diff options
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | CVE-2017-10971.patch | 153 | ||||
-rw-r--r-- | CVE-2017-10972.patch | 35 | ||||
-rw-r--r-- | PKGBUILD | 24 | ||||
-rw-r--r-- | bug99708.patch | 33 |
5 files changed, 252 insertions, 3 deletions
@@ -1,6 +1,6 @@ pkgbase = xorg-server-dev pkgver = 1.19.3 - pkgrel = 2 + pkgrel = 3 url = https://xorg.freedesktop.org arch = i686 arch = x86_64 @@ -60,6 +60,9 @@ pkgbase = xorg-server-dev source = nvidia-add-modulepath-support.patch source = xserver-autobind-hotplug.patch source = modesetting-Set-correct-DRM-event-context-version.patch + source = CVE-2017-10971.patch + source = CVE-2017-10972.patch + source = bug99708.patch source = xvfb-run source = xvfb-run.1 sha256sums = 677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98 @@ -67,6 +70,9 @@ pkgbase = xorg-server-dev sha256sums = 914a8d775b708f836ae3f0eeca553da3872727a2e4262190f4d5c01241cb14e8 sha256sums = fcaf536e4fc307958923b58f2baf3d3102ad694efc28506f6f95a9e64483fa57 sha256sums = 831a70809e6bec766138d7a1c96643732df9a2c0c5f77ee44b47ce4be882e0af + sha256sums = 3950d5d64822b4a34ca0358389216eed25e159751006d674e7cb491aa3b54d0b + sha256sums = 700af48c541f613b376eb7a7e567d13c0eba7a835d0aaa9d4b0431ebdd9f397c + sha256sums = 67013743ba8ff1663b233f50fae88989d36504de83fca5f93af5623f2bef6920 sha256sums = ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9 sha256sums = 2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776 @@ -166,7 +172,7 @@ pkgname = xorg-server-common-dev depends = xorg-xkbcomp depends = xorg-setxkbmap depends = xorg-fonts-misc - provides = xorg-server-common=1.19.3-2 + provides = xorg-server-common=1.19.3-3 conflicts = xorg-server-common pkgname = xorg-server-devel-dev diff --git a/CVE-2017-10971.patch b/CVE-2017-10971.patch new file mode 100644 index 000000000000..2696033e58c2 --- /dev/null +++ b/CVE-2017-10971.patch @@ -0,0 +1,153 @@ +From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Wed, 24 May 2017 15:54:40 +0300 +Subject: dix: Disallow GenericEvent in SendEvent request. + +The SendEvent request holds xEvent which is exactly 32 bytes long, no more, +no less. Both ProcSendEvent and SProcSendEvent verify that the received data +exactly match the request size. However nothing stops the client from passing +in event with xEvent::type = GenericEvent and any value of +xGenericEvent::length. + +In the case of ProcSendEvent, the event will be eventually passed to +WriteEventsToClient which will see that it is Generic event and copy the +arbitrary length from the receive buffer (and possibly past it) and send it to +the other client. This allows clients to copy unitialized heap memory out of X +server or to crash it. + +In case of SProcSendEvent, it will attempt to swap the incoming event by +calling a swapping function from the EventSwapVector array. The swapped event +is written to target buffer, which in this case is local xEvent variable. The +xEvent variable is 32 bytes long, but the swapping functions for GenericEvents +expect that the target buffer has size matching the size of the source +GenericEvent. This allows clients to cause stack buffer overflows. + +Signed-off-by: Michal Srb <msrb@suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +diff --git a/dix/events.c b/dix/events.c +index 3e3a01e..d3a33ea 100644 +--- a/dix/events.c ++++ b/dix/events.c +@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) + client->errorValue = stuff->event.u.u.type; + return BadValue; + } ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } + if (stuff->event.u.u.type == ClientMessage && + stuff->event.u.u.detail != 8 && + stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { +diff --git a/dix/swapreq.c b/dix/swapreq.c +index 719e9b8..6785059 100644 +--- a/dix/swapreq.c ++++ b/dix/swapreq.c +@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) + swapl(&stuff->destination); + swapl(&stuff->eventMask); + ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } ++ + /* Swap event */ + proc = EventSwapVector[stuff->event.u.u.type & 0177]; + if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ +-- +cgit v0.10.2 + +From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Wed, 24 May 2017 15:54:41 +0300 +Subject: Xi: Verify all events in ProcXSendExtensionEvent. + +The requirement is that events have type in range +EXTENSION_EVENT_BASE..lastEvent, but it was tested +only for first event of all. + +Signed-off-by: Michal Srb <msrb@suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 1cf118a..5e63bfc 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) + int + ProcXSendExtensionEvent(ClientPtr client) + { +- int ret; ++ int ret, i; + DeviceIntPtr dev; + xEvent *first; + XEventClass *list; +@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) + /* The client's event type must be one defined by an extension. */ + + first = ((xEvent *) &stuff[1]); +- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && +- (first->u.u.type < lastEvent))) { +- client->errorValue = first->u.u.type; +- return BadValue; ++ for (i = 0; i < stuff->num_events; i++) { ++ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && ++ (first[i].u.u.type < lastEvent))) { ++ client->errorValue = first[i].u.u.type; ++ return BadValue; ++ } + } + + list = (XEventClass *) (first + stuff->num_events); +-- +cgit v0.10.2 + +From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Wed, 24 May 2017 15:54:42 +0300 +Subject: Xi: Do not try to swap GenericEvent. + +The SProcXSendExtensionEvent must not attempt to swap GenericEvent because +it is assuming that the event has fixed size and gives the swapping function +xEvent-sized buffer. + +A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. + +Signed-off-by: Michal Srb <msrb@suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 5e63bfc..5c2e0fc 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) + + eventP = (xEvent *) &stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { ++ if (eventP->u.u.type == GenericEvent) { ++ client->errorValue = eventP->u.u.type; ++ return BadValue; ++ } ++ + proc = EventSwapVector[eventP->u.u.type & 0177]; +- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ ++ /* no swapping proc; invalid event type? */ ++ if (proc == NotImplemented) { ++ client->errorValue = eventP->u.u.type; + return BadValue; ++ } + (*proc) (eventP, &eventT); + *eventP = eventT; + } +-- +cgit v0.10.2 + diff --git a/CVE-2017-10972.patch b/CVE-2017-10972.patch new file mode 100644 index 000000000000..f24e9c0ae688 --- /dev/null +++ b/CVE-2017-10972.patch @@ -0,0 +1,35 @@ +From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Wed, 24 May 2017 15:54:39 +0300 +Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. + +Make sure that the xEvent eventT is initialized with zeros, the same way as +in SProcSendEvent. + +Some event swapping functions do not overwrite all 32 bytes of xEvent +structure, for example XSecurityAuthorizationRevoked. Two cooperating +clients, one swapped and the other not, can send +XSecurityAuthorizationRevoked event to each other to retrieve old stack data +from X server. This can be potentialy misused to go around ASLR or +stack-protector. + +Signed-off-by: Michal Srb <msrb@suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 11d8202..1cf118a 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +-- +cgit