From: Vijay Anusuri Date: Tue, 4 Mar 2025 12:19:10 +0000 (+0530) Subject: xwayland: Fix CVE-2024-9632 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2158a34839068b878344d214d3fc9feeb17e504a;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git xwayland: Fix CVE-2024-9632 Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch new file mode 100644 index 0000000000..54888f6347 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch @@ -0,0 +1,59 @@ +From ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +(cherry picked from commit 85b77657) + +Part-of: + +CVE: CVE-2024-9632 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0] + +Signed-off-by: Yogita Urade +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 276dc19..7da00a0 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 258a875697..23575b387e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -28,6 +28,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-31081.patch \ file://CVE-2024-31083-0001.patch \ file://CVE-2024-31083-0002.patch \ + file://CVE-2024-9632.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"