diff mbox series

[meta-oe,scarthgap,RFC,06/14] tigervnc: patch CVE-2024-0409

Message ID 20260127130116.1902238-7-skandigraun@gmail.com
State New
Headers show
Series TigerVNC CVEs | expand

Commit Message

Gyorgy Sarvari Jan. 27, 2026, 1:01 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-0409

Pick the patch that explicitly refers to this CVE ID in its
commit message.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../tigervnc/files/CVE-2024-0409.patch        | 47 +++++++++++++++++++
 .../tigervnc/tigervnc_1.11.0.bb               |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch
new file mode 100644
index 0000000000..32aba8f80e
--- /dev/null
+++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch
@@ -0,0 +1,47 @@ 
+From 7018d3738102529f23904d62d7187430d2d2a281 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+
+From: Olivier Fourdan <ofourdan@redhat.com>
+
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+
+CVE-2024-0409
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7)
+(cherry picked from commit a4f0e9466f3bc7073a8f0c28a581211c2d7adf0e)
+
+CVE: CVE-2024-0409
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/a4f0e9466f3bc7073a8f0c28a581211c2d7adf0e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ hw/kdrive/ephyr/ephyrcursor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
+index f991899c5..3f192d034 100644
+--- a/hw/kdrive/ephyr/ephyrcursor.c
++++ b/hw/kdrive/ephyr/ephyrcursor.c
+@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
+ Bool
+ ephyrCursorInit(ScreenPtr screen)
+ {
+-    if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
++    if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
+                                sizeof(ephyrCursorRec)))
+         return FALSE;
+ 
diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
index 4613d34833..a007297012 100644
--- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
+++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
@@ -24,6 +24,7 @@  SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht
            file://CVE-2023-6377.patch;patchdir=${XORG_S} \
            file://CVE-2023-6478.patch;patchdir=${XORG_S} \
            file://CVE-2024-0408.patch;patchdir=${XORG_S} \
+           file://CVE-2024-0409.patch;patchdir=${XORG_S} \
 "
 
 # Keep sync with xorg-server in oe-core