fix CVE-2021-3472

2021-06-03 16:17:06 +08:00 · 2021-06-03 16:17:06 +08:00 · 2087fe3477
commit 2087fe3477
parent 9e4652f421
2 changed files with 48 additions and 4 deletions
--- a/backport-CVE-2021-3472.patch
+++ b/backport-CVE-2021-3472.patch
@ -0,0 +1,36 @@
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9..7a597e4 100644
+--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+         break;
+     case StringFeedbackClass:
+     {
+-        xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
+        xStringFeedbackCtl *f;
+ 
+        REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
+                                    sizeof(xStringFeedbackCtl));
+        f = ((xStringFeedbackCtl *) &stuff[1]);
+         if (client->swapped) {
+             if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+                 return BadLength;
+-- 
+2.23.0
+
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -16,7 +16,7 @@

 Name:           xorg-x11-server
 Version:        1.20.8
-Release:        4
+Release:        5
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@ -85,6 +85,8 @@ Patch0033: CVE-2020-14345.patch
 Patch0034: backport-CVE-2020-25712.patch
 Patch0035: backport-CVE-2020-14360.patch
 Patch0036: backport-CVE-2020-14347.patch
+Patch0037: backport-CVE-2021-3472.patch
+

 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@ -194,9 +196,9 @@ test `getminor extension` == %{extension_minor}

 %build

-export LDFLAGS="$RPM_LD_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-ld"
-export CXXFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-cc1"
-export CFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/%{_vendor}/%{_vendor}-hardened-cc1"
+export LDFLAGS="$RPM_LD_FLAGS -specs=/usr/lib/rpm/generic-hardened-ld"
+export CXXFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/generic-hardened-cc1"
+export CFLAGS="$RPM_OPT_FLAGS -specs=/usr/lib/rpm/generic-hardened-cc1"

 %ifnarch %{ix86} x86_64
 %global no_int10 --disable-vbe --disable-int10-module
@ -327,6 +329,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_libdir}/xorg/protocol.txt

 %changelog
+* Thu Jun 03 2021 zhanzhimin<zhanzhimin@huawei.com> - 1.20.8-5
+- Type:CVE
+- Id:CVE-2021-3472
+- SUG:NA
+- DESC:fix CVE-2021-3472
+
 * Mon Feb 01 2020 yeah_wang<wangye70@huawei.com> - 1.20.8-4
 - Type:CVE
 - Id:CVE-2020-14347 CVE-2020-14360 CVE-2020-25712