From 0edaf941c5104d6cea81060d42fdb161bb5999da Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 09 2023 06:12:13 +0000 Subject: import xorg-x11-server-Xwayland-21.1.3-10.el8 --- diff --git a/SOURCES/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch b/SOURCES/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch new file mode 100644 index 0000000..595f75e --- /dev/null +++ b/SOURCES/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch @@ -0,0 +1,36 @@ +From 8660dd164882ce5fc1f274427e2ff3dc020d6273 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 25 Jan 2023 11:41:40 +1000 +Subject: [PATCH xserver] Xi: fix potential use-after-free in + DeepCopyPointerClasses + +CVE-2023-0494, ZDI-CAN-19596 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +(cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec) +--- + Xi/exevents.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 217baa956..dcd4efb3b 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + memcpy(to->button->xkb_acts, from->button->xkb_acts, + sizeof(XkbAction)); + } +- else ++ else { + free(to->button->xkb_acts); ++ to->button->xkb_acts = NULL; ++ } + + memcpy(to->button->labels, from->button->labels, + from->button->numButtons * sizeof(Atom)); +-- +2.39.1 + diff --git a/SPECS/xorg-x11-server-Xwayland.spec b/SPECS/xorg-x11-server-Xwayland.spec index b2d87ad..0f1d4bb 100644 --- a/SPECS/xorg-x11-server-Xwayland.spec +++ b/SPECS/xorg-x11-server-Xwayland.spec @@ -9,7 +9,7 @@ Summary: Xwayland Name: xorg-x11-server-Xwayland Version: 21.1.3 -Release: 9%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} +Release: 10%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} URL: http://www.x.org %if 0%{?gitdate} @@ -55,6 +55,8 @@ Patch10023: 0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch Patch10024: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch # Follow-up to CVE-2022-46340 Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch +# CVE-2023-0494 +Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch License: MIT @@ -162,6 +164,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb %{_libdir}/pkgconfig/xwayland.pc %changelog +* Tue Feb 7 2023 Olivier Fourdan - 21.1.3-10 +- Fix CVE-2023-0494 (#2166972) + * Mon Dec 19 2022 Peter Hutterer - 21.1.3-9 - Follow-up fix for CVE-2022-46340 (#2151777)