new file mode 100644
@@ -0,0 +1,65 @@
+From b4ef18cf118aa92266665009fa3edf9c03253d8a Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Wed, 6 Dec 2023 12:09:41 +0100
+Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
+
+From: Olivier Fourdan <ofourdan@redhat.com>
+
+The XSELINUX code will label resources at creation by checking the
+access mode. When the access mode is DixCreateAccess, it will call the
+function to label the new resource SELinuxLabelResource().
+
+However, GLX buffers do not go through the XACE hooks when created,
+hence leaving the resource actually unlabeled.
+
+When, later, the client tries to create another resource using that
+drawable (like a GC for example), the XSELINUX code would try to use
+the security ID of that object which has never been labeled, get a NULL
+pointer and crash when checking whether the requested permissions are
+granted for subject security ID.
+
+To avoid the issue, make sure to call the XACE hooks when creating the
+GLX buffers.
+
+Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
+
+CVE-2024-0408
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3)
+(cherry picked from commit 8d825f72da71d6c38cbb02cf2ee2dd9e0e0f50f2)
+
+CVE: CVE-2024-0408
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8d825f72da71d6c38cbb02cf2ee2dd9e0e0f50f2]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ glx/glxcmds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index c82ce2c78..f493252cb 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -48,6 +48,7 @@
+ #include "indirect_util.h"
+ #include "protocol-versions.h"
+ #include "glxvndabi.h"
++#include "xace.h"
+
+ static char GLXServerVendorName[] = "SGI";
+
+@@ -1379,6 +1380,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
+ if (!pPixmap)
+ return BadAlloc;
+
++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
++ pPixmap, RT_NONE, NULL, DixCreateAccess);
++ if (err != Success) {
++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
++ return err;
++ }
++
+ /* Assign the pixmap the same id as the pbuffer and add it as a
+ * resource so it and the DRI2 drawable will be reclaimed when the
+ * pbuffer is destroyed. */
@@ -23,6 +23,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht
file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \
file://CVE-2023-6377.patch;patchdir=${XORG_S} \
file://CVE-2023-6478.patch;patchdir=${XORG_S} \
+ file://CVE-2024-0408.patch;patchdir=${XORG_S} \
"
# Keep sync with xorg-server in oe-core
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-0408 Pick the patch that explicitly mentions this vulnerability ID in it's commit message. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../tigervnc/files/CVE-2024-0408.patch | 65 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0408.patch