new file mode 100644
@@ -0,0 +1,65 @@
+From a0952cc293c0fbda15e7519b1af9c1c2d3d9475f Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+From: Peter Hutterer <peter.hutterer@who-t.net>
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632)
+(cherry picked from commit 58e83c683950ac9e253ab05dd7a13a8368b70a3c)
+
+CVE: CVE-2023-6478
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ randr/rrproperty.c | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c..1fb89e67e 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9b..90c5a9a93 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
@@ -22,6 +22,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht
file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \
file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \
file://CVE-2023-6377.patch;patchdir=${XORG_S} \
+ file://CVE-2023-6478.patch;patchdir=${XORG_S} \
"
# Keep sync with xorg-server in oe-core
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478 Pick the backported version of the commit referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../tigervnc/files/CVE-2023-6478.patch | 65 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch