
@@ -489,7 +489,7 @@
 Neither HAL nor udev backend will be enabled.
 --- a/hw/xfree86/common/xf86Config.c
 +++ b/hw/xfree86/common/xf86Config.c
-@@ -1257,15 +1257,18 @@ checkCoreInputDevices(serverLayoutPtr se
+@@ -1279,15 +1279,18 @@ checkCoreInputDevices(serverLayoutPtr se
 }
 if (!xf86Info.forceInputDevices && !(foundPointer && foundKeyboard)) {
@@ -512,7 +512,7 @@
 "input devices.\n\tIf no devices become available, "
 --- a/hw/xfree86/common/xf86Globals.c
 +++ b/hw/xfree86/common/xf86Globals.c
-@@ -117,7 +117,8 @@ xf86InfoRec xf86Info = {
+@@ -118,7 +118,8 @@ xf86InfoRec xf86Info = {
 .miscModInDevEnabled = TRUE,
 .miscModInDevAllowNonLocal = FALSE,
 .pmFlag = TRUE,
@@ -524,7 +524,7 @@
 .autoEnableDevices = TRUE,
 --- a/include/dix-config.h.in
+++ b/include/dix-config.h.in
-@@ -433,6 +433,9 @@
+@@ -418,6 +418,9 @@
 /* Enable systemd-logind integration */ #undef SYSTEMD_LOGIND 1
diff -u xorg-server-21.1.7/debian/patches/03_static-nettle.diff xorg-server-21.1.7/debian/patches/03_static-nettle.diff
--- xorg-server-21.1.7/debian/patches/03_static-nettle.diff
+++ xorg-server-21.1.7/debian/patches/03_static-nettle.diff
@@ -4,7 +4,7 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1634,7 +1634,7 @@ fi
+@@ -1574,7 +1574,7 @@ fi
 if test "x$with_sha1" = xlibnettle; then
 AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1], [Use libnettle SHA1 functions])
diff -u xorg-server-21.1.7/debian/patches/05_Revert-Unload-submodules.diff xorg-server-21.1.7/debian/patches/05_Revert-Unload-submodules.diff
--- xorg-server-21.1.7/debian/patches/05_Revert-Unload-submodules.diff
+++ xorg-server-21.1.7/debian/patches/05_Revert-Unload-submodules.diff
@@ -12,7 +12,7 @@
 --- a/hw/xfree86/common/xf86Helper.c
 +++ b/hw/xfree86/common/xf86Helper.c
-@@ -1524,7 +1524,13 @@ xf86LoadOneModule(const char *name, void
+@@ -1508,7 +1508,13 @@ xf86LoadOneModule(const char *name, void
 void xf86UnloadSubModule(void *mod) {
reverted:
--- xorg-server-21.1.7/debian/patches/present-Check-for-NULL-to-prevent-crash.patch
+++ xorg-server-21.1.7.orig/debian/patches/present-Check-for-NULL-to-prevent-crash.patch
@@ -1,43 +0,0 @@
-From 69774044716039fa70655b3bc6dd6a4ff4535cfd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?B=C5=82a=C5=BCej=20Szczygie=C5=82?=
-Date: Thu, 13 Jan 2022 00:47:27 +0100
-Subject: [PATCH] present: Check for NULL to prevent crash
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1275
-Signed-off-by: Błażej Szczygieł
-Tested-by: Aaron Plattner
-(cherry picked from commit 22d5818851967408bb7c903cb345b7ca8766094c)
----
- present/present_scmd.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/present/present_scmd.c b/present/present_scmd.c
-index da836ea6b..239055bc1 100644
---- a/present/present_scmd.c
-+++ b/present/present_scmd.c
-@@ -158,6 +158,9 @@ present_scmd_get_crtc(present_screen_priv_ptr screen_priv, WindowPtr window)
- if (!screen_priv->info)
- return NULL;
-
-+ if (!screen_priv->info->get_crtc)
-+ return NULL;
-+
- return (*screen_priv->info->get_crtc)(window);
- }
-
-@@ -196,6 +199,9 @@ present_flush(WindowPtr window)
- if (!screen_priv->info)
- return;
-
-+ if (!screen_priv->info->flush)
-+ return;
-+
- (*screen_priv->info->flush) (window);
- }
-
---
-2.34.1
-
diff -u xorg-server-21.1.7/debian/patches/series xorg-server-21.1.7/debian/patches/series
--- xorg-server-21.1.7/debian/patches/series
+++ xorg-server-21.1.7/debian/patches/series
@@ -1,8 +1,9 @@
 ## Patches with a number < 100 are applied in debian.
 ## Ubuntu patches start with 100.
+0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
 02_kbsd-input-devd.diff
 03_static-nettle.diff
 05_Revert-Unload-submodules.diff
 06_use-intel-only-on-pre-gen4.diff
 07_use-modesetting-driver-by-default-on-GeForce.diff
-present-Check-for-NULL-to-prevent-crash.patch
only in patch2:
unchanged:
--- xorg-server-21.1.7.orig/debian/patches/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+++ xorg-server-21.1.7/debian/patches/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
@@ -0,0 +1,80 @@
+From 69ceb12e9c9dc42175aba48bb86f2842423d7082 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+ [N, N, N, ?, ?, P, P, P ] P, P
+ ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer
+---
+ Xi/xiproperty.c | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+ XIDestroyDeviceProperty(prop);
+ return BadAlloc;
+ }
+- new_value.size = len;
++ new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 
c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+ RRDestroyOutputProperty(prop);
+ return BadAlloc;
+ }
+- new_value.size = len;
++ new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+--
+2.41.0
+
only in patch2:
unchanged:
--- xorg-server-21.1.7.orig/debian/patches/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
+++ xorg-server-21.1.7/debian/patches/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
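Review bot: The same two-line fix is applied verbatim to two copy/pasted functions, XIChangeDeviceProperty in Xi/xiproperty.c and RRChangeOutputProperty in randr/rrproperty.c, which is exactly how the original bug came to exist in both; the hunks show only the middle of each function, and the `total_len` that the corrected `new_value.size = total_len;` relies on is computed outside them. If, as the patch description implies, `total_len` is the existing element count plus `len`, a comment at that assignment such as `/* size covers the existing elements plus the newly added ones */` would make the dependency visible to the next reader. A shared helper for the append/prepend offset arithmetic would keep the two copies from drifting again, though that is a change for upstream rather than for this security update.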
@@ -0,0 +1,99 @@
+From 344bdc9b8075bc98ddad46439f04f17b8a681cc5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen
+ switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer
+Reviewed-by: Adam Jackson
+---
+ dix/enterleave.h | 2 --
+ include/eventstr.h | 3 +++
+ mi/mipointer.c | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8a3b..e8af924c68 100644
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+ int type, int mode, int detail, WindowPtr pWin);
+
+diff --git a/include/eventstr.h b/include/eventstr.h
+index 93308f9b24..a9926eaeef 100644
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -335,4 +335,7 @@ union _InternalEvent {
+ GestureEvent gesture_event;
+ };
+
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index a638f25d4a..8cf0035140 100644
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+ && noPanoramiXExtension
+ #endif
+- )
+- UpdateSpriteForScreen(pDev, pScreen);
++ ) {
++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++ /* Hack for CVE-2023-5380: if we're moving
++ * screens PointerWindows[] keeps referring to the
++ * old window. If that gets destroyed we have a UAF
++ * bug later. Only happens when jumping from a window
++ * to the root window on the other screen.
++ * Enter/Leave events are incorrect for that case but
++ * too niche to fix.
++ */
++ LeaveWindow(pDev);
++ if (master)
++ LeaveWindow(master);
++ UpdateSpriteForScreen(pDev, pScreen);
++ }
+ }
+
+ /**
+--
+2.41.0
+
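Review bot: In the new block in miPointerWarpCursor (mi/mipointer.c; the function starts and ends outside the hunk), `LeaveWindow(pDev)` is followed by `LeaveWindow(master)` whenever GetMaster returns non-NULL, so if GetMaster(pDev, MASTER_POINTER) can hand back pDev itself when pDev is already the master pointer, the same device is cleared twice. That looks harmless as long as LeaveWindow only resets that device's PointerWindows[] entry, but `if (master && master != pDev)` states the intent and stops the code from relying on idempotence. The relocated prototype also lands in include/eventstr.h directly after `union _InternalEvent`, a header otherwise holding event structures; a one-line comment there saying why the declaration could not stay in dix/enterleave.h would spare the next reader a detour.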