#48001 - [PATCH] gnu: xorg-server: CVE-2021-3472.

Package	Source(s)		Maintainer(s)
guix-patches		PTS Buildd Popcon

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 24 Apr 2021 19:39:21 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sat Apr 24 15:39:21 2021
Received: from localhost ([127.0.0.1]:41538 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1laO7V-0005s2-Sm
	for submit@debbugs.gnu.org; Sat, 24 Apr 2021 15:39:21 -0400
Received: from lists.gnu.org ([209.51.188.17]:59042)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1laO7R-0005rs-QU
 for submit@debbugs.gnu.org; Sat, 24 Apr 2021 15:39:12 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:59326)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@famulari.name>) id 1laO7R-0000OW-I5
 for guix-patches@gnu.org; Sat, 24 Apr 2021 15:39:09 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:59841)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@famulari.name>) id 1laO7P-00011d-A8
 for guix-patches@gnu.org; Sat, 24 Apr 2021 15:39:09 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 910EA5C007E;
 Sat, 24 Apr 2021 15:39:05 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Sat, 24 Apr 2021 15:39:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=from:to:subject:date:message-id:mime-version
 :content-transfer-encoding; s=mesmtp; bh=0hbgAzY7RA0V8kmojY1b7C6
 DX0MiHBuv4ptZdVEHQZk=; b=ke1VxbIansmz2Zrv80Cc71K7HMuQECPef6otb2p
 UyN+20ZUtVbEpAESahtekSmbYAqczgRvm2qwbsqHA+f/ZW2DIrly2elPlv/l/aYv
 n8mzZkZxfm4MBLgDV0xpfeR4wsa/DXqwNS0lKW5RGBoXo5truBB71q6TgmJS3H7S
 ZyP4=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-transfer-encoding:date:from
 :message-id:mime-version:subject:to:x-me-proxy:x-me-proxy
 :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=0hbgAzY7RA0V8kmoj
 Y1b7C6DX0MiHBuv4ptZdVEHQZk=; b=lJ0OHEzFNtrAiOV2/J8k43Kryzm7+tHEW
 W56GpztzN/9V/6bX420n3MK1BDVn9Br2/6jsHMwGBqMHgS78oYDhbP9K3JzRGAN0
 vK9W7lq9DTEk9QdNy0u6xhaI/vliU3+S0RC7w5KyPVcKCdS9zrJW6Xs6JEEhvFDW
 TBJbWLnQXOvnvcJKI20V4rxGd1sG5hveqTjnTeGA5AcAj+jhgeMHZ0lZHAB+iWZR
 Odx76Ab6pkA73e6+Au/DZJyzfiWOerM4wQ5cjqBMqOhoa5cajikKQUuVUPssgGiq
 mnGL/xRCM0mtUB79L1EGXgl86K9RfQ3E98l6Npg2MuM1ah8bBV+0Q==
X-ME-Sender: <xms:2XOEYHef3qSHHuD3v5zmqPJDXl1CposdJ3oCIpsrAEMHniFiNLnCLQ>
 <xme:2XOEYNPruLHhYU_ERKwFUByYD4ulo6U6SVsJjc_xnLNLKPWt9liU_aQWAKxyKifMB
 6ky64MgphbW7RGYnQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddugedgudegtdcutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkffoggfgsedtkeertd
 ertddtnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghr
 ihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpeekvdelffelteekledutdejueffgedvue
 ffjeeiveejudfhtedtgfelgeffgfduhfenucffohhmrghinhepmhhithhrvgdrohhrghdp
 shgvtghlihhsthhsrdhorhhgpdhfrhgvvgguvghskhhtohhprdhorhhgpdhfvgguohhrrg
 hprhhojhgvtghtrdhorhhgnecukfhppedutddtrdduuddrudeiledruddukeenucevlhhu
 shhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghosehfrghmuh
 hlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:2XOEYAhTgCct0ea0onlX1SigxDeF05yNqHHFjkiECD-D7bgtoi1vqA>
 <xmx:2XOEYI_2f9zjugGoO9BFXlSI03zgfBXmxn-ec4bCP99042QJ1WqrZQ>
 <xmx:2XOEYDs5GGRZKXIP4SIRqy5E8vZb136QPbvmWLIVVz2G5r8TJaienw>
 <xmx:2XOEYB7iQAca6yRXsAoHX_pbxi2PBFyfA2eGXv3auxP7wFyuGEhJpA>
Received: from jasmine.lan (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118])
 by mail.messagingengine.com (Postfix) with ESMTPA id 2965824005C
 for <guix-patches@gnu.org>; Sat, 24 Apr 2021 15:39:05 -0400 (EDT)
From: Leo Famulari <leo@famulari.name>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: xorg-server: CVE-2021-3472.
Date: Sat, 24 Apr 2021 15:38:58 -0400
Message-Id: <dacfdb6bb4549e538777842d345baa860de6d114.1619293138.git.leo@famulari.name>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=66.111.4.26; envelope-from=leo@famulari.name;
 helo=out2-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.1 (/)

* gnu/packages/patches/xorg-server-CVE-2021-3472.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xorg.scm (xorg-server)[source]: Use it.
---
 gnu/local.mk                                  |  1 +
 .../patches/xorg-server-CVE-2021-3472.patch   | 44 +++++++++++++++++++
 gnu/packages/xorg.scm                         |  5 ++-
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/xorg-server-CVE-2021-3472.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 50b11a8ca2..3d076de924 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1815,6 +1815,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/xfce4-panel-plugins.patch		\
   %D%/packages/patches/xfce4-settings-defaults.patch		\
   %D%/packages/patches/xmonad-dynamic-linking.patch		\
+  %D%/packages/patches/xorg-server-CVE-2021-3472.patch		\
   %D%/packages/patches/xplanet-1.3.1-cxx11-eof.patch		\
   %D%/packages/patches/xplanet-1.3.1-libdisplay_DisplayOutput.cpp.patch	\
   %D%/packages/patches/xplanet-1.3.1-libimage_gif.c.patch	\
diff --git a/gnu/packages/patches/xorg-server-CVE-2021-3472.patch b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
new file mode 100644
index 0000000000..523a5b1dbf
--- /dev/null
+++ b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
@@ -0,0 +1,44 @@
+Fix CVE-2021-3472:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3472
+https://seclists.org/oss-sec/2021/q2/20
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
+
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9ef..7a597e43d 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+         break;
+     case StringFeedbackClass:
+     {
+-        xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
++        xStringFeedbackCtl *f;
+ 
++        REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++                                    sizeof(xStringFeedbackCtl));
++        f = ((xStringFeedbackCtl *) &stuff[1]);
+         if (client->swapped) {
+             if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+                 return BadLength;
+-- 
+2.31.1
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97ff8ab92b..df0055c704 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5312,7 +5312,7 @@ over Xlib, including:
          (base32
           "16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
         (patches
-         (list
+         (cons
           ;; See:
           ;;   https://lists.fedoraproject.org/archives/list/devel@lists.
           ;;      fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
@@ -5324,7 +5324,8 @@ over Xlib, including:
             (sha256
              (base32
               "0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
-            (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))))))
+            (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))
+          (search-patches "xorg-server-CVE-2021-3472.patch")))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("libpciaccess" ,libpciaccess)
-- 
2.31.1

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:56:08 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

#48001 [PATCH] gnu: xorg-server: CVE-2021-3472.