wok-current diff xorg-server/stuff/CVE-2024-31082.patch @ rev 25695
Up linux 5.10.214, Patch xorg-server (CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083)
| author | Stanislas Leduc <shann@slitaz.org> |
|---|---|
| date | Thu Apr 04 08:53:51 2024 +0000 (5 months ago) |
| parents | |
| children |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/xorg-server/stuff/CVE-2024-31082.patch Thu Apr 04 08:53:51 2024 +0000 1.3 @@ -0,0 +1,47 @@ 1.4 +From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001 1.5 +From: Alan Coopersmith <alan.coopersmith@oracle.com> 1.6 +Date: Fri, 22 Mar 2024 19:07:34 -0700 1.7 +Subject: [PATCH] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped 1.8 + length to send reply 1.9 + 1.10 +CVE-2024-31082 1.11 + 1.12 +Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies") 1.13 +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> 1.14 +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> 1.15 +--- 1.16 + hw/xquartz/xpr/appledri.c | 4 +++- 1.17 + 1 file changed, 3 insertions(+), 1 deletion(-) 1.18 + 1.19 +diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c 1.20 +index 77574655b2..40422b61a9 100644 1.21 +--- a/hw/xquartz/xpr/appledri.c 1.22 ++++ b/hw/xquartz/xpr/appledri.c 1.23 +@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client) 1.24 + xAppleDRICreatePixmapReply rep; 1.25 + int width, height, pitch, bpp; 1.26 + void *ptr; 1.27 ++ CARD32 stringLength; 1.28 + 1.29 + REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq); 1.30 + 1.31 +@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client) 1.32 + if (sizeof(rep) != sz_xAppleDRICreatePixmapReply) 1.33 + ErrorF("error sizeof(rep) is %zu\n", sizeof(rep)); 1.34 + 1.35 ++ stringLength = rep.stringLength; /* save unswapped value */ 1.36 + if (client->swapped) { 1.37 + swaps(&rep.sequenceNumber); 1.38 + swapl(&rep.length); 1.39 +@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client) 1.40 + } 1.41 + 1.42 + WriteToClient(client, sizeof(rep), &rep); 1.43 +- WriteToClient(client, rep.stringLength, path); 1.44 ++ WriteToClient(client, stringLength, path); 1.45 + 1.46 + return Success; 1.47 + } 1.48 +-- 1.49 +GitLab 1.50 +