Blame SOURCES/0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch

From 94f6fe99d87cf6ba0adadd95c595158c345b7d29 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 14:53:07 +1000
Subject: [PATCH xserver 5/7] Xext: free the screen saver resource when
 replacing it

This fixes a use-after-free bug:

When a client first calls ScreenSaverSetAttributes(), a struct
ScreenSaverAttrRec is allocated and added to the client's
resources.

When the same client calls ScreenSaverSetAttributes() again, a new
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
old struct was freed but not removed from the client's resources.

Later, when the client is destroyed the resource system invokes
ScreenSaverFreeAttr and attempts to clean up the already freed struct.

Fix this by letting the resource system free the old attrs instead.

CVE-2022-46343, ZDI-CAN 19404

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
---
 Xext/saver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Xext/saver.c b/Xext/saver.c
index f813ba08d1..fd6153c313 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
         pVlist++;
     }
     if (pPriv->attr)
-        FreeScreenAttr(pPriv->attr);
+        FreeResource(pPriv->attr->resource, AttrType);
     pPriv->attr = pAttr;
     pAttr->resource = FakeClientID(client->index);
     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
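Review bot: at the new FreeResource(pPriv->attr->resource, AttrType) line, the resource system now runs the AttrType delete callback (ScreenSaverFreeAttr, per the commit message) synchronously, before the following pPriv->attr = pAttr assignment. Please confirm that the callback cannot release or reset pPriv itself while the old attr is being torn down, since pPriv is written to on the very next line; if it can, pPriv needs to be re-fetched or the teardown deferred until the new attr is installed. A short comment above the call saying that the old attr must go through FreeResource rather than FreeScreenAttr, because it is still registered in the client's resources, would also keep the direct free from being reintroduced.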
-- 
2.38.1