Version in base suite: 21.1.7-3+deb12u5 Base version: xorg-server_21.1.7-3+deb12u5 Target version: xorg-server_21.1.7-3+deb12u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xorg-server/xorg-server_21.1.7-3+deb12u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xorg-server/xorg-server_21.1.7-3+deb12u6.dsc debian/patches/20240403/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch | 46 ++++ debian/patches/20240403/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch | 44 +++ debian/patches/20240403/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch | 48 ++++ debian/patches/20240403/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch | 114 ++++++++++ xorg-server-21.1.7/debian/changelog | 9 xorg-server-21.1.7/debian/patches/Xi-allocate-enough-XkbActions-for-our-buttons.patch | 13 - xorg-server-21.1.7/debian/patches/Xi-do-not-keep-linked-list-pointer-during-recursion.patch | 9 xorg-server-21.1.7/debian/patches/Xi-flush-hierarchy-events-after-adding-removing-mast.patch | 13 - xorg-server-21.1.7/debian/patches/dix-Fix-use-after-free-in-input-device-shutdown.patch | 7 xorg-server-21.1.7/debian/patches/dix-when-disabling-a-master-float-disabled-slaved-de.patch | 15 - xorg-server-21.1.7/debian/patches/series | 6 11 files changed, 280 insertions(+), 44 deletions(-) diff -u xorg-server-21.1.7/debian/changelog xorg-server-21.1.7/debian/changelog --- xorg-server-21.1.7/debian/changelog +++ xorg-server-21.1.7/debian/changelog 
@@ -1,3 +1,12 @@ +xorg-server (2:21.1.7-3+deb12u6) bookworm-security; urgency=high + + * CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents + * CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice + * CVE-2024-31082: Heap buffer overread/data leakage in ProcAppleDRICreatePixmap + * CVE-2024-31083: User-after-free in ProcRenderAddGlyphs + + -- Julien Cristau Thu, 04 Apr 2024 11:59:35 +0200 + xorg-server (2:21.1.7-3+deb12u5) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -u xorg-server-21.1.7/debian/patches/Xi-allocate-enough-XkbActions-for-our-buttons.patch xorg-server-21.1.7/debian/patches/Xi-allocate-enough-XkbActions-for-our-buttons.patch --- xorg-server-21.1.7/debian/patches/Xi-allocate-enough-XkbActions-for-our-buttons.patch +++ xorg-server-21.1.7/debian/patches/Xi-allocate-enough-XkbActions-for-our-buttons.patch @@ -18,11 +18,9 @@ dix/devices.c | 10 ++++++++++ 2 files changed, 16 insertions(+), 6 deletions(-) -diff --git a/Xi/exevents.c b/Xi/exevents.c -index dcd4efb3bc7a..54ea11a93872 100644 --- a/Xi/exevents.c +++ b/Xi/exevents.c -@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) +@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from } if (from->button->xkb_acts) { @@ -42,11 +40,9 @@ } else { free(to->button->xkb_acts); -diff --git a/dix/devices.c b/dix/devices.c -index b063128df072..3f3224d6264f 100644 --- a/dix/devices.c +++ b/dix/devices.c -@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) +@@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr sl if (master->button && master->button->numButtons != maxbuttons) { int i; @@ -55,7 +51,7 @@ DeviceChangedEvent event = { .header = ET_Internal, .type = ET_DeviceChanged, -@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) +@@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr sl }; master->button->numButtons = maxbuttons; 
@@ -70,6 +66,3 @@ memcpy(&event.buttons.names, master->button->labels, maxbuttons * sizeof(Atom)); --- -2.43.0 - diff -u xorg-server-21.1.7/debian/patches/Xi-do-not-keep-linked-list-pointer-during-recursion.patch xorg-server-21.1.7/debian/patches/Xi-do-not-keep-linked-list-pointer-during-recursion.patch --- xorg-server-21.1.7/debian/patches/Xi-do-not-keep-linked-list-pointer-during-recursion.patch +++ xorg-server-21.1.7/debian/patches/Xi-do-not-keep-linked-list-pointer-during-recursion.patch @@ -27,11 +27,9 @@ dix/devices.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) -diff --git a/dix/devices.c b/dix/devices.c -index 3f3224d62..3a64d8702 100644 --- a/dix/devices.c +++ b/dix/devices.c -@@ -451,14 +451,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) +@@ -447,14 +447,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sen { DeviceIntPtr *prev, other; BOOL enabled; @@ -55,7 +53,7 @@ return FALSE; TouchEndPhysicallyActiveTouches(dev); -@@ -509,6 +515,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) +@@ -505,6 +511,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sen LeaveWindow(dev); SetFocusOut(dev); @@ -65,6 +63,3 @@ *prev = dev->next; dev->next = inputInfo.off_devices; inputInfo.off_devices = dev; --- -2.43.0 - diff -u xorg-server-21.1.7/debian/patches/Xi-flush-hierarchy-events-after-adding-removing-mast.patch xorg-server-21.1.7/debian/patches/Xi-flush-hierarchy-events-after-adding-removing-mast.patch --- xorg-server-21.1.7/debian/patches/Xi-flush-hierarchy-events-after-adding-removing-mast.patch +++ xorg-server-21.1.7/debian/patches/Xi-flush-hierarchy-events-after-adding-removing-mast.patch @@ -27,11 +27,9 @@ Xi/xichangehierarchy.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) -diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c -index 01eb7a8af4..67eedddec6 100644 --- a/Xi/xichangehierarchy.c 
+++ b/Xi/xichangehierarchy.c -@@ -340,6 +340,11 @@ ProcXIChangeHierarchy(ClientPtr client) +@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) size_t len; /* length of data remaining in request */ int rc = Success; int flags[MAXDEVICES] = { 0 }; @@ -43,7 +41,7 @@ REQUEST(xXIChangeHierarchyReq); REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); -@@ -389,8 +394,9 @@ ProcXIChangeHierarchy(ClientPtr client) +@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) rc = add_master(client, c, flags); if (rc != Success) goto unwind; @@ -54,7 +52,7 @@ case XIRemoveMaster: { xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; -@@ -399,8 +405,9 @@ ProcXIChangeHierarchy(ClientPtr client) +@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) rc = remove_master(client, r, flags); if (rc != Success) goto unwind; @@ -65,7 +63,7 @@ case XIDetachSlave: { xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; -@@ -409,8 +416,9 @@ ProcXIChangeHierarchy(ClientPtr client) +@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) rc = detach_slave(client, c, flags); if (rc != Success) goto unwind; @@ -104,6 +102,3 @@ + XISendDeviceHierarchyEvent(flags); return rc; } --- -2.43.0 - diff -u xorg-server-21.1.7/debian/patches/dix-Fix-use-after-free-in-input-device-shutdown.patch xorg-server-21.1.7/debian/patches/dix-Fix-use-after-free-in-input-device-shutdown.patch --- xorg-server-21.1.7/debian/patches/dix-Fix-use-after-free-in-input-device-shutdown.patch +++ xorg-server-21.1.7/debian/patches/dix-Fix-use-after-free-in-input-device-shutdown.patch @@ -60,11 +60,9 @@ dix/devices.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/dix/devices.c b/dix/devices.c -index e62c34c55e95..5f9ce1678fc4 100644 --- a/dix/devices.c +++ b/dix/devices.c -@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) +@@ -536,6 +536,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sen } RecalculateMasterButtons(dev); 
@@ -72,6 +70,3 @@ return TRUE; } --- -2.43.0 - diff -u xorg-server-21.1.7/debian/patches/dix-when-disabling-a-master-float-disabled-slaved-de.patch xorg-server-21.1.7/debian/patches/dix-when-disabling-a-master-float-disabled-slaved-de.patch --- xorg-server-21.1.7/debian/patches/dix-when-disabling-a-master-float-disabled-slaved-de.patch +++ xorg-server-21.1.7/debian/patches/dix-when-disabling-a-master-float-disabled-slaved-de.patch @@ -18,11 +18,9 @@ dix/devices.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) -diff --git a/dix/devices.c b/dix/devices.c -index c7fa8fad69..87f4d4a213 100644 --- a/dix/devices.c +++ b/dix/devices.c -@@ -482,6 +482,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) +@@ -477,6 +477,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sen flags[other->id] |= XISlaveDetached; } } @@ -36,18 +34,15 @@ } else { for (other = inputInfo.devices; other; other = other->next) { -@@ -1088,6 +1095,11 @@ CloseDownDevices(void) +@@ -1072,6 +1079,11 @@ CloseDownDevices(void) + if (!IsMaster(dev) && !IsFloating(dev)) dev->master = NULL; } - ++ + for (dev = inputInfo.off_devices; dev; dev = dev->next) { + if (!IsMaster(dev) && !IsFloating(dev)) + dev->master = NULL; + } -+ + CloseDeviceList(&inputInfo.devices); CloseDeviceList(&inputInfo.off_devices); - --- -2.43.0 - diff -u xorg-server-21.1.7/debian/patches/series xorg-server-21.1.7/debian/patches/series --- xorg-server-21.1.7/debian/patches/series +++ xorg-server-21.1.7/debian/patches/series @@ -1,5 +1,3 @@ -## Patches with a number < 100 are applied in debian. -## Ubuntu patches start with 100. 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch Xi-allocate-enough-XkbActions-for-our-buttons.patch 
@@ -15,6 +13,10 @@ ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch glx-Call-XACE-hooks-on-the-GLX-buffer.patch dix-Fix-use-after-free-in-input-device-shutdown.patch +20240403/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch +20240403/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch +20240403/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch +20240403/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch 02_kbsd-input-devd.diff 03_static-nettle.diff 05_Revert-Unload-submodules.diff only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/20240403/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch +++ xorg-server-21.1.7/debian/patches/20240403/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch 
@@ -0,0 +1,46 @@
+From 8a7cd0e3ef194610300c1a38fb5a5423b23dd6a5 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH xserver 1/4] Xi: ProcXIGetSelectedEvents needs to use
+ unswapped length to send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith
+Part-of:
+(cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b)
+---
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ InputClientsPtr others = NULL;
+ xXIEventMask *evmask = NULL;
+ DeviceIntPtr dev;
++ uint32_t length;
+
+ REQUEST(xXIGetSelectedEventsReq);
+ REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIGetSelectedEvents swaps it */
++ length = reply.length;
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (reply.num_masks)
+- WriteToClient(client, reply.length * 4, buffer);
++ WriteToClient(client, length * 4, buffer);
+
+ free(buffer);
+ return Success;
+--
+2.39.2
+
only in patch2:
unchanged:
--- xorg-server-21.1.7.orig/debian/patches/20240403/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
+++ xorg-server-21.1.7/debian/patches/20240403/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
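Review bot: The saved-length temporaries are typed inconsistently across this patch set: here and in 0002 the new local is `uint32_t length`, while 0003 declares `CARD32 stringLength`, even though all three copy a CARD32 reply field; one spelling should be picked, and CARD32 matches the struct member being copied. The comment `/* save the value before SRepXIGetSelectedEvents swaps it */` also names the swap helper rather than the call that triggers it; as far as can be told from here it is the `WriteReplyToClient` call on the next line that byte-swaps `reply` in place for swapped clients, so I would word it `/* WriteReplyToClient byte-swaps reply in place for swapped clients; keep the host-order length for the trailing write */` so the next reader knows not to read any `reply` field after that line. The same wording applies to 0002's `rep.length` and, with `swapl(&rep.length)` visible in its hunk, to 0003's `rep.stringLength`. ProcXIGetSelectedEvents begins and ends outside the hunk, so whether `reply.length` is read anywhere else after the write cannot be checked from this view.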
@@ -0,0 +1,44 @@
+From cea92ca78f900bfb4c9a5540dfd631e065b9151b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH xserver 2/4] Xi: ProcXIPassiveGrabDevice needs to use
+ unswapped length to send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith
+Part-of:
+(cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee)
+---
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ GrabParameters param;
+ void *tmp;
+ int mask_len;
++ uint32_t length;
+
+ REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIPassiveGrabDevice swaps it */
++ length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (rep.num_modifiers)
+- WriteToClient(client, rep.length * 4, modifiers_failed);
++ WriteToClient(client, length * 4, modifiers_failed);
+
+ out:
+ free(modifiers_failed);
+--
+2.39.2
+
only in patch2:
unchanged:
--- xorg-server-21.1.7.orig/debian/patches/20240403/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
+++ xorg-server-21.1.7/debian/patches/20240403/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
@@ -0,0 +1,48 @@
+From 0e34d8ebc98a0ba6f9f0a2f8f5045761bccc45d3 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 22 Mar 2024 19:07:34 -0700
+Subject: [PATCH xserver 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use
+ unswapped length to send reply
+
+CVE-2024-31082
+
+Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
+Signed-off-by: Alan Coopersmith
+Part-of:
+(cherry picked from commit 6c684d035c06fd41c727f0ef0744517580864cef)
+---
+ hw/xquartz/xpr/appledri.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
+index 77574655b2..40422b61a9 100644
+--- a/hw/xquartz/xpr/appledri.c
++++ b/hw/xquartz/xpr/appledri.c
+@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ xAppleDRICreatePixmapReply rep;
+ int width, height, pitch, bpp;
+ void *ptr;
++ CARD32 stringLength;
+
+ REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
+
+@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
+ ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+
++ stringLength = rep.stringLength; /* save unswapped value */
+ if (client->swapped) {
+ swaps(&rep.sequenceNumber);
+ swapl(&rep.length);
+@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ }
+
+ WriteToClient(client, sizeof(rep), &rep);
+- WriteToClient(client, rep.stringLength, path);
++ WriteToClient(client, stringLength, path);
+
+ return Success;
+ }
+--
+2.39.2
+
only in patch2:
unchanged:
--- xorg-server-21.1.7.orig/debian/patches/20240403/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
+++ xorg-server-21.1.7/debian/patches/20240403/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
@@ -0,0 +1,114 @@
+From 1173156404be826f50f453ca11bda28ccb5a5268 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Tue, 30 Jan 2024 13:13:35 +1000
+Subject: [PATCH xserver 4/4] render: fix refcounting of glyphs during
+ ProcRenderAddGlyphs
+
+Previously, AllocateGlyph would return a new glyph with refcount=0 and a
+re-used glyph would end up not changing the refcount at all. The
+resulting glyph_new array would thus have multiple entries pointing to
+the same non-refcounted glyphs.
+
+AddGlyph may free a glyph, resulting in a UAF when the same glyph
+pointer is then later used.
+
+Fix this by returning a refcount of 1 for a new glyph and always
+incrementing the refcount for a re-used glyph, followed by dropping that
+refcount back down again when we're done with it.
+
+CVE-2024-31083, ZDI-CAN-22880
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Part-of:
+(cherry picked from commit bdca6c3d1f5057eeb31609b1280fc93237b00c77)
+---
+ render/glyph.c | 5 +++--
+ render/glyphstr.h | 2 ++
+ render/render.c | 15 +++++++++++----
+ 3 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index f3ed9cf4c1..d5fc5f3c91 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
+ }
+ }
+
+-static void
++void
+ FreeGlyph(GlyphPtr glyph, int format)
+ {
+ CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
++ BUG_RETURN(glyph->refcnt == 0);
+ if (--glyph->refcnt == 0) {
+ GlyphRefPtr gr;
+ int i;
+@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
+ glyph = (GlyphPtr) malloc(size);
+ if (!glyph)
+ return 0;
+- glyph->refcnt = 0;
++ glyph->refcnt = 1;
+ glyph->size = size + sizeof(xGlyphInfo);
+ glyph->info = *gi;
+ dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
+diff --git a/render/glyphstr.h b/render/glyphstr.h
+index 2f51bd244a..e8034556d7 100644
+--- a/render/glyphstr.h
++++ b/render/glyphstr.h
+@@ -109,6 +109,8 @@ extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
+
+ extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
+
++extern void FreeGlyph(GlyphPtr glyph, int format);
++
+ extern Bool
+ ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
+
+diff --git a/render/render.c b/render/render.c
+index 456f156d43..5bc2a204b7 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
+
+ if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
+ glyph_new->found = TRUE;
++ ++glyph_new->glyph->refcnt;
+ }
+ else {
+ GlyphPtr glyph;
+@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
+ err = BadAlloc;
+ goto bail;
+ }
+- for (i = 0; i < nglyphs; i++)
++ for (i = 0; i < nglyphs; i++) {
+ AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
++ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
++ }
+
+ if (glyphsBase != glyphsLocal)
+ free(glyphsBase);
+@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
+ FreePicture((void *) pSrc, 0);
+ if (pSrcPix)
+ FreeScratchPixmapHeader(pSrcPix);
+- for (i = 0; i < nglyphs; i++)
+- if (glyphs[i].glyph && !glyphs[i].found)
+- free(glyphs[i].glyph);
++ for (i = 0; i < nglyphs; i++) {
++ if (glyphs[i].glyph) {
++ --glyphs[i].glyph->refcnt;
++ if (!glyphs[i].found)
++ free(glyphs[i].glyph);
++ }
++ }
+ if (glyphsBase != glyphsLocal)
+ free(glyphsBase);
+ return err;
+--
+2.39.2
+
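Review bot: The bail loop in render.c drops the glyph reference by hand (`--glyphs[i].glyph->refcnt;` followed by a bare `free(glyphs[i].glyph)` when `!glyphs[i].found`) instead of calling the `FreeGlyph()` this same patch exports, and nothing in the hunk says why; the hand-rolled decrement also bypasses the new `BUG_RETURN(glyph->refcnt == 0)` underflow guard. Presumably a not-yet-added glyph is absent from `globalGlyphs` and must not go through FreeGlyph's hash teardown, but that invariant should be written down, e.g. `/* not yet in the glyph hash (AddGlyph never ran), so drop our ref and free directly rather than via FreeGlyph() */` above the loop. The success loop likewise deserves a one-liner such as `/* AddGlyph() takes its own reference; release the one from AllocateGlyph()/the lookup */` next to the new `FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);`, since the refcount balance now depends on that pairing. ProcRenderAddGlyphs begins and ends outside these hunks, so I cannot confirm from here that no `goto bail` sits between the AddGlyph loop and the return.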