Version in base suite: 1.7.2-1 Version in overlay suite: 1.7.2-1+deb11u1 Base version: libx11_1.7.2-1+deb11u1 Target version: libx11_1.7.2-1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libx11/libx11_1.7.2-1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libx11/libx11_1.7.2-1+deb11u2.dsc .pc/.quilt_patches | 1 .pc/.quilt_series | 1 .pc/.version | 1 debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch | 58 +++++++++ debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch | 37 ++++++ debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch | 41 ++++++ debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch | 47 +++++++ debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch | 59 ++++++++++ libx11-1.7.2/debian/changelog | 10 + libx11-1.7.2/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff | 18 ++- libx11-1.7.2/debian/patches/015_russian_locale_alias.diff | 6 - libx11-1.7.2/debian/patches/series | 5 12 files changed, 277 insertions(+), 7 deletions(-) diff -u libx11-1.7.2/debian/changelog libx11-1.7.2/debian/changelog --- libx11-1.7.2/debian/changelog +++ libx11-1.7.2/debian/changelog 
@@ -1,3 +1,13 @@ +libx11 (2:1.7.2-1+deb11u2) bullseye-security; urgency=medium + + * CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms() + * CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage() + * CVE-2023-43787: integer overflow in XCreateImage() leading to a heap overflow + * XPutImage: clip images to maximum height & width allowed by protocol + * XCreatePixmap: trigger BadValue error for out-of-range dimensions + + -- Julien Cristau Tue, 03 Oct 2023 11:01:59 +0200 + libx11 (2:1.7.2-1+deb11u1) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -u libx11-1.7.2/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff libx11-1.7.2/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff --- libx11-1.7.2/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff +++ libx11-1.7.2/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff @@ -49,6 +49,12 @@ Partially submitted upstream. This is so large I don't expect it to all go in at once, but any bit would help. --Nathanael +--- + nls/compose.dir.pre | 58 +++++++++++++++++++++++++++++++++++++++++---------- + nls/locale.alias.pre | 24 +++++++++++++++++---- + nls/locale.dir.pre | 55 +++++++++++++++++++++++++++++++++++++++++------- + 3 files changed, 114 insertions(+), 23 deletions(-) + --- a/nls/compose.dir.pre +++ b/nls/compose.dir.pre @@ -4,8 +4,13 @@ XCOMM The first word is the compose tabl @@ -254,7 +260,7 @@ en_US.UTF-8/Compose: tr_TR.UTF-8 --- a/nls/locale.alias.pre +++ b/nls/locale.alias.pre -@@ -316,6 +316,12 @@ en_CA.iso88591: en_CA.ISO8859-1 +@@ -317,6 +317,12 @@ en_CA.iso88591: en_CA.ISO8859-1 en_CA.ISO-8859-1: en_CA.ISO8859-1 en_CA.ISO_8859-1: en_CA.ISO8859-1 en_CA.utf8: en_CA.UTF-8 
@@ -267,7 +273,7 @@ en_DL.utf8: en_DL.UTF-8 en_GB: en_GB.ISO8859-1 en_GB.88591: en_GB.ISO8859-1 -@@ -369,6 +375,16 @@ en_US.8859-15: en_US.ISO8859-15 +@@ -370,6 +376,16 @@ en_US.8859-15: en_US.ISO8859-15 en_US.ISO8859-15@euro: en_US.ISO8859-15 en_US.utf8: en_US.UTF-8 EN_US.UTF-8: en_US.UTF-8 @@ -284,7 +290,7 @@ en_ZA: en_ZA.ISO8859-1 en_ZA.88591: en_ZA.ISO8859-1 en_ZA.88591.en: en_ZA.ISO8859-1 -@@ -926,7 +942,6 @@ pt_BR.88591.en: pt_BR.ISO8859-1 +@@ -927,7 +943,6 @@ pt_BR.88591.en: pt_BR.ISO8859-1 pt_BR.iso88591: pt_BR.ISO8859-1 pt_BR.ISO-8859-1: pt_BR.ISO8859-1 pt_BR.ISO_8859-1: pt_BR.ISO8859-1 @@ -292,7 +298,7 @@ pt_BR.utf8: pt_BR.UTF-8 pt_PT: pt_PT.ISO8859-1 pt_PT.88591: pt_PT.ISO8859-1 -@@ -983,6 +998,7 @@ se_NO: se_NO.UTF-8 +@@ -984,6 +999,7 @@ se_NO: se_NO.UTF-8 se_NO.utf8: se_NO.UTF-8 si: si_LK.UTF-8 si_LK: si_LK.UTF-8 @@ -300,7 +306,7 @@ sk: sk_SK.ISO8859-2 sk_SK: sk_SK.ISO8859-2 sk_SK.iso88592: sk_SK.ISO8859-2 -@@ -1184,7 +1200,7 @@ XCOMM The following locale names are use +@@ -1185,7 +1201,7 @@ XCOMM The following locale names are use american.iso88591: en_US.ISO8859-1 arabic.iso88596: ar_AA.ISO8859-6 bokmal: nb_NO.ISO8859-1 @@ -309,7 +315,7 @@ bulgarian: bg_BG.CP1251 c-french.iso88591: fr_CA.ISO8859-1 catalan: ca_ES.ISO8859-1 -@@ -1199,11 +1215,11 @@ deutsch: de_DE.ISO8859-1 +@@ -1200,11 +1216,11 @@ deutsch: de_DE.ISO8859-1 dutch: nl_NL.ISO8859-1 dutch.iso88591: nl_BE.ISO8859-1 eesti: et_EE.ISO8859-1 diff -u libx11-1.7.2/debian/patches/015_russian_locale_alias.diff libx11-1.7.2/debian/patches/015_russian_locale_alias.diff --- libx11-1.7.2/debian/patches/015_russian_locale_alias.diff +++ libx11-1.7.2/debian/patches/015_russian_locale_alias.diff @@ -10,9 +10,13 @@ Suggestion: can the russian default be changed to UTF-8 instead of KOI8-R? This will make it easier for russians to fit in with the rest of the world. +--- + nls/locale.alias.pre | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + --- a/nls/locale.alias.pre 
+++ b/nls/locale.alias.pre
-@@ -1249,7 +1249,7 @@ portuguese: pt_PT.ISO8859-1
+@@ -1250,7 +1250,7 @@ portuguese: pt_PT.ISO8859-1
 portuguese.iso88591: pt_PT.ISO8859-1
 romanian: ro_RO.ISO8859-2
 rumanian: ro_RO.ISO8859-2
diff -u libx11-1.7.2/debian/patches/series libx11-1.7.2/debian/patches/series
--- libx11-1.7.2/debian/patches/series
+++ libx11-1.7.2/debian/patches/series
@@ -4,3 +4,8 @@
 009_remove_th_Compose.diff
 015_russian_locale_alias.diff
 016_InitExt.c-Add-bounds-checks-for-extension-request-ev.diff
+0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
+0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
+0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch
+0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
+0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
only in patch2: unchanged:
--- libx11-1.7.2.orig/.pc/.quilt_patches
+++ libx11-1.7.2/.pc/.quilt_patches
@@ -0,0 +1 @@
+debian/patches
only in patch2: unchanged:
--- libx11-1.7.2.orig/.pc/.quilt_series
+++ libx11-1.7.2/.pc/.quilt_series
@@ -0,0 +1 @@
+series
only in patch2: unchanged:
--- libx11-1.7.2.orig/.pc/.version
+++ libx11-1.7.2/.pc/.version
@@ -0,0 +1 @@
+2
only in patch2: unchanged:
--- libx11-1.7.2.orig/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
+++ libx11-1.7.2/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
@@ -0,0 +1,58 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK
+Signed-off-by: Alan Coopersmith
+---
+ src/xkb/XKBGetMap.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ if (offset + newMap->nSyms >= map->size_syms) {
+ register int sz;
+
+- sz = map->size_syms + 128;
++ sz = offset + newMap->nSyms;
++ sz = ((sz + (unsigned) 128) / 128) * 128;
+ _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+ if (map->syms == NULL) {
+ map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ map->size_syms = sz;
+ }
+ if (newMap->nSyms > 0) {
+- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+- newMap->nSyms);
++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
++ newMap->nSyms) == 0)
++ return BadLength;
+ offset += newMap->nSyms;
+ }
+ else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+ if (newSyms == NULL)
+ return BadAlloc;
+- if (newMap->nSyms > 0)
+- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++ if (newMap->nSyms > 0) {
++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
++ return BadLength;
++ }
+ else
+ newSyms[0] = NoSymbol;
+ oldMap->kt_index[0] = newMap->ktIndex[0];
+--
+2.39.3
+
only in
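Review bot: The new rounding line `sz = ((sz + (unsigned) 128) / 128) * 128;` does its arithmetic in unsigned and stores the result back into the `register int sz`, and nothing in the hunk says why 128 or why the cast, so a later reader may "simplify" it away; a one-line comment keeps the intent explicit: `/* round up to the next multiple of 128, which always leaves at least one spare slot, so the copy into &map->syms[offset] below fits */`. The `== 0` test on `_XkbReadBufferCopyKeySyms()` is added at two sites but its return convention is not visible here; a comment at the first site, `/* 0: the reply buffer holds fewer than nSyms entries, do not trust the partial copy */`, would document why `BadLength` is the right answer. `_XkbReadKeySyms()` starts before and continues after the hunk, so whether the partially filled `map->syms` is released by the caller on the `BadLength` path cannot be checked from here.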
patch2: unchanged:
--- libx11-1.7.2.orig/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
+++ libx11-1.7.2/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
@@ -0,0 +1,37 @@
+From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Thu, 7 Sep 2023 15:54:30 -0700
+Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
+ recursion in PutSubImage()
+
+When splitting a single line of pixels into chunks to send to the
+X server, be sure to take into account the number of bits per pixel,
+so we don't just loop forever trying to send more pixels than fit in
+the given request size and not breaking them down into a small enough
+chunk to fix.
+
+Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
+Signed-off-by: Alan Coopersmith
+---
+ src/PutImage.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index 857ee916..a6db7b42 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -914,8 +914,9 @@ PutSubImage (
+ req_width, req_height - SubImageHeight,
+ dest_bits_per_pixel, dest_scanline_pad);
+ } else {
+- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
+- * dest_scanline_pad) - left_pad;
++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
++ * dest_scanline_pad) - left_pad)
++ / dest_bits_per_pixel;
+
+ PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
+ (unsigned int) SubImageWidth, 1,
+--
+2.39.3
+
only in patch2: unchanged:
--- libx11-1.7.2.orig/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch
+++ libx11-1.7.2/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch
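Review bot: The new `SubImageWidth` can still come out as 0 or negative when `Available` is so small that the pad-rounded bit count does not exceed `left_pad` plus one pixel, and the recursive call two lines below casts it with `(unsigned int)`, so such a value becomes 0 or a huge width and the recursion makes no progress, which is the failure mode this patch is fixing. Unless the callers guarantee `Available` always covers at least one pixel of the line (PutSubImage begins and ends outside the hunk, so that cannot be seen here), a guard before the recursion such as `if (SubImageWidth < 1) SubImageWidth = 1;` would at least force forward progress; whether the resulting request can then exceed the request-size limit should be checked against the callers. A comment on the expression would also help, since the unit changes are easy to misread: `/* Available is presumably bytes: convert to bits, round down to the scanline pad, drop the left padding, then convert bits to pixels */`.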
@@ -0,0 +1,41 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+ allowed by protocol
+
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/PutImage.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include "Xlibint.h"
+ #include "Xutil.h"
+ #include
++#include
+ #include "Cr.h"
+ #include "ImUtil.h"
+ #include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+ height = image->height - req_yoffset;
+ if ((width <= 0) || (height <= 0))
+ return 0;
++ if (width > USHRT_MAX)
++ width = USHRT_MAX;
++ if (height > USHRT_MAX)
++ height = USHRT_MAX;
+
+ if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+ dest_bits_per_pixel = 1;
+--
+2.39.3
+
only in patch2: unchanged:
--- libx11-1.7.2.orig/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
+++ libx11-1.7.2/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
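Review bot: The clamp to `USHRT_MAX` silently draws a truncated image rather than reporting the oversize request, which is the opposite policy from the companion XCreatePixmap patch in this same upload, where out-of-range dimensions are turned into a `BadValue`; whichever is intended, the clamp should say so in a comment, e.g. `/* PutImage carries width/height as CARD16: clip here so the values cannot wrap in the request; the part of the image beyond the limit is simply not drawn */`. The types of `width` and `height` are not visible (XPutImage() continues outside the hunk); if they are `int`, the comparison against `USHRT_MAX` is well-defined and the `<= 0` test just above already handles the negative side. The argument of the added `#include` is lost in this rendering, presumably the limits header that defines `USHRT_MAX`.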
@@ -0,0 +1,47 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+ out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/CrPixmap.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+ #include
+ #endif
+ #include "Xlibint.h"
++#include
+
+ #ifdef USE_DYNAMIC_XCURSOR
+ void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+ Pixmap pid;
+ register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+ LockDisplay(dpy);
+ GetReq(CreatePixmap, req);
+ req->drawable = d;
+--
+2.39.3
+
only in patch2: unchanged:
--- libx11-1.7.2.orig/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
+++ libx11-1.7.2/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
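Review bot: Only `width` and `height` are range-checked here, while the request's depth field is narrower than the function's `depth` parameter as well (a CARD8 on the wire, if I remember the protocol correctly), so a depth above that range would still be silently truncated in the assignments after `GetReq(CreatePixmap, req)`, which are outside the hunk. If that is the case, the same treatment would give callers the promised `BadValue` there too: `if (depth > UCHAR_MAX) depth = 0;`, presumably with the same protocol justification, which should be confirmed before adding it. The block comment on the new check is good; a closing sentence stating that the server rejects a zero dimension with `BadValue` would make the mechanism explicit rather than implied.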
@@ -0,0 +1,59 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+ leading to a heap overflow
+
+When the format is `Pixmap` it calculates the size of the image data as:
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/ImUtil.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include
+ #include
+ #include
++#include
+ #include "ImUtil.h"
+
+ static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+ /*
+ * compute per line accelerator.
+ */
+- {
+- if (format == ZPixmap)
++ if (format == ZPixmap) {
++ if ((INT_MAX / bits_per_pixel) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+ min_bytes_per_line =
+- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+- else
++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
++ } else {
++ if ((INT_MAX - offset) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+ min_bytes_per_line =
+- ROUNDUP((width + offset), image->bitmap_pad);
++ ROUNDUP((width + offset), image->bitmap_pad);
+ }
+ if (image_bytes_per_line == 0) {
+ image->bytes_per_line = min_bytes_per_line;
+--
+2.39.3
+
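Review bot: The new guard `if ((INT_MAX / bits_per_pixel) < width)` only proves that `bits_per_pixel * width` fits, but `ROUNDUP()` then adds `image->bitmap_pad - 1` to that product before dividing (assuming the usual `((n + pad - 1) / pad) * pad` definition, which is outside the hunk), so a width whose product lands within the last `bitmap_pad - 1` bits below `INT_MAX` still pushes the padded value past `INT_MAX` inside the macro, and the same gap exists in the XYPixmap branch behind `(INT_MAX - offset) < width`. Accounting for the padding in both checks closes it: `if (((INT_MAX - image->bitmap_pad + 1) / bits_per_pixel) < width)` and `if ((INT_MAX - image->bitmap_pad + 1 - offset) < width)`. Both checks also rely on `bits_per_pixel != 0` and `offset >= 0`; XCreateImage() begins outside the hunk, so where those are established (and the types of `width` and `min_bytes_per_line`) should be confirmed, and a comment at the first check, `/* guard the multiply and the ROUNDUP() padding below against overflow */`, would state the intent.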