* [bug#48001] [PATCH] gnu: xorg-server: CVE-2021-3472.
@ 2021-04-24 19:38 Leo Famulari
2021-04-24 21:36 ` Leo Famulari
0 siblings, 1 reply; 2+ messages in thread
From: Leo Famulari @ 2021-04-24 19:38 UTC (permalink / raw)
To: 48001
* gnu/packages/patches/xorg-server-CVE-2021-3472.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xorg.scm (xorg-server)[source]: Use it.
---
gnu/local.mk | 1 +
.../patches/xorg-server-CVE-2021-3472.patch | 44 +++++++++++++++++++
gnu/packages/xorg.scm | 5 ++-
3 files changed, 48 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/xorg-server-CVE-2021-3472.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 50b11a8ca2..3d076de924 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1815,6 +1815,7 @@ dist_patch_DATA = \
%D%/packages/patches/xfce4-panel-plugins.patch \
%D%/packages/patches/xfce4-settings-defaults.patch \
%D%/packages/patches/xmonad-dynamic-linking.patch \
+ %D%/packages/patches/xorg-server-CVE-2021-3472.patch \
%D%/packages/patches/xplanet-1.3.1-cxx11-eof.patch \
%D%/packages/patches/xplanet-1.3.1-libdisplay_DisplayOutput.cpp.patch \
%D%/packages/patches/xplanet-1.3.1-libimage_gif.c.patch \
diff --git a/gnu/packages/patches/xorg-server-CVE-2021-3472.patch b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
new file mode 100644
index 0000000000..523a5b1dbf
--- /dev/null
+++ b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
@@ -0,0 +1,44 @@
+Fix CVE-2021-3472:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3472
+https://seclists.org/oss-sec/2021/q2/20
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
+
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9ef..7a597e43d 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+ break;
+ case StringFeedbackClass:
+ {
+- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
++ xStringFeedbackCtl *f;
+
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++ sizeof(xStringFeedbackCtl));
++ f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
+--
+2.31.1
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97ff8ab92b..df0055c704 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5312,7 +5312,7 @@ over Xlib, including:
(base32
"16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
(patches
- (list
+ (cons
;; See:
;; https://lists.fedoraproject.org/archives/list/devel@lists.
;; fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
@@ -5324,7 +5324,8 @@ over Xlib, including:
(sha256
(base32
"0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
- (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))))))
+ (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))
+ (search-patches "xorg-server-CVE-2021-3472.patch")))))
(build-system gnu-build-system)
(propagated-inputs
`(("libpciaccess" ,libpciaccess)
--
2.31.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [bug#48001] [PATCH] gnu: xorg-server: CVE-2021-3472.
2021-04-24 19:38 [bug#48001] [PATCH] gnu: xorg-server: CVE-2021-3472 Leo Famulari
@ 2021-04-24 21:36 ` Leo Famulari
0 siblings, 0 replies; 2+ messages in thread
From: Leo Famulari @ 2021-04-24 21:36 UTC (permalink / raw)
To: 48001
[-- Attachment #1.1: Type: text/plain, Size: 609 bytes --]
The first revision of this patch does not take care to avoid changing
the derivation of xorg-server-for-tests, so it would cause way too many
packages to be rebuilt.
Here is a revised patch that ensures the derivation remains the same.
For example:
------
$ guix build -e '(@@ (gnu packages xorg) xorg-server-for-tests)' --no-grafts -d
/gnu/store/nhs1c9q04g6k4prxxv4kb9q5lg1p872q-xorg-server-1.20.10.drv
$ ./pre-inst-env guix build -e '(@@ (gnu packages xorg) xorg-server-for-tests)' --no-grafts -d
/gnu/store/nhs1c9q04g6k4prxxv4kb9q5lg1p872q-xorg-server-1.20.10.drv
------
[-- Attachment #1.2: 0001-gnu-xorg-server-CVE-2021-3472.patch --]
[-- Type: text/plain, Size: 5462 bytes --]
From cc4b92215511eb4cd0853438194004159964cbd4 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 24 Apr 2021 15:34:24 -0400
Subject: [PATCH] gnu: xorg-server: CVE-2021-3472.
* gnu/packages/patches/xorg-server-CVE-2021-3472.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xorg.scm (xorg-server)[source]: Use it.
[xorg-server-for-tests]: Do not use it, to avoid changing the derivation of this
package.
---
gnu/local.mk | 1 +
.../patches/xorg-server-CVE-2021-3472.patch | 44 +++++++++++++++++++
gnu/packages/xorg.scm | 31 +++++++++++--
3 files changed, 73 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/xorg-server-CVE-2021-3472.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 50b11a8ca2..3d076de924 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1815,6 +1815,7 @@ dist_patch_DATA = \
%D%/packages/patches/xfce4-panel-plugins.patch \
%D%/packages/patches/xfce4-settings-defaults.patch \
%D%/packages/patches/xmonad-dynamic-linking.patch \
+ %D%/packages/patches/xorg-server-CVE-2021-3472.patch \
%D%/packages/patches/xplanet-1.3.1-cxx11-eof.patch \
%D%/packages/patches/xplanet-1.3.1-libdisplay_DisplayOutput.cpp.patch \
%D%/packages/patches/xplanet-1.3.1-libimage_gif.c.patch \
diff --git a/gnu/packages/patches/xorg-server-CVE-2021-3472.patch b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
new file mode 100644
index 0000000000..523a5b1dbf
--- /dev/null
+++ b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
@@ -0,0 +1,44 @@
+Fix CVE-2021-3472:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3472
+https://seclists.org/oss-sec/2021/q2/20
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
+
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9ef..7a597e43d 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+ break;
+ case StringFeedbackClass:
+ {
+- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
++ xStringFeedbackCtl *f;
+
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++ sizeof(xStringFeedbackCtl));
++ f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
+--
+2.31.1
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97ff8ab92b..941958aa7a 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5312,7 +5312,7 @@ over Xlib, including:
(base32
"16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
(patches
- (list
+ (cons
;; See:
;; https://lists.fedoraproject.org/archives/list/devel@lists.
;; fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
@@ -5324,7 +5324,8 @@ over Xlib, including:
(sha256
(base32
"0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
- (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))))))
+ (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))
+ (search-patches "xorg-server-CVE-2021-3472.patch")))))
(build-system gnu-build-system)
(propagated-inputs
`(("libpciaccess" ,libpciaccess)
@@ -5432,7 +5433,31 @@ draggable titlebars and borders.")
(define-public xorg-server-for-tests
(hidden-package
(package
- (inherit xorg-server))))
+ (inherit xorg-server)
+ (version "1.20.10")
+ ;; Don't apply xorg-server-CVE-2021-3472.patch
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "mirror://xorg/individual/xserver/"
+ "xorg-server-" version ".tar.bz2"))
+ (sha256
+ (base32
+ "16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
+ (patches
+ (list
+ ;; See:
+ ;; https://lists.fedoraproject.org/archives/list/devel@lists.
+ ;; fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
+ (origin
+ (method url-fetch)
+ (uri (string-append
+ "http://pkgs.fedoraproject.org/cgit/rpms/xorg-x11-server.git"
+ "/plain/06_use-intel-only-on-pre-gen4.diff"))
+ (sha256
+ (base32
+ "0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
+ (file-name "xorg-server-use-intel-only-on-pre-gen4.diff")))))))))
(define-public xorg-server-xwayland
(package/inherit xorg-server
--
2.31.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-24 21:37 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-24 19:38 [bug#48001] [PATCH] gnu: xorg-server: CVE-2021-3472 Leo Famulari
2021-04-24 21:36 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).