rpms / xorg-x11-server

Clone
Source Code
GIT

Blame 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch

ajax/upstream f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main olpc2 olpc3 private-1_2-branch private-unbreak-domain-branch rawhide
  1.   rawhide
  2.   0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
Blob History Raw
0ad871b 
From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
0ad871b 
From: Alan Coopersmith <alan.coopersmith@oracle.com>
0ad871b 
Date: Fri, 22 Mar 2024 18:51:45 -0700
0ad871b 
Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
0ad871b 
 to send reply
0ad871b
0ad871b 
CVE-2024-31080
0ad871b
0ad871b 
Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
0ad871b 
Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
0ad871b 
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
0ad871b 
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
0ad871b 
---
0ad871b 
 Xi/xiselectev.c | 5 ++++-
0ad871b 
 1 file changed, 4 insertions(+), 1 deletion(-)
0ad871b
0ad871b 
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
0ad871b 
index edcb8a0d3..ac1494987 100644
0ad871b 
--- a/Xi/xiselectev.c
0ad871b 
+++ b/Xi/xiselectev.c
0ad871b 
@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
0ad871b 
     InputClientsPtr others = NULL;
0ad871b 
     xXIEventMask *evmask = NULL;
0ad871b 
     DeviceIntPtr dev;
0ad871b 
+    uint32_t length;
0ad871b
0ad871b 
     REQUEST(xXIGetSelectedEventsReq);
0ad871b 
     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
0ad871b 
@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
0ad871b 
         }
0ad871b 
     }
0ad871b
0ad871b 
+    /* save the value before SRepXIGetSelectedEvents swaps it */
0ad871b 
+    length = reply.length;
0ad871b 
     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
0ad871b
0ad871b 
     if (reply.num_masks)
0ad871b 
-        WriteToClient(client, reply.length * 4, buffer);
0ad871b 
+        WriteToClient(client, length * 4, buffer);
0ad871b
0ad871b 
     free(buffer);
0ad871b 
     return Success;
0ad871b 
--
0ad871b 
2.44.0
0ad871b
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.