author | Patrick J Volkerding <volkerdi@slackware.com> | 2022-07-13 19:56:59 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2022-07-14 09:00:16 +0200 |
commit | 8db980621c64bad4de1a42f9c5d110eef12758b8 (patch) | |
tree | 2e89d361204a545b9abcdb5a7035c8ca4a9cabde /source | |
parent | bee3d6c81b37e0eb578c0aaf4dca8202b62ab3c0 (diff) | |
download | current-8db980621c64bad4de1a42f9c5d110eef12758b8.tar.gz |
Wed Jul 13 19:56:59 UTC 202220220713195659
a/inih-56-x86_64-1.txz: Upgraded.
a/kernel-firmware-20220710_dfa2931-noarch-1.txz: Upgraded.
a/kernel-generic-5.18.11-x86_64-1.txz: Upgraded.
a/kernel-huge-5.18.11-x86_64-1.txz: Upgraded.
a/kernel-modules-5.18.11-x86_64-1.txz: Upgraded.
ap/mpg123-1.30.1-x86_64-1.txz: Upgraded.
d/git-2.37.1-x86_64-1.txz: Upgraded.
d/kernel-headers-5.18.11-x86-1.txz: Upgraded.
d/mercurial-6.2-x86_64-1.txz: Upgraded.
k/kernel-source-5.18.11-noarch-1.txz: Upgraded.
kde/bluedevil-5.25.3-x86_64-1.txz: Upgraded.
kde/breeze-5.25.3-x86_64-1.txz: Upgraded.
kde/breeze-grub-5.25.3-x86_64-1.txz: Upgraded.
kde/breeze-gtk-5.25.3-x86_64-1.txz: Upgraded.
kde/drkonqi-5.25.3-x86_64-1.txz: Upgraded.
kde/kactivitymanagerd-5.25.3-x86_64-1.txz: Upgraded.
kde/kde-cli-tools-5.25.3-x86_64-1.txz: Upgraded.
kde/kde-gtk-config-5.25.3-x86_64-1.txz: Upgraded.
kde/kdecoration-5.25.3-x86_64-1.txz: Upgraded.
kde/kdeplasma-addons-5.25.3-x86_64-1.txz: Upgraded.
kde/kgamma5-5.25.3-x86_64-1.txz: Upgraded.
kde/khotkeys-5.25.3-x86_64-1.txz: Upgraded.
kde/kinfocenter-5.25.3-x86_64-1.txz: Upgraded.
kde/kmenuedit-5.25.3-x86_64-1.txz: Upgraded.
kde/kscreen-5.25.3-x86_64-1.txz: Upgraded.
kde/kscreenlocker-5.25.3-x86_64-1.txz: Upgraded.
kde/ksshaskpass-5.25.3-x86_64-1.txz: Upgraded.
kde/ksystemstats-5.25.3-x86_64-1.txz: Upgraded.
kde/kwallet-pam-5.25.3-x86_64-1.txz: Upgraded.
kde/kwayland-integration-5.25.3-x86_64-1.txz: Upgraded.
kde/kwin-5.25.3-x86_64-1.txz: Upgraded.
kde/kwrited-5.25.3-x86_64-1.txz: Upgraded.
kde/layer-shell-qt-5.25.3-x86_64-1.txz: Upgraded.
kde/libkscreen-5.25.3-x86_64-1.txz: Upgraded.
kde/libksysguard-5.25.3-x86_64-1.txz: Upgraded.
kde/milou-5.25.3-x86_64-1.txz: Upgraded.
kde/oxygen-5.25.3-x86_64-1.txz: Upgraded.
kde/oxygen-sounds-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-browser-integration-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-desktop-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-disks-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-firewall-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-integration-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-nm-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-pa-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-sdk-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-systemmonitor-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-vault-5.25.3-x86_64-1.txz: Upgraded.
kde/plasma-workspace-5.25.3.1-x86_64-1.txz: Upgraded.
kde/plasma-workspace-wallpapers-5.25.3-x86_64-1.txz: Upgraded.
kde/polkit-kde-agent-1-5.25.3-x86_64-1.txz: Upgraded.
kde/powerdevil-5.25.3-x86_64-1.txz: Upgraded.
kde/qqc2-breeze-style-5.25.3-x86_64-1.txz: Upgraded.
kde/sddm-kcm-5.25.3-x86_64-1.txz: Upgraded.
kde/systemsettings-5.25.3-x86_64-1.txz: Upgraded.
kde/xdg-desktop-portal-kde-5.25.3-x86_64-1.txz: Upgraded.
l/SDL2_mixer-2.6.1-x86_64-1.txz: Upgraded.
l/gtk4-4.6.6-x86_64-2.txz: Rebuilt.
Drop embedded pango library and use "unshare -n" to prevent the issue from
happening again.
l/libuv-1.44.2-x86_64-1.txz: Upgraded.
l/pango-1.50.8-x86_64-1.txz: Upgraded.
l/pipewire-0.3.55-x86_64-1.txz: Upgraded.
x/font-util-1.3.3-x86_64-1.txz: Upgraded.
x/xorg-server-1.20.14-x86_64-4.txz: Rebuilt.
xkb: switch to array index loops to moving pointers.
xkb: add request length validation for XkbSetGeometry.
xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320
(* Security fix *)
x/xorg-server-xephyr-1.20.14-x86_64-4.txz: Rebuilt.
x/xorg-server-xnest-1.20.14-x86_64-4.txz: Rebuilt.
x/xorg-server-xvfb-1.20.14-x86_64-4.txz: Rebuilt.
xap/mozilla-thunderbird-102.0.2-x86_64-1.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.0.2/releasenotes/
xfce/xfce4-settings-4.16.3-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source')
16 files changed, 544 insertions, 12 deletions
diff --git a/source/k/kernel-configs/config-generic-5.18.10 b/source/k/kernel-configs/config-generic-5.18.11 index 8656add7..5c110dfb 100644 --- a/source/k/kernel-configs/config-generic-5.18.10 +++ b/source/k/kernel-configs/config-generic-5.18.11 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.18.10 Kernel Configuration +# Linux/x86 5.18.11 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y diff --git a/source/k/kernel-configs/config-generic-5.18.10.x64 b/source/k/kernel-configs/config-generic-5.18.11.x64 index 7ae88bdf..92a5ad46 100644 --- a/source/k/kernel-configs/config-generic-5.18.10.x64 +++ b/source/k/kernel-configs/config-generic-5.18.11.x64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.18.10 Kernel Configuration +# Linux/x86 5.18.11 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y diff --git a/source/k/kernel-configs/config-generic-smp-5.18.10-smp b/source/k/kernel-configs/config-generic-smp-5.18.11-smp index 80afd6f1..bda27ecf 100644 --- a/source/k/kernel-configs/config-generic-smp-5.18.10-smp +++ b/source/k/kernel-configs/config-generic-smp-5.18.11-smp @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.18.10 Kernel Configuration +# Linux/x86 5.18.11 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y diff --git a/source/k/kernel-configs/config-huge-5.18.10 b/source/k/kernel-configs/config-huge-5.18.11 index 5cd222b6..8fb27919 100644 --- a/source/k/kernel-configs/config-huge-5.18.10 +++ b/source/k/kernel-configs/config-huge-5.18.11 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.18.10 Kernel Configuration +# Linux/x86 5.18.11 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y 
diff --git a/source/k/kernel-configs/config-huge-5.18.10.x64 b/source/k/kernel-configs/config-huge-5.18.11.x64 index 7753feeb..569f7223 100644 --- a/source/k/kernel-configs/config-huge-5.18.10.x64 +++ b/source/k/kernel-configs/config-huge-5.18.11.x64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.18.10 Kernel Configuration +# Linux/x86 5.18.11 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y diff --git a/source/k/kernel-configs/config-huge-smp-5.18.10-smp b/source/k/kernel-configs/config-huge-smp-5.18.11-smp index f311f14e..2b845337 100644 --- a/source/k/kernel-configs/config-huge-smp-5.18.10-smp +++ b/source/k/kernel-configs/config-huge-smp-5.18.11-smp @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.18.10 Kernel Configuration +# Linux/x86 5.18.11 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y diff --git a/source/l/gtk4/gtk4.SlackBuild b/source/l/gtk4/gtk4.SlackBuild index 3706fe8e..7e065ab6 100755 --- a/source/l/gtk4/gtk4.SlackBuild +++ b/source/l/gtk4/gtk4.SlackBuild @@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=gtk4 VERSION=${VERSION:-$(echo gtk-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "} @@ -82,7 +82,7 @@ export CFLAGS="$SLKCFLAGS -DG_ENABLE_DEBUG" export CXXFLAGS="$SLKCFLAGS -DG_ENABLE_DEBUG" mkdir meson-build cd meson-build -meson setup \ +unshare -n meson setup \ --prefix=/usr \ --libdir=lib${LIBDIRSUFFIX} \ --libexecdir=/usr/libexec \ diff --git a/source/x/x11/build/font-util b/source/x/x11/build/font-util index 00750edc..d00491fd 100644 --- a/source/x/x11/build/font-util +++ b/source/x/x11/build/font-util @@ -1 +1 @@ -3 +1 diff --git a/source/x/x11/build/xorg-server b/source/x/x11/build/xorg-server index 00750edc..b8626c4c 100644 --- a/source/x/x11/build/xorg-server +++ b/source/x/x11/build/xorg-server @@ -1 +1 @@ -3 +4 
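Review bot: In the second gtk4.SlackBuild hunk, `unshare -n` is the only thing keeping `meson setup` from fetching fallback subprojects, so the protection depends on the build host being able to create a network namespace, and nothing in the script records why the wrapper is there. Passing `--wrap-mode=nodownload` in the `meson setup` argument list as well would make meson itself refuse to download wraps, independent of namespace support. A comment above the call would help the next maintainer, for example `# No network during configure: meson must not download and embed fallback subprojects such as pango.` The argument list continues past the end of the hunk and the compile step is not visible here, so whether later build steps also run without network access cannot be judged from this page.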
diff --git a/source/x/x11/patch/xorg-server.patch b/source/x/x11/patch/xorg-server.patch index e1e5d20f..a2df5194 100644 --- a/source/x/x11/patch/xorg-server.patch +++ b/source/x/x11/patch/xorg-server.patch @@ -28,3 +28,11 @@ zcat $CWD/patch/xorg-server/fix-pci-segfault.diff.gz | patch -p1 --verbose || { # Only use Intel DDX with pre-gen4 hardware. Newer hardware will the the modesetting driver by default: zcat $CWD/patch/xorg-server/06_use-intel-only-on-pre-gen4.diff.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } + +# Fix build with gcc12: +zcat $CWD/patch/xorg-server/0001-render-Fix-build-with-gcc-12.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } + +# Patch CVE-2022-2320 and CVE-2022-2319: +zcat $CWD/patch/xorg-server/0001-f1070c01d616c5f21f939d5ebc533738779451ac.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } +zcat $CWD/patch/xorg-server/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } +zcat $CWD/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } diff --git a/source/x/x11/patch/xorg-server/0001-f1070c01d616c5f21f939d5ebc533738779451ac.patch b/source/x/x11/patch/xorg-server/0001-f1070c01d616c5f21f939d5ebc533738779451ac.patch new file mode 100644 index 00000000..0efddcf5 --- /dev/null +++ b/source/x/x11/patch/xorg-server/0001-f1070c01d616c5f21f939d5ebc533738779451ac.patch 
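Review bot: Each added `zcat ... | patch -p1 --verbose || { touch ...failed ; continue ; }` line tests only the exit status of `patch`, the last command of the pipeline, so a missing or unreadable `.patch.gz` is caught only if `pipefail` is enabled somewhere outside this hunk. For the three CVE patches that could mean a package built without the fix and without a `.failed` marker, if `patch` accepts the empty input. Enabling `set -o pipefail` in the calling script, or testing the file first with `[ -r "$CWD/patch/xorg-server/<patch file>.gz" ]`, closes that gap; the pre-existing lines in this file follow the same pattern. The comment could also say which patch is which, as the patch headers do: `# 0001: refactor required by the fixes; 0002: CVE-2022-2320; 0003: CVE-2022-2319`.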
@@ -0,0 +1,75 @@
+From f1070c01d616c5f21f939d5ebc533738779451ac Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:40:47 +1000
+Subject: [PATCH] xkb: switch to array index loops to moving pointers
+
+Most similar loops here use a pointer that advances with each loop
+iteration, let's do the same here for consistency.
+
+No functional changes.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ xkb/xkb.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index a29262c24..64e52611e 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5368,16 +5368,16 @@ _CheckSetSections(XkbGeometryPtr geom,
+ row->left = rWire->left;
+ row->vertical = rWire->vertical;
+ kWire = (xkbKeyWireDesc *) &rWire[1];
+- for (k = 0; k < rWire->nKeys; k++) {
++ for (k = 0; k < rWire->nKeys; k++, kWire++) {
+ XkbKeyPtr key;
+
+ key = XkbAddGeomKey(row);
+ if (!key)
+ return BadAlloc;
+- memcpy(key->name.name, kWire[k].name, XkbKeyNameLength);
+- key->gap = kWire[k].gap;
+- key->shape_ndx = kWire[k].shapeNdx;
+- key->color_ndx = kWire[k].colorNdx;
++ memcpy(key->name.name, kWire->name, XkbKeyNameLength);
++ key->gap = kWire->gap;
++ key->shape_ndx = kWire->shapeNdx;
++ key->color_ndx = kWire->colorNdx;
+ if (key->shape_ndx >= geom->num_shapes) {
+ client->errorValue = _XkbErrCode3(0x10, key->shape_ndx,
+ geom->num_shapes);
+@@ -5389,7 +5389,7 @@ _CheckSetSections(XkbGeometryPtr geom,
+ return BadMatch;
+ }
+ }
+- rWire = (xkbRowWireDesc *) &kWire[rWire->nKeys];
++ rWire = (xkbRowWireDesc *)kWire;
+ }
+ wire = (char *) rWire;
+ if (sWire->nDoodads > 0) {
+@@ -5454,16 +5454,16 @@ _CheckSetShapes(XkbGeometryPtr geom,
+ return BadAlloc;
+ ol->corner_radius = olWire->cornerRadius;
+ ptWire = (xkbPointWireDesc *) &olWire[1];
+- for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++) {
+- pt->x = ptWire[p].x;
+- pt->y = ptWire[p].y;
++ for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) {
++ pt->x = ptWire->x;
++ pt->y = ptWire->y;
+ if (client->swapped) {
+ swaps(&pt->x);
+ swaps(&pt->y);
+ }
+ }
+ ol->num_points = olWire->nPoints;
+- olWire = (xkbOutlineWireDesc *) (&ptWire[olWire->nPoints]);
++ olWire = (xkbOutlineWireDesc *)ptWire;
+ }
+ if (shapeWire->primaryNdx != XkbNoShape)
+ shape->primary = &shape->outlines[shapeWire->primaryNdx];
+--
+GitLab
+
diff --git a/source/x/x11/patch/xorg-server/0001-render-Fix-build-with-gcc-12.patch b/source/x/x11/patch/xorg-server/0001-render-Fix-build-with-gcc-12.patch
new file mode 100644
index 00000000..22f2e5a7
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/0001-render-Fix-build-with-gcc-12.patch
@@ -0,0 +1,90 @@
+From 53173fdab492f0f638f6616fcf01af0b9ea6338d Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 20 Jan 2022 10:20:38 +0100
+Subject: [PATCH xserver] render: Fix build with gcc 12
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The xserver fails to compile with the latest gcc 12:
+
+ render/picture.c: In function ‘CreateSolidPicture’:
+ render/picture.c:874:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Werror=array-bounds]
+ 874 | pPicture->pSourcePict->type = SourcePictTypeSolidFill;
+ | ^~
+ render/picture.c:868:45: note: object of size 16 allocated by ‘malloc’
+ 868 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ render/picture.c: In function ‘CreateLinearGradientPicture’:
+ render/picture.c:906:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
+ 906 | pPicture->pSourcePict->linear.type = SourcePictTypeLinear;
+ | ^~
+ render/picture.c:899:45: note: object of size 32 allocated by ‘malloc’
+ 899 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ render/picture.c: In function ‘CreateConicalGradientPicture’:
+ render/picture.c:989:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
+ 989 | pPicture->pSourcePict->conical.type = SourcePictTypeConical;
+ | ^~
+ render/picture.c:982:45: note: object of size 32 allocated by ‘malloc’
+ 982 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ cc1: some warnings being treated as errors
+ ninja: build stopped: subcommand failed.
+
+This is because gcc 12 has become stricter and raises a warning now.
+
+Fix the warning/error by allocating enough memory to store the union
+struct.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Michel Dänzer <mdaenzer@redhat.com>
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1256
+(cherry picked from commit c6b0dcb82d4db07a2f32c09a8c09c85a5f57248e)
+---
+ render/picture.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/render/picture.c b/render/picture.c
+index afa0d258f..2be4b1954 100644
+--- a/render/picture.c
++++ b/render/picture.c
+@@ -865,7 +865,7 @@ CreateSolidPicture(Picture pid, xRenderColor * color, int *error)
+ }
+
+ pPicture->id = pid;
+- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill));
++ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict));
+ if (!pPicture->pSourcePict) {
+ *error = BadAlloc;
+ free(pPicture);
+@@ -896,7 +896,7 @@ CreateLinearGradientPicture(Picture pid, xPointFixed * p1, xPointFixed * p2,
+ }
+
+ pPicture->id = pid;
+- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient));
++ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict));
+ if (!pPicture->pSourcePict) {
+ *error = BadAlloc;
+ free(pPicture);
+@@ -936,7 +936,7 @@ CreateRadialGradientPicture(Picture pid, xPointFixed * inner,
+ }
+
+ pPicture->id = pid;
+- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictRadialGradient));
++ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict));
+ if (!pPicture->pSourcePict) {
+ *error = BadAlloc;
+ free(pPicture);
+@@ -979,7 +979,7 @@ CreateConicalGradientPicture(Picture pid, xPointFixed * center, xFixed angle,
+ }
+
+ pPicture->id = pid;
+- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient));
++ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict));
+ if (!pPicture->pSourcePict) {
+ *error = BadAlloc;
+ free(pPicture);
+--
+2.34.1
+
diff --git a/source/x/x11/patch/xorg-server/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch b/source/x/x11/patch/xorg-server/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch
new file mode 100644
index 00000000..72d30f36
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch
@@ -0,0 +1,178 @@
+From dd8caf39e9e15d8f302e54045dd08d8ebf1025dc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 09:50:41 +1000
+Subject: [PATCH] xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck
+
+XKB often uses a FooCheck and Foo function pair, the former is supposed
+to check all values in the request and error out on BadLength,
+BadValue, etc. The latter is then called once we're confident the values
+are good (they may still fail on an individual device, but that's a
+different topic).
+
+In the case of XkbSetDeviceInfo, those functions were incorrectly
+named, with XkbSetDeviceInfo ending up as the checker function and
+XkbSetDeviceInfoCheck as the setter function. As a result, the setter
+function was called before the checker function, accessing request
+data and modifying device state before we ensured that the data is
+valid.
+
+In particular, the setter function relied on values being already
+byte-swapped. This in turn could lead to potential OOB memory access.
+
+Fix this by correctly naming the functions and moving the length checks
+over to the checker function. These were added in 87c64fc5b0 to the
+wrong function, probably due to the incorrect naming.
+
+Fixes ZDI-CAN 16070, CVE-2022-2320.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 46 +++++++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 21 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 64e52611e..34b2c290b 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -6550,7 +6550,8 @@ ProcXkbGetDeviceInfo(ClientPtr client)
+ static char *
+ CheckSetDeviceIndicators(char *wire,
+ DeviceIntPtr dev,
+- int num, int *status_rtrn, ClientPtr client)
++ int num, int *status_rtrn, ClientPtr client,
++ xkbSetDeviceInfoReq * stuff)
+ {
+ xkbDeviceLedsWireDesc *ledWire;
+ int i;
+@@ -6558,6 +6559,11 @@ CheckSetDeviceIndicators(char *wire,
+
+ ledWire = (xkbDeviceLedsWireDesc *) wire;
+ for (i = 0; i < num; i++) {
++ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) ledWire;
++ }
++
+ if (client->swapped) {
+ swaps(&ledWire->ledClass);
+ swaps(&ledWire->ledID);
+@@ -6585,6 +6591,11 @@ CheckSetDeviceIndicators(char *wire,
+ atomWire = (CARD32 *) &ledWire[1];
+ if (nNames > 0) {
+ for (n = 0; n < nNames; n++) {
++ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) atomWire;
++ }
++
+ if (client->swapped) {
+ swapl(atomWire);
+ }
+@@ -6596,6 +6607,10 @@ CheckSetDeviceIndicators(char *wire,
+ mapWire = (xkbIndicatorMapWireDesc *) atomWire;
+ if (nMaps > 0) {
+ for (n = 0; n < nMaps; n++) {
++ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) mapWire;
++ }
+ if (client->swapped) {
+ swaps(&mapWire->virtualMods);
+ swapl(&mapWire->ctrls);
+@@ -6647,11 +6662,6 @@ SetDeviceIndicators(char *wire,
+ xkbIndicatorMapWireDesc *mapWire;
+ XkbSrvLedInfoPtr sli;
+
+- if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
+- *status_rtrn = BadLength;
+- return (char *) ledWire;
+- }
+-
+ namec = mapc = statec = 0;
+ sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
+ XkbXI_IndicatorMapsMask);
+@@ -6670,10 +6680,6 @@ SetDeviceIndicators(char *wire,
+ memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
+ for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+ if (ledWire->namesPresent & bit) {
+- if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
+- *status_rtrn = BadLength;
+- return (char *) atomWire;
+- }
+ sli->names[n] = (Atom) *atomWire;
+ if (sli->names[n] == None)
+ ledWire->namesPresent &= ~bit;
+@@ -6691,10 +6697,6 @@ SetDeviceIndicators(char *wire,
+ if (ledWire->mapsPresent) {
+ for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+ if (ledWire->mapsPresent & bit) {
+- if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
+- *status_rtrn = BadLength;
+- return (char *) mapWire;
+- }
+ sli->maps[n].flags = mapWire->flags;
+ sli->maps[n].which_groups = mapWire->whichGroups;
+ sli->maps[n].groups = mapWire->groups;
+@@ -6730,13 +6732,17 @@ SetDeviceIndicators(char *wire,
+ }
+
+ static int
+-_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
++_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
+ xkbSetDeviceInfoReq * stuff)
+ {
+ char *wire;
+
+ wire = (char *) &stuff[1];
+ if (stuff->change & XkbXI_ButtonActionsMask) {
++ int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
++ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
++ return BadLength;
++
+ if (!dev->button) {
+ client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass);
+ return XkbKeyboardErrorCode;
+@@ -6747,13 +6753,13 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+ dev->button->numButtons);
+ return BadMatch;
+ }
+- wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc));
++ wire += sz;
+ }
+ if (stuff->change & XkbXI_IndicatorsMask) {
+ int status = Success;
+
+ wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs,
+- &status, client);
++ &status, client, stuff);
+ if (status != Success)
+ return status;
+ }
+@@ -6764,8 +6770,8 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+ }
+
+ static int
+-_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
+- xkbSetDeviceInfoReq * stuff)
++_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
++ xkbSetDeviceInfoReq * stuff)
+ {
+ char *wire;
+ xkbExtensionDeviceNotify ed;
+@@ -6789,8 +6795,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
+ if (stuff->firstBtn + stuff->nBtns > nBtns)
+ return BadValue;
+ sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
+- if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
+- return BadLength;
+ memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
+ wire += sz;
+ ed.reason |= XkbXI_ButtonActionsMask;
+--
+GitLab
+
diff --git a/source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch b/source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch
new file mode 100644
index 00000000..11121070
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch
@@ -0,0 +1,181 @@
+From 6907b6ea2b4ce949cb07271f5b678d5966d9df42 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 11:11:06 +1000
+Subject: [PATCH] xkb: add request length validation for XkbSetGeometry
+
+No validation of the various fields on that report were done, so a
+malicious client could send a short request that claims it had N
+sections, or rows, or keys, and the server would process the request for
+N sections, running out of bounds of the actual request data.
+
+Fix this by adding size checks to ensure our data is valid.
+
+ZDI-CAN 16062, CVE-2022-2319.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 38 insertions(+), 5 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 34b2c290b..4692895db 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5156,7 +5156,7 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ }
+
+ static Status
+-_CheckSetDoodad(char **wire_inout,
++_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req,
+ XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
+ {
+ char *wire;
+@@ -5167,6 +5167,9 @@ _CheckSetDoodad(char **wire_inout,
+ Status status;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
++ if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1))
++ return BadLength;
++
+ any = dWire->any;
+ wire = (char *) &dWire[1];
+ if (client->swapped) {
+@@ -5269,7 +5272,7 @@ _CheckSetDoodad(char **wire_inout,
+ }
+
+ static Status
+-_CheckSetOverlay(char **wire_inout,
++_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
+ XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
+ {
+ register int r;
+@@ -5280,6 +5283,9 @@ _CheckSetOverlay(char **wire_inout,
+
+ wire = *wire_inout;
+ olWire = (xkbOverlayWireDesc *) wire;
++ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
++ return BadLength;
++
+ if (client->swapped) {
+ swapl(&olWire->name);
+ }
+@@ -5291,6 +5297,9 @@ _CheckSetOverlay(char **wire_inout,
+ xkbOverlayKeyWireDesc *kWire;
+ XkbOverlayRowPtr row;
+
++ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
++ return BadLength;
++
+ if (rWire->rowUnder > section->num_rows) {
+ client->errorValue = _XkbErrCode4(0x20, r, section->num_rows,
+ rWire->rowUnder);
+@@ -5299,6 +5308,9 @@ _CheckSetOverlay(char **wire_inout,
+ row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
+ kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
+ for (k = 0; k < rWire->nKeys; k++, kWire++) {
++ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
++ return BadLength;
++
+ if (XkbAddGeomOverlayKey(ol, row,
+ (char *) kWire->over,
+ (char *) kWire->under) == NULL) {
+@@ -5332,6 +5344,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+ register int r;
+ xkbRowWireDesc *rWire;
+
++ if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1))
++ return BadLength;
++
+ if (client->swapped) {
+ swapl(&sWire->name);
+ swaps(&sWire->top);
+@@ -5357,6 +5372,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+ XkbRowPtr row;
+ xkbKeyWireDesc *kWire;
+
++ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
++ return BadLength;
++
+ if (client->swapped) {
+ swaps(&rWire->top);
+ swaps(&rWire->left);
+@@ -5371,6 +5389,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+ for (k = 0; k < rWire->nKeys; k++, kWire++) {
+ XkbKeyPtr key;
+
++ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
++ return BadLength;
++
+ key = XkbAddGeomKey(row);
+ if (!key)
+ return BadAlloc;
+@@ -5396,7 +5417,7 @@ _CheckSetSections(XkbGeometryPtr geom,
+ register int d;
+
+ for (d = 0; d < sWire->nDoodads; d++) {
+- status = _CheckSetDoodad(&wire, geom, section, client);
++ status = _CheckSetDoodad(&wire, req, geom, section, client);
+ if (status != Success)
+ return status;
+ }
+@@ -5405,7 +5426,7 @@ _CheckSetSections(XkbGeometryPtr geom,
+ register int o;
+
+ for (o = 0; o < sWire->nOverlays; o++) {
+- status = _CheckSetOverlay(&wire, geom, section, client);
++ status = _CheckSetOverlay(&wire, req, geom, section, client);
+ if (status != Success)
+ return status;
+ }
+@@ -5439,6 +5460,9 @@ _CheckSetShapes(XkbGeometryPtr geom,
+ xkbOutlineWireDesc *olWire;
+ XkbOutlinePtr ol;
+
++ if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1))
++ return BadLength;
++
+ shape =
+ XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines);
+ if (!shape)
+@@ -5449,12 +5473,18 @@ _CheckSetShapes(XkbGeometryPtr geom,
+ XkbPointPtr pt;
+ xkbPointWireDesc *ptWire;
+
++ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
++ return BadLength;
++
+ ol = XkbAddGeomOutline(shape, olWire->nPoints);
+ if (!ol)
+ return BadAlloc;
+ ol->corner_radius = olWire->cornerRadius;
+ ptWire = (xkbPointWireDesc *) &olWire[1];
+ for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) {
++ if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 1))
++ return BadLength;
++
+ pt->x = ptWire->x;
+ pt->y = ptWire->y;
+ if (client->swapped) {
+@@ -5560,12 +5590,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ return status;
+
+ for (i = 0; i < req->nDoodads; i++) {
+- status = _CheckSetDoodad(&wire, geom, NULL, client);
++ status = _CheckSetDoodad(&wire, req, geom, NULL, client);
+ if (status != Success)
+ return status;
+ }
+
+ for (i = 0; i < req->nKeyAliases; i++) {
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength))
++ return BadLength;
++
+ if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
+ return BadAlloc;
+ wire += 2 * XkbKeyNameLength;
+--
+GitLab
+
diff --git a/source/x/x11/slack-desc/xorg-server b/source/x/x11/slack-desc/xorg-server
index 981a1a3d..cb6b3a18 100644
--- a/source/x/x11/slack-desc/xorg-server
+++ b/source/x/x11/slack-desc/xorg-server
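Review bot: In the `_CheckSetGeom` hunk of the 0003 patch, the new bounds check in the key-alias loop covers only `XkbKeyNameLength` bytes starting at `wire`, while the next statement passes `&wire[XkbKeyNameLength]` to `XkbAddGeomKeyAlias` and the loop then advances by `2 * XkbKeyNameLength`. As written, the second name of an alias entry can lie past the end of the request and still pass the check; covering the whole entry would be `if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength))`. How many bytes `XkbAddGeomKeyAlias` reads from each pointer is not visible here, so this is inferred from the pointer arithmetic alone. The patch is carried from upstream, so the question belongs there rather than in a local edit, and `_CheckSetGeom` starts and ends outside the hunk.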
@@ -12,7 +12,7 @@ xorg-server: Xorg is a full featured X server that was originally designed for U xorg-server: and UNIX-like operating systems running on Intel x86 hardware. It now xorg-server: runs on a wider range of hardware and OS platforms. This work was xorg-server: derived by the X.Org Foundation from the XFree86 Project's XFree86 -xorg-server: 4.4rc2 release. The XFree86 release was originally derived from X386 +xorg-server: 4.4rc2 release. The XFree86 release was originally derived from X386 xorg-server: 1.2 by Thomas Roell which was contributed to X11R5 by Snitily Graphics xorg-server: Consulting Service. xorg-server: diff --git a/source/xfce/xfce4-settings/xfce4-settings.url b/source/xfce/xfce4-settings/xfce4-settings.url index a26db2af..a9acf4e3 100644 --- a/source/xfce/xfce4-settings/xfce4-settings.url +++ b/source/xfce/xfce4-settings/xfce4-settings.url @@ -1 +1 @@ -http://archive.xfce.org/src/xfce/xfce4-settings/4.16/xfce4-settings-4.16.2.tar.bz2 +http://archive.xfce.org/src/xfce/xfce4-settings/4.16/xfce4-settings-4.16.3.tar.bz2 |