[PATCH] gnu: xorg-server: CVE-2021-3472.

  • Done
  • quality assurance status badge
Details
One participant
  • Leo Famulari
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Merged with

Debbugs page

L
L
Leo Famulari wrote on 24 Apr 2021 12:38
(address . guix-patches@gnu.org)
dacfdb6bb4549e538777842d345baa860de6d114.1619293138.git.leo@famulari.name
* gnu/packages/patches/xorg-server-CVE-2021-3472.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xorg.scm (xorg-server)[source]: Use it.
---
gnu/local.mk | 1 +
.../patches/xorg-server-CVE-2021-3472.patch | 44 +++++++++++++++++++
gnu/packages/xorg.scm | 5 ++-
3 files changed, 48 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/xorg-server-CVE-2021-3472.patch

Toggle diff (87 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 50b11a8ca2..3d076de924 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1815,6 +1815,7 @@ dist_patch_DATA = \
%D%/packages/patches/xfce4-panel-plugins.patch \
%D%/packages/patches/xfce4-settings-defaults.patch \
%D%/packages/patches/xmonad-dynamic-linking.patch \
+ %D%/packages/patches/xorg-server-CVE-2021-3472.patch \
%D%/packages/patches/xplanet-1.3.1-cxx11-eof.patch \
%D%/packages/patches/xplanet-1.3.1-libdisplay_DisplayOutput.cpp.patch \
%D%/packages/patches/xplanet-1.3.1-libimage_gif.c.patch \
diff --git a/gnu/packages/patches/xorg-server-CVE-2021-3472.patch b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
new file mode 100644
index 0000000000..523a5b1dbf
--- /dev/null
+++ b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
@@ -0,0 +1,44 @@
+Fix CVE-2021-3472:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3472
+https://seclists.org/oss-sec/2021/q2/20
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
+
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9ef..7a597e43d 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+ break;
+ case StringFeedbackClass:
+ {
+- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
++ xStringFeedbackCtl *f;
+
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++ sizeof(xStringFeedbackCtl));
++ f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
+--
+2.31.1
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97ff8ab92b..df0055c704 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5312,7 +5312,7 @@ over Xlib, including:
(base32
"16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
(patches
- (list
+ (cons
;; See:
;; https://lists.fedoraproject.org/archives/list/devel@lists.
;; fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
@@ -5324,7 +5324,8 @@ over Xlib, including:
(sha256
(base32
"0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
- (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))))))
+ (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))
+ (search-patches "xorg-server-CVE-2021-3472.patch")))))
(build-system gnu-build-system)
(propagated-inputs
`(("libpciaccess" ,libpciaccess)
--
2.31.1
L
L
Leo Famulari wrote on 24 Apr 2021 14:36
(address . 48001@debbugs.gnu.org)
YISPXgLbiVYNzzDN@jasmine.lan
The first revision of this patch does not take care to avoid changing
the derivation of xorg-server-for-tests, so it would cause way too many
packages to be rebuilt.

Here is a revised patch that ensures the derivation remains the same.

For example:

------
$ guix build -e '(@@ (gnu packages xorg) xorg-server-for-tests)' --no-grafts -d
/gnu/store/nhs1c9q04g6k4prxxv4kb9q5lg1p872q-xorg-server-1.20.10.drv
$ ./pre-inst-env guix build -e '(@@ (gnu packages xorg) xorg-server-for-tests)' --no-grafts -d
/gnu/store/nhs1c9q04g6k4prxxv4kb9q5lg1p872q-xorg-server-1.20.10.drv
------
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmCEj14ACgkQJkb6MLrK
fwgdUg//cdMjEAoBDKyDpXX31YsG5xYVw0L0Wy91LyiGDMeBVuueqvfig7qYrZEF
u3/BwjYSbGIxrAG2NhEvQacqj6LpttIkp205isxMaMLvz/Jm9l8TixN5iBuckPIz
xuAKR5tzjL2YhQLLMCGM7jUlg7ffhFoPoXQ3sQ64pGAzUfRZO8lA8mP21PBA69YZ
2zObd8+uOE2osyJ9lt5sVaM9LPvhWaPIx1WRwhwy3TwuxEm5Y/U9jbJqJZk/mrMC
VS7efAnm8lO6DLu6GYfstzQOgKalDwOrK6ks9Hlahp4RUhuu9vL1x3XEhQ9PDHJJ
iYE0fueKgbALp2m0gVnLlJ+AaozUFa4v0nMtXscLLxsSRIYby7uDxWvMUJeCObEF
yBeMU3X3GNRmYBmyxRBeeepAI7L39BxsX7k0wraExIFpag7Km27SdemJJP8A/d0y
jQgW0Ru0o1pZAkI8mDL93q423um/GVcEeqbHPRKddkGMYm/zYKhoQfyXNAC7MUr+
pUzWfA4NKQFDb6jZIqySYTQwLO2LP0tfYbEcllgi44VsE5qXUwMmsSuD5ItVv2iy
9pdOCzEDUU/qk7NHopPz0s7n5qT5y2qZORCPkRUqJDPnj7tv0aEZpxS7BdrxBMn8
UZW8edx7RZLuSydfsKRjGY6WXG/KsU6I2AZiprkBFfezDtQtyZ8=
=+JTq
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 26 Apr 2021 12:29
(no subject)
(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)
YIcUm//YHswe/bKP@jasmine.lan
reassign 48039 guix-patches
merge 48001 48039
?
Your comment

This issue is archived.

To comment on this conversation send an email to 48001@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 48001
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch