Version in base suite: 1.7.2-1
Base version: libx11_1.7.2-1
Target version: libx11_1.7.2-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libx11/libx11_1.7.2-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libx11/libx11_1.7.2-1+deb11u1.dsc
 debian/patches/016_InitExt.c-Add-bounds-checks-for-extension-request-ev.diff | 110 ++++++++++
 libx11-1.7.2/debian/changelog | 8
 libx11-1.7.2/debian/patches/series | 1
 3 files changed, 119 insertions(+)
diff -u libx11-1.7.2/debian/changelog libx11-1.7.2/debian/changelog
--- libx11-1.7.2/debian/changelog
+++ libx11-1.7.2/debian/changelog
@@ -1,3 +1,11 @@
+libx11 (2:1.7.2-1+deb11u1) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * InitExt.c: Add bounds checks for extension request, event, & error codes
+ (CVE-2023-3138) (Closes: #1038133)
+
+ -- Salvatore Bonaccorso Thu, 15 Jun 2023 21:58:56 +0200
+
 libx11 (2:1.7.2-1) unstable; urgency=medium
 
 [ Timo Aaltonen ]
diff -u libx11-1.7.2/debian/patches/series libx11-1.7.2/debian/patches/series
--- libx11-1.7.2/debian/patches/series
+++ libx11-1.7.2/debian/patches/series
@@ -3,3 +3,4 @@
 008_remove_ko_Compose.diff
 009_remove_th_Compose.diff
 015_russian_locale_alias.diff
+016_InitExt.c-Add-bounds-checks-for-extension-request-ev.diff
only in patch2:
unchanged:
--- libx11-1.7.2.orig/debian/patches/016_InitExt.c-Add-bounds-checks-for-extension-request-ev.diff
+++ libx11-1.7.2/debian/patches/016_InitExt.c-Add-bounds-checks-for-extension-request-ev.diff
@@ -0,0 +1,110 @@
+From: Alan Coopersmith
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: InitExt.c: Add bounds checks for extension request, event, & error
+ codes
+Origin: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c
+Bug-Debian: https://bugs.debian.org/1038133
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-3138
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK
+Signed-off-by: Alan Coopersmith
+---
+ src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f157b33..afc00a6b6f10 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include
+ #include
+ 
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+ * This routine is used to link a extension in so it will be called
+ * at appropriate times.
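Review bot: `FirstExtensionRequest` is defined only inside the `#ifndef LastExtensionRequest` guard in the macro hunk, so a build where another header already supplies `LastExtensionRequest` but not `FirstExtensionRequest` would leave the lower bound used by the two cookie checks undefined. Giving it its own guard, `#ifndef FirstExtensionRequest` / `#define FirstExtensionRequest 128` / `#endif`, keeps the two fallbacks independent. Whether any header in the include chain defines one without the other is not visible from this hunk.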
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+ WireToEventType proc) /* routine to call when converting event */
+ {
+ register WireToEventType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (WireToEventType)_XUnknownWireEvent;
++ }
+ if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+ )
+ {
+ WireToEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (WireToEventCookieType)_XUnknownWireEventCookie;
++ }
+ if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+ )
+ {
+ CopyEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (CopyEventCookieType)_XUnknownCopyEventCookie;
++ }
+ if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+ EventToWireType proc) /* routine to call when converting event */
+ {
+ register EventToWireType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (EventToWireType)_XUnknownNativeEvent;
++ }
+ if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@
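Review bot: The lower bound in XESetWireToEvent is `event_number < 0`, while the comment added with `LastExtensionEvent` says extensions own events 64 through 127, so codes 0 to 63 are still accepted and replace whatever handler sits in those `event_vec` slots. That keeps the write inside the array, which is what the CVE fix needs, but it is a bounds check and not a protocol-range check; the `wire_vec` check in XESetEventToWire has the same shape. Whether any caller legitimately registers for a code below 64 is not visible here, so the safest change is a comment above each check stating the intent, e.g. `/* array bounds check only; codes below 64 are not rejected here */`. Both function bodies continue outside their hunks.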
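Review bot: On rejection XESetWireToEventCookie returns `_XUnknownWireEventCookie`, which is presumably also what a first successful registration hands back as the previous handler, so a caller cannot tell from the return value that its handler was never installed. The stderr line is the only signal, and the same holds for the rejection paths in XESetWireToEvent, XESetCopyEventCookie, XESetEventToWire and XESetWireToError. Since the signatures cannot carry an error, each function's header comment should document it, e.g. `/* Returns the default handler without installing proc if the code is out of range. */`. The function bodies continue outside the hunks.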
WireToErrorType XESetWireToError(
+ WireToErrorType proc) /* routine to call when converting error */
+ {
+ register WireToErrorType oldproc = NULL;
++ if (error_number < 0 ||
++ error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++ error_number);
++ return (WireToErrorType)_XDefaultWireError;
++ }
+ if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+ LockDisplay (dpy);
+ if (!dpy->error_vec) {
+-- 
+2.40.1
+
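Review bot: `LastExtensionError` in the XESetWireToError check has no fallback definition in this patch, unlike `LastExtensionEvent` and `LastExtensionRequest`, which the first hunk defines under `#ifndef`. It presumably comes from `X11/X.h` through the existing includes, but nothing visible ties its value to the length `error_vec` is allocated with, and that allocation sits below the end of the hunk. A comment at the check would make the bound auditable, e.g. `/* LastExtensionError must stay below the number of entries allocated for error_vec */`.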