v0.10.2 + @@ -4,7 +4,7 @@ _pkgbase=xorg-server pkgname=('xorg-server-dev' 'xorg-server-xephyr-dev' 'xorg-server-xdmx-dev' 'xorg-server-xvfb-dev' 'xorg-server-xnest-dev' 'xorg-server-xwayland-dev' 'xorg-server-common-dev' 'xorg-server-devel-dev') pkgver=1.19.3 # https://lists.x.org/archives/xorg/2017-March/058662.html -pkgrel=2 # https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/xorg-server&id=013fa1ab41b5a4f8ba9bd1072810daacc17644a4 +pkgrel=3 # https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/xorg-server&id=c24304917e61de5de15695065f8a9be89d77818c arch=('i686' 'x86_64') license=('custom') groups=('xorg') @@ -20,6 +20,9 @@ source=(${url}/releases/individual/xserver/${_pkgbase}-${pkgver}.tar.bz2{,.sig} nvidia-add-modulepath-support.patch xserver-autobind-hotplug.patch modesetting-Set-correct-DRM-event-context-version.patch + CVE-2017-10971.patch + CVE-2017-10972.patch + bug99708.patch xvfb-run xvfb-run.1) validpgpkeys=('7B27A3F1A6E18CD9588B4AE8310180050905E40C' @@ -30,6 +33,9 @@ sha256sums=('677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98' '914a8d775b708f836ae3f0eeca553da3872727a2e4262190f4d5c01241cb14e8' 'fcaf536e4fc307958923b58f2baf3d3102ad694efc28506f6f95a9e64483fa57' '831a70809e6bec766138d7a1c96643732df9a2c0c5f77ee44b47ce4be882e0af' + '3950d5d64822b4a34ca0358389216eed25e159751006d674e7cb491aa3b54d0b' + '700af48c541f613b376eb7a7e567d13c0eba7a835d0aaa9d4b0431ebdd9f397c' + '67013743ba8ff1663b233f50fae88989d36504de83fca5f93af5623f2bef6920' 'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9' '2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776') @@ -45,11 +51,27 @@ prepare() { msg2 "merged in trunk" patch -Np1 -i ../modesetting-Set-correct-DRM-event-context-version.patch + msg2 "Security: CVE-2017-10971" + patch -Np1 -i ../CVE-2017-10971.patch + + msg2 "Security: CVE-2017-10972" + patch -Np1 -i ../CVE-2017-10972.patch + + msg2 "Fix Glamor lines: https://bugs.archlinux.org/task/53404" + patch -Np1 -i ../bug99708.patch + msg2 "Starting autoreconf..." autoreconf -vfi } build() { + # Since pacman 5.0.2-2, hardened flags are now enabled in makepkg.conf + # With them, modules fail to load with undefined symbol. + # See https://bugs.archlinux.org/task/55102 / https://bugs.archlinux.org/task/54845 + export CFLAGS=${CFLAGS/-fno-plt} + export CXXFLAGS=${CXXFLAGS/-fno-plt} + export LDFLAGS=${LDFLAGS/,-z,now} + cd "${_pkgbase}-${pkgver}" msg2 "Starting ./configure..." diff --git a/bug99708.patch b/bug99708.patch new file mode 100644 index 000000000000..f9ab520be58c --- /dev/null +++ b/bug99708.patch @@ -0,0 +1,33 @@ +From fe0b297420fc1de8a7fab28457d0864b3182e967 Mon Sep 17 00:00:00 2001 +From: Eric Anholt <eric@anholt.net> +Date: Wed, 15 Mar 2017 17:51:46 -0700 +Subject: glamor: Fix dashed line rendering. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We were binding the screen pixmap as the dash and sampling its alpha, +which is usually just 1.0 (no dashing at all). + +Please cherry-pick this to active stable branches. + +Signed-off-by: Eric Anholt <eric@anholt.net> +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Michel Dänzer <michel.daenzer@amd.com> + +diff --git a/glamor/glamor_dash.c b/glamor/glamor_dash.c +index 78a4fa3..b53ce5c 100644 +--- a/glamor/glamor_dash.c ++++ b/glamor/glamor_dash.c +@@ -147,7 +147,7 @@ glamor_dash_setup(DrawablePtr drawable, GCPtr gc) + goto bail; + + dash_pixmap = glamor_get_dash_pixmap(gc); +- dash_priv = glamor_get_pixmap_private(pixmap); ++ dash_priv = glamor_get_pixmap_private(dash_pixmap); + + if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(dash_priv)) + goto bail; +-- +cgit v0.10.2 + |