fix CVE-2022-3551,CVE-2022-3553

2022-11-18 08:25:14 +00:00 · 2022-11-18 08:25:14 +00:00 · bf666a461d
commit bf666a461d
parent bd0af6883f
3 changed files with 114 additions and 1 deletions
--- a/backport-CVE-2022-3551.patch
+++ b/backport-CVE-2022-3551.patch
@ -0,0 +1,62 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Conflict:NA
+Reference:https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
+++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
+    {
+        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
+        if (keymap) {
+            free(keymap);
+            return BadMatch;
+        }
+    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
+    if (status == Success) {
+        len = str - ((unsigned char *) stuff);
+        if ((XkbPaddedSize(len) / 4) != stuff->length)
+            status = BadLength;
+    }
+
+    if (status != Success) {
+        free(names.keycodes);
+        free(names.types);
+        free(names.compat);
+        free(names.symbols);
+        free(names.geometry);
+         return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
+    }
+ 
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+-- 
+cgit v1.2.1
+
--- a/backport-CVE-2022-3553.patch
+++ b/backport-CVE-2022-3553.patch
@ -0,0 +1,46 @@
+From dfd057996b26420309c324ec844a5ba6dd07eda3 Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Sat, 2 Jul 2022 14:17:18 -0700
+Subject: xquartz: Fix a possible crash when editing the Application menu due
+ to mutaing immutable arrays
+
+Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
+
+Application Specific Backtrace 0:
+0   CoreFoundation                      0x00007ff80d2c5e9b __exceptionPreprocess + 242
+1   libobjc.A.dylib                     0x00007ff80d027e48 objc_exception_throw + 48
+2   CoreFoundation                      0x00007ff80d38167b _CFThrowFormattedException + 194
+3   CoreFoundation                      0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
+4   CoreFoundation                      0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
+5   X11.bin                             0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
+
+Fixes: https://github.com/XQuartz/XQuartz/issues/267
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+
+Conflict:NA
+Reference:https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3
+---
+ hw/xquartz/X11Controller.m | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
+index c75493c..fd3287e 100644
+--- a/hw/xquartz/X11Controller.m
+++ b/hw/xquartz/X11Controller.m
+@@ -474,8 +474,11 @@ extern char *bundle_id_prefix;
+         oldapps = table_apps;
+ 
+     table_apps = [[NSMutableArray alloc] initWithCapacity:1];
+-    if (apps != nil)
+-        [table_apps addObjectsFromArray:apps];
+    if (apps != nil) {
+	for (NSArray <NSString *> * row in apps) {
+	    [table_apps addObject:row.mutableCopy];
+        }
+    }
+ 
+     columns = [apps_table tableColumns];
+     [[columns objectAtIndex:0] setIdentifier:@"0"];
+-- 
+2.36.1
+
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -16,7 +16,7 @@

 Name:           xorg-x11-server
 Version:        1.20.8
-Release:        12
+Release:        13
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@ -93,6 +93,8 @@ Patch6003: backport-CVE-2021-4011.patch
 Patch6004: backport-0001-CVE-2022-2319.patch
 Patch6005: backport-0002-CVE-2022-2319.patch
 Patch6006: backport-CVE-2022-2320.patch
+Patch6007: backport-CVE-2022-3551.patch
+Patch6008: backport-CVE-2022-3553.patch

 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git gcc
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@ -335,6 +337,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_libdir}/xorg/protocol.txt

 %changelog
+* Fri Nov 18 2022 wangkerong <wangkerong@h-partners.com> - 1.20.8-13
+- fix CVE-2022-3551,CVE-2022-3553
+
 * Wed Aug 03 2022 wangkerong <wangkerong@h-partners.com> - 1.20.8-12
 - fix CVE-2022-2319,CVE-2022-2320