diff options
| author | 0strodamus | 2017-08-13 18:42:27 -0700 |
|---|---|---|
| committer | 0strodamus | 2017-08-13 18:42:27 -0700 |
| commit | 2cf71a7d5f27bcf281c7ba6b32fc65df65e8aaab (patch) | |
| tree | 48d507e1cb3a739d6c7ef4e0eb11c23d59b29442 /CVE-2017-10972.patch | |
| parent | 7fbdb5df8d59eff6a95eabd5503a574079df854c (diff) | |
| download | aur-xorg-server-nosystemd.tar.gz | |
upgpkg: xorg-server-nosystemd-1.19.3-3
Diffstat (limited to 'CVE-2017-10972.patch')
| -rw-r--r-- | CVE-2017-10972.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/CVE-2017-10972.patch b/CVE-2017-10972.patch new file mode 100644 index 000000000000..f24e9c0ae688 --- /dev/null +++ b/CVE-2017-10972.patch @@ -0,0 +1,35 @@ +From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Wed, 24 May 2017 15:54:39 +0300 +Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. + +Make sure that the xEvent eventT is initialized with zeros, the same way as +in SProcSendEvent. + +Some event swapping functions do not overwrite all 32 bytes of xEvent +structure, for example XSecurityAuthorizationRevoked. Two cooperating +clients, one swapped and the other not, can send +XSecurityAuthorizationRevoked event to each other to retrieve old stack data +from X server. This can be potentialy misused to go around ASLR or +stack-protector. + +Signed-off-by: Michal Srb <msrb@suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 11d8202..1cf118a 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +-- +cgit v0.10.2 + |