From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 01/16] libxml2: mark patch as fixing CVE-2025-27113 Date: Wed, 5 Mar 2025 07:58:30 -0800 Message-ID: <204ff9dd9c62a8a346e89880b2e15a4c0e9ad6e0.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212323 From: Peter Marko This vulnerability has now a CVE assigned. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- ...lation-of-explicit-child-axis.patch => CVE-2025-27113.patch} | 1 + meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) rename meta/recipes-core/libxml/libxml2/{0001-pattern-Fix-compilation-of-explicit-child-axis.patch => CVE-2025-27113.patch} (98%) diff --git a/meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-27113.patch similarity index 98% rename from meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch rename to meta/recipes-core/libxml/libxml2/CVE-2025-27113.patch index 932c0ec422..92713375eb 100644 --- a/meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-27113.patch @@ -6,6 +6,7 @@ Subject: [PATCH] pattern: Fix compilation of explicit child axis The child axis is the default axis and should generate XML_OP_ELEM like the case without an axis. +CVE: CVE-2025-27113 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/503f788e84f1c1f1d769c2c7258d77faee94b5a3] Signed-off-by: Peter Marko --- 
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 8f1d882505..1cbd620b34 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb 
@@ -34,7 +34,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2024-25062.patch \ file://CVE-2024-34459.patch \ file://CVE-2022-49043.patch \ - file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \ + file://CVE-2025-27113.patch \ file://CVE-2024-56171.patch \ file://CVE-2025-24928.patch \ "
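Review bot: The commit message for 01/16 ("This vulnerability has now a CVE assigned.") does not say that the backport itself is unchanged. The rename is reported at similarity index 98% and the only hunk inside the patch file adds the `CVE: CVE-2025-27113` tag line above `Upstream-Status`, so a sentence stating that no code changes in this commit would let a reviewer skip re-reading the fix. The SRC_URI hunk keeps the renamed entry in its old position, ahead of `CVE-2024-56171.patch`, so the apply order is preserved.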
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/16] xwayland: Fix CVE-2024-21885 Date: Wed, 5 Mar 2025 07:58:31 -0800 Message-ID: <4b0f6aaa994eeab5d18211ace8034ec8b92b7419.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212324 From: Vijay Anusuri Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2024-21885.patch | 113 ++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 114 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-21885.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21885.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21885.patch new file mode 100644 index 0000000000..7c8fbcc3ec --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21885.patch 
@@ -0,0 +1,113 @@ +From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 4 Jan 2024 10:01:24 +1000 +Subject: [PATCH] Xi: flush hierarchy events after adding/removing master + devices + +The `XISendDeviceHierarchyEvent()` function allocates space to store up +to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. + +If a device with a given ID was removed and a new device with the same +ID added both in the same operation, the single device ID will lead to +two info structures being written to `info`. + +Since this case can occur for every device ID at once, a total of two +times `MAXDEVICES` info structures might be written to the allocation. + +To avoid it, once one add/remove master is processed, send out the +device hierarchy event for the current state and continue. That event +thus only ever has exactly one of either added/removed in it (and +optionally slave attached/detached). + +CVE-2024-21885, ZDI-CAN-22744 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1] +CVE: CVE-2024-21885 +Signed-off-by: Vijay Anusuri +--- + Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index d2d985848d..72d00451e3 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) + size_t len; /* length of data remaining in request */ + int rc = Success; + int flags[MAXDEVICES] = { 0 }; ++ enum { ++ NO_CHANGE, ++ FLUSH, ++ CHANGED, ++ } changes = NO_CHANGE; + + REQUEST(xXIChangeHierarchyReq); + REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); +@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = add_master(client, c, flags); + if (rc != Success) + goto 
unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIRemoveMaster: + { + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; +@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = remove_master(client, r, flags); + if (rc != Success) + goto unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIDetachSlave: + { + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; +@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = detach_slave(client, c, flags); + if (rc != Success) + goto unwind; +- } ++ changes = CHANGED; + break; ++ } + case XIAttachSlave: + { + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; +@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = attach_slave(client, c, flags); + if (rc != Success) + goto unwind; ++ changes = CHANGED; ++ break; + } ++ default: + break; + } + ++ if (changes == FLUSH) { ++ XISendDeviceHierarchyEvent(flags); ++ memset(flags, 0, sizeof(flags)); ++ changes = NO_CHANGE; ++ } ++ + len -= any->length * 4; + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); + } + + unwind: +- +- XISendDeviceHierarchyEvent(flags); ++ if (changes != NO_CHANGE) ++ XISendDeviceHierarchyEvent(flags); + return rc; + } +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index f639088b25..c7e5c7bd81 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -21,6 +21,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-0229-2.patch \ file://CVE-2024-0229-3.patch \ file://CVE-2024-0229-4.patch \ + file://CVE-2024-21885.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
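Review bot: At the `unwind:` label in the last hunk of Xi/xichangehierarchy.c (02/16), the event is now sent only when `changes != NO_CHANGE`, but every case assigns `changes` after its `if (rc != Success) goto unwind;` check, so a failing add_master(), remove_master(), detach_slave() or attach_slave() call reaches `unwind` without updating it. The removed code called `XISendDeviceHierarchyEvent(flags)` unconditionally; if any of those helpers can write to `flags` before returning an error, those bits are now dropped without an event. Please confirm the helpers leave `flags` untouched on failure, or state in the patch description that skipping the event on that path is intended.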
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/16] xwayland: Fix CVE-2024-21886 Date: Wed, 5 Mar 2025 07:58:32 -0800 Message-ID: <77487fb0756951e29628f41ff00db12a5f9d7c27.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212325 From: Vijay Anusuri The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b & https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2024-21886-1.patch | 74 +++++++++++++++++++ .../xwayland/xwayland/CVE-2024-21886-2.patch | 57 ++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 2 + 3 files changed, 133 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-1.patch new file mode 100644 index 0000000000..1e1c782963 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-1.patch 
@@ -0,0 +1,74 @@ +From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Fri, 22 Dec 2023 18:28:31 +0100 +Subject: [PATCH] Xi: do not keep linked list pointer during recursion + +The `DisableDevice()` function is called whenever an enabled device +is disabled and it moves the device from the `inputInfo.devices` linked +list to the `inputInfo.off_devices` linked list. + +However, its link/unlink operation has an issue during the recursive +call to `DisableDevice()` due to the `prev` pointer pointing to a +removed device. + +This issue leads to a length mismatch between the total number of +devices and the number of device in the list, leading to a heap +overflow and, possibly, to local privilege escalation. + +Simplify the code that checked whether the device passed to +`DisableDevice()` was in `inputInfo.devices` or not and find the +previous device after the recursion. + +CVE-2024-21886, ZDI-CAN-22840 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b] +CVE: CVE-2024-21886 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/dix/devices.c b/dix/devices.c +index dca98c8d1b..389d28a23c 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + { + DeviceIntPtr *prev, other; + BOOL enabled; ++ BOOL dev_in_devices_list = FALSE; + int flags[MAXDEVICES] = { 0 }; + + if (!dev->enabled) + return TRUE; + +- for (prev = &inputInfo.devices; +- *prev && (*prev != dev); prev = &(*prev)->next); +- if (*prev != dev) ++ for (other = inputInfo.devices; other; other = other->next) { ++ if (other == dev) { ++ dev_in_devices_list = TRUE; ++ break; ++ } ++ } ++ ++ if (!dev_in_devices_list) + return 
FALSE; + + TouchEndPhysicallyActiveTouches(dev); +@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + LeaveWindow(dev); + SetFocusOut(dev); + ++ for (prev = &inputInfo.devices; ++ *prev && (*prev != dev); prev = &(*prev)->next); ++ + *prev = dev->next; + dev->next = inputInfo.off_devices; + inputInfo.off_devices = dev; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-2.patch new file mode 100644 index 0000000000..af607df4f0 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-21886-2.patch 
@@ -0,0 +1,57 @@ +From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Fri, 5 Jan 2024 09:40:27 +1000 +Subject: [PATCH] dix: when disabling a master, float disabled slaved devices + too + +Disabling a master device floats all slave devices but we didn't do this +to already-disabled slave devices. As a result those devices kept their +reference to the master device resulting in access to already freed +memory if the master device was removed before the corresponding slave +device. + +And to match this behavior, also forcibly reset that pointer during +CloseDownDevices(). + +Related to CVE-2024-21886, ZDI-CAN-22840 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8] +CVE: CVE-2024-21886 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 389d28a23c..84a6406d13 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + flags[other->id] |= XISlaveDetached; + } + } ++ ++ for (other = inputInfo.off_devices; other; other = other->next) { ++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { ++ AttachDevice(NULL, other, NULL); ++ flags[other->id] |= XISlaveDetached; ++ } ++ } + } + else { + for (other = inputInfo.devices; other; other = other->next) { +@@ -1088,6 +1095,11 @@ CloseDownDevices(void) + dev->master = NULL; + } + ++ for (dev = inputInfo.off_devices; dev; dev = dev->next) { ++ if (!IsMaster(dev) && !IsFloating(dev)) ++ dev->master = NULL; ++ } ++ + CloseDeviceList(&inputInfo.devices); + CloseDeviceList(&inputInfo.off_devices); + +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index c7e5c7bd81..1d4e699d94 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -22,6 +22,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-0229-3.patch \ file://CVE-2024-0229-4.patch \ file://CVE-2024-21885.patch \ + file://CVE-2024-21886-1.patch \ + file://CVE-2024-21886-2.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
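Review bot: In the second hunk of CVE-2024-21886-1.patch (DisableDevice, at `@@ -511,6 +517,9 @@`), the re-added `for (prev = &inputInfo.devices; *prev && (*prev != dev); prev = &(*prev)->next);` is followed directly by `*prev = dev->next;` with no check that the search actually found `dev`. The membership test added in the first hunk runs before the recursion, so if `dev` is no longer in `inputInfo.devices` at this point the loop stops at the list's terminating NULL and the assignment splices `dev->next` onto the tail. A `*prev == dev` guard before the unlink, or a comment stating why `dev` is guaranteed to still be in the list here, would make the invariant explicit. The SRC_URI hunk lists -1 before -2, which matches the index lines in the two patches (`dca98c8d1b..389d28a23c`, then `389d28a23c..84a6406d13`).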
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/16] xwayland: Fix CVE-2024-31080 Date: Wed, 5 Mar 2025 07:58:33 -0800 Message-ID: <4e41b1c8cccd3b2f359ee949cad402b9418f5983.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212326 From: Vijay Anusuri Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2024-31080.patch | 49 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-31080.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31080.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31080.patch new file mode 100644 index 0000000000..40296903cd --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31080.patch 
@@ -0,0 +1,49 @@ +From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 22 Mar 2024 18:51:45 -0700 +Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to + send reply + +CVE-2024-31080 + +Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 +Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.") +Signed-off-by: Alan Coopersmith +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b] +CVE: CVE-2024-31080 +Signed-off-by: Vijay Anusuri +--- + Xi/xiselectev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c +index edcb8a0d36..ac14949871 100644 +--- a/Xi/xiselectev.c ++++ b/Xi/xiselectev.c +@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) + InputClientsPtr others = NULL; + xXIEventMask *evmask = NULL; + DeviceIntPtr dev; ++ uint32_t length; + + REQUEST(xXIGetSelectedEventsReq); + REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); +@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) + } + } + ++ /* save the value before SRepXIGetSelectedEvents swaps it */ ++ length = reply.length; + WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); + + if (reply.num_masks) +- WriteToClient(client, reply.length * 4, buffer); ++ WriteToClient(client, length * 4, buffer); + + free(buffer); + return Success; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 1d4e699d94..78e849b305 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -24,6 +24,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-21885.patch \ file://CVE-2024-21886-1.patch \ file://CVE-2024-21886-2.patch \ + file://CVE-2024-31080.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
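Review bot: In the second Xi/xiselectev.c hunk, the new comment says what is saved but not why it matters, and the commit message body is only the CVE id. One sentence would make the backport self-explanatory: for a byte-swapped client, WriteReplyToClient runs the swap routine on the reply, so the old `reply.length * 4` was computed from the swapped field and the byte count handed to WriteToClient no longer matched the size of `buffer`. Stating that in the comment also tells the next reader that no field of `reply` should be used as a number after the write.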
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/16] xwayland: Fix CVE-2024-31081 Date: Wed, 5 Mar 2025 07:58:34 -0800 Message-ID: <3575ad718c8ea7d808247842df19982f00725187.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212327 From: Vijay Anusuri Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2024-31081.patch | 47 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch new file mode 100644 index 0000000000..4380004700 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch 
@@ -0,0 +1,47 @@ +From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 22 Mar 2024 18:56:27 -0700 +Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to + send reply + +CVE-2024-31081 + +Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") +Signed-off-by: Alan Coopersmith +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee] +CVE: CVE-2024-31081 +Signed-off-by: Vijay Anusuri +--- + Xi/xipassivegrab.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c +index c9ac2f8553..896233bec2 100644 +--- a/Xi/xipassivegrab.c ++++ b/Xi/xipassivegrab.c +@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client) + GrabParameters param; + void *tmp; + int mask_len; ++ uint32_t length; + + REQUEST(xXIPassiveGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, +@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client) + } + } + ++ /* save the value before SRepXIPassiveGrabDevice swaps it */ ++ length = rep.length; + WriteReplyToClient(client, sizeof(rep), &rep); + if (rep.num_modifiers) +- WriteToClient(client, rep.length * 4, modifiers_failed); ++ WriteToClient(client, length * 4, modifiers_failed); + + out: + free(modifiers_failed); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 78e849b305..5fa2402234 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -25,6 +25,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-21886-1.patch \ file://CVE-2024-21886-2.patch \ file://CVE-2024-31080.patch \ + file://CVE-2024-31081.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
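Review bot: In the second Xi/xipassivegrab.c hunk, `if (rep.num_modifiers)` is still evaluated on `rep` after WriteReplyToClient, which is the same kind of post-write read this patch removes for `rep.length`. If SRepXIPassiveGrabDevice swaps `num_modifiers` in place as well, the test stays correct only because a zero check survives a byte swap. Either say so in the comment or test a copy saved alongside `length`, so that a later change which uses the count as a number does not reintroduce the problem.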
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/16] xwayland: Fix CVE-2024-31083 Date: Wed, 5 Mar 2025 07:58:35 -0800 Message-ID: <1c4b1e7877210243707a91d6a9d37ed4546bc8a7.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212328 From: Vijay Anusuri The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057ee & https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/CVE-2024-31083-0001.patch | 118 ++++++++++++++++++ .../xwayland/CVE-2024-31083-0002.patch | 77 ++++++++++++ .../xwayland/xwayland_22.1.8.bb | 2 + 3 files changed, 197 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0001.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0002.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0001.patch new file mode 100644 index 0000000000..754e03961a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0001.patch 
@@ -0,0 +1,118 @@ +From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 30 Jan 2024 13:13:35 +1000 +Subject: [PATCH] render: fix refcounting of glyphs during ProcRenderAddGlyphs + +Previously, AllocateGlyph would return a new glyph with refcount=0 and a +re-used glyph would end up not changing the refcount at all. The +resulting glyph_new array would thus have multiple entries pointing to +the same non-refcounted glyphs. + +AddGlyph may free a glyph, resulting in a UAF when the same glyph +pointer is then later used. + +Fix this by returning a refcount of 1 for a new glyph and always +incrementing the refcount for a re-used glyph, followed by dropping that +refcount back down again when we're done with it. + +CVE-2024-31083, ZDI-CAN-22880 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Part-of: + +CVE: CVE-2024-31083 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057ee] + +Signed-off-by: Archana Polampalli +Signed-off-by: Vijay Anusuri +--- + render/glyph.c | 5 +++-- + render/glyphstr.h | 2 ++ + render/render.c | 15 +++++++++++---- + 3 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index f3ed9cf..d5fc5f3 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph) + } + } + +-static void ++void + FreeGlyph(GlyphPtr glyph, int format) + { + CheckDuplicates(&globalGlyphs[format], "FreeGlyph"); ++ BUG_RETURN(glyph->refcnt == 0); + if (--glyph->refcnt == 0) { + GlyphRefPtr gr; + int i; +@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth) + glyph = (GlyphPtr) malloc(size); + if (!glyph) + return 0; +- glyph->refcnt = 0; ++ glyph->refcnt = 1; + glyph->size = size + sizeof(xGlyphInfo); + glyph->info = *gi; + dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH); +diff --git a/render/glyphstr.h 
b/render/glyphstr.h +index 2f51bd2..68f8c9e 100644 +--- a/render/glyphstr.h ++++ b/render/glyphstr.h +@@ -117,6 +117,8 @@ extern GlyphSetPtr AllocateGlyphSet(int fdepth, PictFormatPtr format); + extern int + FreeGlyphSet(void *value, XID gid); + ++void FreeGlyph(GlyphPtr glyph, int format); ++ + #define GLYPH_HAS_GLYPH_PICTURE_ACCESSOR 1 /* used for api compat */ + extern _X_EXPORT PicturePtr + GetGlyphPicture(GlyphPtr glyph, ScreenPtr pScreen); +diff --git a/render/render.c b/render/render.c +index 456f156..5bc2a20 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client) + + if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) { + glyph_new->found = TRUE; ++ ++glyph_new->glyph->refcnt; + } + else { + GlyphPtr glyph; +@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client) + err = BadAlloc; + goto bail; + } +- for (i = 0; i < nglyphs; i++) ++ for (i = 0; i < nglyphs; i++) { + AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id); ++ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth); ++ } + + if (glyphsBase != glyphsLocal) + free(glyphsBase); +@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client) + FreePicture((void *) pSrc, 0); + if (pSrcPix) + FreeScratchPixmapHeader(pSrcPix); +- for (i = 0; i < nglyphs; i++) +- if (glyphs[i].glyph && !glyphs[i].found) +- free(glyphs[i].glyph); ++ for (i = 0; i < nglyphs; i++) { ++ if (glyphs[i].glyph) { ++ --glyphs[i].glyph->refcnt; ++ if (!glyphs[i].found) ++ free(glyphs[i].glyph); ++ } ++ } + if (glyphsBase != glyphsLocal) + free(glyphsBase); + return err; +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0002.patch new file mode 100644 index 0000000000..c597e9b575 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31083-0002.patch 
@@ -0,0 +1,77 @@ +From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 5 Apr 2024 15:24:49 +0200 +Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs() + ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and + then frees it using FreeGlyph() to decrease the reference count, after + AddGlyph() has increased it. + +AddGlyph() however may chose to reuse an existing glyph if it's already +in the glyphSet, and free the glyph that was given, in which case the +caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an +already freed glyph, as reported by ASan: + + READ of size 4 thread T0 + #0 in FreeGlyph xserver/render/glyph.c:252 + #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 + #2 in Dispatch xserver/dix/dispatch.c:546 + #3 in dix_main xserver/dix/main.c:271 + #4 in main xserver/dix/stubmain.c:34 + #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #6 in __libc_start_main_impl ../csu/libc-start.c:360 + #7 (/usr/bin/Xwayland+0x44fe4) + Address is located 0 bytes inside of 64-byte region + freed by thread T0 here: + #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 + #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 + #2 in AddGlyph xserver/render/glyph.c:295 + #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 + #4 in Dispatch xserver/dix/dispatch.c:546 + #5 in dix_main xserver/dix/main.c:271 + #6 in main xserver/dix/stubmain.c:34 + #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + previously allocated by thread T0 here: + #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 in AllocateGlyph xserver/render/glyph.c:355 + #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 + #3 in Dispatch xserver/dix/dispatch.c:546 + #4 in dix_main xserver/dix/main.c:271 + #5 in main xserver/dix/stubmain.c:34 + #6 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58 + SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph + +To avoid that, make sure not to free the given glyph in AddGlyph(). + +v2: Simplify the test using the boolean returned from AddGlyph() (Michel) +v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) + +Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 +Signed-off-by: Olivier Fourdan +Part-of: + +CVE: CVE-2024-31083 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc] + +Signed-off-by: Archana Polampalli +Signed-off-by: Vijay Anusuri +--- + render/glyph.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index d5fc5f3..f5069d4 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) + gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, + TRUE, glyph->sha1); + if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { +- FreeGlyphPicture(glyph); +- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); + glyph = gr->glyph; + } + else if (gr->glyph != glyph) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 5fa2402234..258a875697 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -26,6 +26,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-21886-2.patch \ file://CVE-2024-31080.patch \ file://CVE-2024-31081.patch \ + file://CVE-2024-31083-0001.patch \ + file://CVE-2024-31083-0002.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
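Review bot: In the bail loop of the last render/render.c hunk, glyphs that were not found are released with a bare `free(glyphs[i].glyph)` right after a raw `--glyphs[i].glyph->refcnt`, so this path never goes through the `BUG_RETURN(glyph->refcnt == 0)` guard the same patch adds to FreeGlyph. Add a check or a comment stating why the count is known to have reached zero before the free. Separately, the `AddGlyph(...)` followed by `FreeGlyph(...)` loop introduced in CVE-2024-31083-0001.patch is the call sequence the ASan trace in CVE-2024-31083-0002.patch reports as a heap-use-after-free, so the two files are one fix. The SRC_URI hunk lists them together and in order, and the commit message should say that 0001 must not be carried without 0002. With the free removed from AddGlyph, the duplicate glyph is released only by the caller's FreeGlyph, so please confirm that no other AddGlyph caller relied on the callee freeing it.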
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/16] xwayland: Fix CVE-2024-9632 Date: Wed, 5 Mar 2025 07:58:36 -0800 Message-ID: <2158a34839068b878344d214d3fc9feeb17e504a.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212329 From: Vijay Anusuri Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2024-9632.patch | 59 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch new file mode 100644 index 0000000000..54888f6347 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch 
@@ -0,0 +1,59 @@ +From ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +(cherry picked from commit 85b77657) + +Part-of: + +CVE: CVE-2024-9632 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0] + +Signed-off-by: Yogita Urade +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 276dc19..7da00a0 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 258a875697..23575b387e 100644 
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -28,6 +28,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-31081.patch \ file://CVE-2024-31083-0001.patch \ file://CVE-2024-31083-0002.patch \ + file://CVE-2024-9632.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
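Review bot: In the xkb/xkb.c hunk, changing the guard from `compat->num_si` to `compat->size_si` means the block is skipped when `req->firstSI + req->nSI` exceeds `num_si` but still fits within `size_si`, so `num_si` is no longer raised here for that case. Please confirm that code after this hunk sets `num_si` for it, or handle it in an else branch. Also in this hunk, the `reallocarray` result is assigned straight to `compat->sym_interpret`, so on failure the old array is leaked while both counters are reset to 0; a temporary pointer would avoid that.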
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/16] xwayland: Fix CVE-2025-26594 Date: Wed, 5 Mar 2025 07:58:37 -0800 Message-ID: <2d8bf72c892a3a6422e2a294fb6528ff67971e6d.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212330 From: Vijay Anusuri The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26594-1.patch | 54 +++++++++++++++++++ .../xwayland/xwayland/CVE-2025-26594-2.patch | 51 ++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 2 + 3 files changed, 107 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch new file mode 100644 index 0000000000..f34a89e6ea --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch 
@@ -0,0 +1,54 @@ +From 01642f263f12becf803b19be4db95a4a83f94acc Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 11:27:05 +0100 +Subject: [PATCH] Cursor: Refuse to free the root cursor + +If a cursor reference count drops to 0, the cursor is freed. + +The root cursor however is referenced with a specific global variable, +and when the root cursor is freed, the global variable may still point +to freed memory. + +Make sure to prevent the rootCursor from being explicitly freed by a +client. + +CVE-2025-26594, ZDI-CAN-25544 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer +) +v3: Return BadCursor instead of BadValue (Michel Danzer +) + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Hutterer +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 4602961..30b95c1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3107,6 +3107,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } +-- +2.25.1 + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch new file mode 100644 index 0000000000..6ebf540ab9 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch 
@@ -0,0 +1,51 @@ +From b0a09ba6020147961acc62d9c73d807b4cccd9f7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 4 Dec 2024 15:49:43 +1000 +Subject: [PATCH] dix: keep a ref to the rootCursor + +CreateCursor returns a cursor with refcount 1 - that refcount is used by +the resource system, any caller needs to call RefCursor to get their own +reference. That happens correctly for normal cursors but for our +rootCursor we keep a variable to the cursor despite not having a ref for +ourselves. + +Fix this by reffing/unreffing the rootCursor to ensure our pointer is +valid. + +Related to CVE-2025-26594, ZDI-CAN-25544 + +Reviewed-by: Olivier Fourdan +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/main.c b/dix/main.c +index bfc8add..38e29ce 100644 +--- a/dix/main.c ++++ b/dix/main.c +@@ -231,6 +231,8 @@ dix_main(int argc, char *argv[], char *envp[]) + FatalError("could not open default cursor font"); + } + ++ rootCursor = RefCursor(rootCursor); ++ + #ifdef PANORAMIX + /* + * Consolidate window and colourmap information for each screen +@@ -271,6 +273,8 @@ dix_main(int argc, char *argv[], char *envp[]) + + Dispatch(); + ++ UnrefCursor(rootCursor); ++ + UndisplayDevices(); + DisableAllDevices(); + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 23575b387e..814fc1ce40 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -29,6 +29,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-31083-0001.patch \ file://CVE-2024-31083-0002.patch \ file://CVE-2024-9632.patch \ + file://CVE-2025-26594-1.patch \ + file://CVE-2025-26594-2.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
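Review bot: the new `pCursor == rootCursor` test in the ProcFreeCursor() hunk (dix/dispatch.c) only covers the explicit FreeCursor request. It does nothing for other paths that drop a cursor's last reference, so this hunk depends on the RefCursor() change in CVE-2025-26594-2.patch. The recipe hunk adds both files in order, which is right; please say in the recipe commit message that neither patch is sufficient alone, so a later cherry-pick does not take just one of them.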
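Review bot: in the second dix/main.c hunk, the added `UnrefCursor(rootCursor);` after Dispatch() leaves the global rootCursor holding its old value once the server's own reference is dropped. Nothing in the visible context clears or reassigns it before UndisplayDevices() and DisableAllDevices() run, so please confirm that no teardown path reads rootCursor after this point, or set it to NULL right after the unref.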
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 09/16] xwayland: Fix CVE-2025-26595
Date: Wed, 5 Mar 2025 07:58:38 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212331

From: Vijay Anusuri

Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
--- .../xwayland/xwayland/CVE-2025-26595.patch | 65 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch new file mode 100644 index 0000000000..a7478d9e2a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch 
@@ -0,0 +1,65 @@ +From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 14:41:45 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText() + +The code in XkbVModMaskText() allocates a fixed sized buffer on the +stack and copies the virtual mod name. + +There's actually two issues in the code that can lead to a buffer +overflow. + +First, the bound check mixes pointers and integers using misplaced +parenthesis, defeating the bound check. + +But even though, if the check fails, the data is still copied, so the +stack overflow will occur regardless. + +Change the logic to skip the copy entirely if the bound check fails. + +CVE-2025-26595, ZDI-CAN-25545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87] +CVE: CVE-2025-26595 +Signed-off-by: Vijay Anusuri +--- + xkb/xkbtext.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index 0184664207..93262528bb 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { +- if (str != buf) { +- if (format == XkbCFile) +- *str++ = '|'; +- else +- *str++ = '+'; +- len--; +- } ++ if ((str - buf) + len > VMOD_BUFFER_SIZE) ++ continue; /* Skip */ ++ if (str != buf) { ++ if (format == XkbCFile) ++ *str++ = '|'; ++ else ++ *str++ = '+'; ++ len--; + } + if (format == XkbCFile) + sprintf(str, "%sMask", tmp); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 814fc1ce40..452bae8c8d 100644 
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -31,6 +31,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-9632.patch \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ + file://CVE-2025-26595.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
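Review bot: in the XkbVModMaskText() hunk (xkb/xkbtext.c), the copy that follows the new bound check is still `sprintf(str, "%sMask", tmp);`, so the write stays safe only while `len` (strlen(tmp) + 1, plus 1 for the separator, plus 4 for XkbCFile) keeps matching what the sprintf calls actually emit. Consider snprintf() with the remaining space, VMOD_BUFFER_SIZE - (str - buf), so the bound is enforced at the write itself. Separately, `continue; /* Skip */` drops a modifier name from the returned text with no indication to the caller; a comment stating that truncated output is acceptable here would help the next reader.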
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 10/16] xwayland: Fix CVE-2025-26596
Date: Wed, 5 Mar 2025 07:58:39 -0800
Message-ID: <45738e56aaf5dac1a471cb37088d3cd24764156d.1741190221.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212332

From: Vijay Anusuri

Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
--- .../xwayland/xwayland/CVE-2025-26596.patch | 49 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch new file mode 100644 index 0000000000..f9df8d75ea --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch 
@@ -0,0 +1,49 @@ +From 80d69f01423fc065c950e1ff4e8ddf9f675df773 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 11:49:34 +0100 +Subject: [PATCH] xkb: Fix computation of XkbSizeKeySyms + +The computation of the length in XkbSizeKeySyms() differs from what is +actually written in XkbWriteKeySyms(), leading to a heap overflow. + +Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() +does. + +CVE-2025-26596, ZDI-CAN-25543 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01] +CVE: CVE-2025-26596 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 85659382da..744dba63d7 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) + len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); + symMap = &xkb->map->key_sym_map[rep->firstKeySym]; + for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { +- if (symMap->offset != 0) { +- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; +- nSyms += nSymsThisKey; +- } ++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; ++ if (nSymsThisKey == 0) ++ continue; ++ nSyms += nSymsThisKey; + } + len += nSyms * 4; + rep->totalSyms = nSyms; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 452bae8c8d..18fe2dbc98 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -32,6 +32,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ + file://CVE-2025-26596.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
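Review bot: the XkbSizeKeySyms() hunk (xkb/xkb.c) fixes the length by mirroring XkbWriteKeySyms(), but the writer is not part of this diff, so nothing here keeps the two loops from drifting apart again. Please add a comment at `nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;` naming XkbWriteKeySyms() as the function this computation must match, or factor the per-key count into a helper both use. Also, `if (nSymsThisKey == 0) continue;` does not change the sum as written, since adding zero is a no-op; a comment on why it is there would avoid someone removing it or reintroducing the `symMap->offset != 0` test.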
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 11/16] xwayland: Fix CVE-2025-26597
Date: Wed, 5 Mar 2025 07:58:40 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212333

From: Vijay Anusuri

Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
--- .../xwayland/xwayland/CVE-2025-26597.patch | 46 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch new file mode 100644 index 0000000000..b0735d0b46 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch 
@@ -0,0 +1,46 @@ +From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 14:09:04 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey() + +If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the +key syms to 0 but leave the key actions unchanged. + +If later, the same function is called with a non-zero value for nGroups, +this will cause a buffer overflow because the key actions are of the wrong +size. + +To avoid the issue, make sure to resize both the key syms and key actions +when nGroups is 0. + +CVE-2025-26597, ZDI-CAN-25683 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949] +CVE: CVE-2025-26597 +Signed-off-by: Vijay Anusuri +--- + xkb/XKBMisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c +index abbfed90eb..fd180fad2c 100644 +--- a/xkb/XKBMisc.c ++++ b/xkb/XKBMisc.c +@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb, + i = XkbSetNumGroups(i, 0); + xkb->map->key_sym_map[key].group_info = i; + XkbResizeKeySyms(xkb, key, 0); ++ XkbResizeKeyActions(xkb, key, 0); + return Success; + } + +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 18fe2dbc98..0303e39de4 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -33,6 +33,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ + file://CVE-2025-26597.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
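Review bot: in the nGroups == 0 branch of XkbChangeTypesOfKey() (xkb/XKBMisc.c), the results of `XkbResizeKeySyms(xkb, key, 0);` and the new `XkbResizeKeyActions(xkb, key, 0);` are both discarded and the function returns Success unconditionally. If either call can fail when shrinking to 0, the key syms and key actions can still end up out of step, which is the state the commit message describes as leading to the overflow. Please check the return values, or add a comment stating that a resize to 0 cannot fail. A regression test that calls the function with nGroups == 0 and then with a non-zero value would lock the fix in.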
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 12/16] xwayland: Fix CVE-2025-26598
Date: Wed, 5 Mar 2025 07:58:41 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212334

From: Vijay Anusuri

Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.

Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
--- .../xwayland/xwayland/CVE-2025-26598.patch | 120 ++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 121 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch new file mode 100644 index 0000000000..210a76262a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch 
@@ -0,0 +1,120 @@ +From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 11:25:11 +0100 +Subject: [PATCH] Xi: Fix barrier device search + +The function GetBarrierDevice() would search for the pointer device +based on its device id and return the matching value, or supposedly NULL +if no match was found. + +Unfortunately, as written, it would return the last element of the list +if no matching device id was found which can lead to out of bounds +memory access. + +Fix the search function to return NULL if not matching device is found, +and adjust the callers to handle the case where the device cannot be +found. + +CVE-2025-26598, ZDI-CAN-25740 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a] +CVE: CVE-2025-26598 +Signed-off-by: Vijay Anusuri +--- + Xi/xibarriers.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index 700b2b8c53..6761bcb49a 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c) + + static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) + { +- struct PointerBarrierDevice *pbd = NULL; ++ struct PointerBarrierDevice *p, *pbd = NULL; + +- xorg_list_for_each_entry(pbd, &c->per_device, entry) { +- if (pbd->deviceid == deviceid) ++ xorg_list_for_each_entry(p, &c->per_device, entry) { ++ if (p->deviceid == deviceid) { ++ pbd = p; + break; ++ } + } + +- BUG_WARN(!pbd); + return pbd; + } + +@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev, + double distance; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if 
(pbd->seen) + continue; + +@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + nearest = &c->barrier; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + new_sequence = !pbd->hit; + + pbd->seen = TRUE; +@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + int flags = 0; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + pbd->seen = FALSE; + if (!pbd->hit) + continue; +@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id) + continue; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (!pbd->hit) + continue; + +@@ -741,6 +754,8 @@ static void remove_master_func(void *res, XID id, void *devid) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, *deviceid); ++ if (!pbd) ++ return; + + if (pbd->hit) { + BarrierEvent ev = { +@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, dev->id); ++ if (!pbd) { ++ client->errorValue = dev->id; ++ return BadDevice; ++ } + + if (pbd->barrier_event_id == event_id) + pbd->release_event_id = event_id; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 0303e39de4..9138e1dd0e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -34,6 +34,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ + file://CVE-2025-26598.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 13/16] xwayland: Fix CVE-2025-26599 Date: Wed, 5 Mar 2025 07:58:42 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212335 From: Vijay Anusuri The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26599-1.patch | 66 +++++++++ .../xwayland/xwayland/CVE-2025-26599-2.patch | 129 ++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 2 + 3 files changed, 197 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch new file mode 100644 index 0000000000..60b68a0d9a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch 
@@ -0,0 +1,66 @@ +From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 17 Dec 2024 15:19:45 +0100 +Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow() + +The function compCheckRedirect() may fail if it cannot allocate the +backing pixmap. + +In that case, compRedirectWindow() will return a BadAlloc error. + +However that failure code path will shortcut the validation of the +window tree marked just before, which leaves the validate data partly +initialized. + +That causes a use of uninitialized pointer later. + +The fix is to not shortcut the call to compHandleMarkedWindows() even in +the case of compCheckRedirect() returning an error. + +CVE-2025-26599, ZDI-CAN-25851 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index eaabf0d..0bbbc55 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); + WindowPtr pLayerWin; + Bool anyMarked = FALSE; ++ int status = Success; + + if (pWin == cs->pOverlayWin) { + return Success; +@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + + if (!compCheckRedirect(pWin)) { + FreeResource(ccw->id, RT_NONE); +- return BadAlloc; ++ status = BadAlloc; + } + + if (anyMarked) + compHandleMarkedWindows(pWin, pLayerWin); + +- return Success; ++ return status; + } + + void +-- +2.25.1 + 
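Review bot: in the `@@ -218` hunk of compRedirectWindow(), replacing `return BadAlloc;` with `status = BadAlloc;` means compHandleMarkedWindows(pWin, pLayerWin) now runs after `FreeResource(ccw->id, RT_NONE)` on the failure path, and the reason for that is only in the commit message. Add a comment at `status = BadAlloc;` stating that the fall-through is deliberate so the marked window tree is still validated; without it a later cleanup is likely to restore the early return. It would also help to state that nothing compHandleMarkedWindows() touches depends on the resource that was just freed.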
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch new file mode 100644 index 0000000000..252b033261 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch 
@@ -0,0 +1,129 @@ +From b07192a8bedb90b039dc0f70ae69daf047ff9598 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 13 Jan 2025 16:09:43 +0100 +Subject: [PATCH] composite: initialize border clip even when pixmap alloc + fails + +If it fails to allocate the pixmap, the function compAllocPixmap() would +return early and leave the borderClip region uninitialized, which may +lead to the use of uninitialized value as reported by valgrind: + + Conditional jump or move depends on uninitialised value(s) + at 0x4F9B33: compClipNotify (compwindow.c:317) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + 
by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) + by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + +Fix compAllocPixmap() to initialize the border clip even if the creation +of the backing pixmap has failed, to avoid depending later on +uninitialized border clip values. 
+ +Related to CVE-2025-26599, ZDI-CAN-25851 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 7cf7351e00..4a1243170d 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin) + int h = pWin->drawable.height + (bw << 1); + PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); + CompWindowPtr cw = GetCompWindow(pWin); ++ Bool status; + +- if (!pPixmap) +- return FALSE; ++ if (!pPixmap) { ++ status = FALSE; ++ goto out; ++ } + if (cw->update == CompositeRedirectAutomatic) + pWin->redirectDraw = RedirectDrawAutomatic; + else +@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin) + DamageRegister(&pWin->drawable, cw->damage); + cw->damageRegistered = TRUE; + } ++ status = TRUE; + ++out: + /* Make sure our borderClip is up to date */ + RegionUninit(&cw->borderClip); + RegionCopy(&cw->borderClip, &pWin->borderClip); + cw->borderClipX = pWin->drawable.x; + cw->borderClipY = pWin->drawable.y; + +- return TRUE; ++ return status; + } + + void +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 9138e1dd0e..1e4a96f86f 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
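Review bot: in the `@@ -621` hunk of compAllocPixmap(), the new `out:` label makes the `!pPixmap` path run `RegionUninit(&cw->borderClip)` followed by `RegionCopy()`, which assumes `cw->borderClip` itself was initialized by the caller, while the valgrind trace in the commit message points at a heap allocation made in compRedirectWindow(). Please confirm that invariant and note it next to the label; the existing comment `/* Make sure our borderClip is up to date */` should also say that it now covers the allocation-failure path. Separately, this file keeps upstream's `index 7cf7351e00..4a1243170d` line and `GitLab` trailer while CVE-2025-26599-1.patch was regenerated (`2.25.1`), so check that it applies to 22.1.8 without fuzz.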
@@ -35,6 +35,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ file://CVE-2025-26598.patch \ + file://CVE-2025-26599-1.patch \ + file://CVE-2025-26599-2.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
From patchwork Wed Mar 5 15:58:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58361 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 14/16] xwayland: Fix CVE-2025-26600 Date: Wed, 5 Mar 2025 07:58:43 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212336 From: Vijay Anusuri Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26600.patch | 68 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch new file mode 100644 index 0000000000..43b47b3ca3 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch 
@@ -0,0 +1,68 @@ +From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 16:18:04 +0100 +Subject: [PATCH] dix: Dequeue pending events on frozen device on removal + +When a device is removed while still frozen, the events queued for that +device remain while the device itself is freed. + +As a result, replaying the events will cause a use after free. + +To avoid the issue, make sure to dequeue and free any pending events on +a frozen device when removed. + +CVE-2025-26600, ZDI-CAN-25871 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b] +CVE: CVE-2025-26600 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 1516147..459f1ed 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes) + + } + ++static void ++FreePendingFrozenDeviceEvents(DeviceIntPtr dev) ++{ ++ QdEventPtr qe, tmp; ++ ++ if (!dev->deviceGrab.sync.frozen) ++ return; ++ ++ /* Dequeue any frozen pending events */ ++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { ++ if (qe->device == dev) { ++ xorg_list_del(&qe->next); ++ free(qe); ++ } ++ } ++} ++ + /** + * Close down a device and free all resources. + * Once closed down, the driver will probably not expect you that you'll ever +@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev) + free(dev->last.touches[j].valuators); + free(dev->last.touches); + dev->config_info = NULL; ++ FreePendingFrozenDeviceEvents(dev); + dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); + free(dev); + } +-- +2.25.1 + 
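Review bot: in FreePendingFrozenDeviceEvents() (the `@@ -962` hunk), the early `if (!dev->deviceGrab.sync.frozen) return;` assumes that no entry in `syncEvents.pending` can still reference `dev` unless the device is frozen at removal time. Since CloseDevice() goes on to `free(dev)`, dropping the guard and always walking the list for `qe->device == dev` costs one traversal per device removal and removes that assumption; if the guard stays, add a comment explaining why it is sufficient. Please also confirm that `free(qe)` releases everything a queued event owns.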
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 1e4a96f86f..d90f9970b5 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -37,6 +37,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26598.patch \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ + file://CVE-2025-26600.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
From patchwork Wed Mar 5 15:58:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58362 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 15/16] xwayland: Fix CVE-2025-26601 Date: Wed, 5 Mar 2025 07:58:44 -0800 Message-ID: <58f5a6a28d353f14c672bb99820608ec82f05e6e.1741190221.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 15:59:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212337 From: Vijay Anusuri The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d & https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26601-1.patch | 71 ++++++++++ .../xwayland/xwayland/CVE-2025-26601-2.patch | 85 +++++++++++ .../xwayland/xwayland/CVE-2025-26601-3.patch | 52 +++++++ .../xwayland/xwayland/CVE-2025-26601-4.patch | 132 ++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 4 + 5 files changed, 344 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch new file mode 100644 index 0000000000..df5416a452 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch 
@@ -0,0 +1,71 @@ +From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:52:01 +0100 +Subject: [PATCH] sync: Do not let sync objects uninitialized + +When changing an alarm, the change mask values are evaluated one after +the other, changing the trigger values as requested and eventually, +SyncInitTrigger() is called. + +SyncInitTrigger() will evaluate the XSyncCACounter first and may free +the existing sync object. + +Other changes are then evaluated and may trigger an error and an early +return, not adding the new sync object. + +This can be used to cause a use after free when the alarm eventually +triggers. + +To avoid the issue, delete the existing sync object as late as possible +only once we are sure that no further error will cause an early exit. + +CVE-2025-26601, ZDI-CAN-25870 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index ee0010e657..585cfa6f68 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + client->errorValue = syncObject; + return rc; + } +- if (pSync != pTrigger->pSync) { /* new counter for trigger */ +- SyncDeleteTriggerFromSyncObject(pTrigger); +- pTrigger->pSync = pSync; +- newSyncObject = TRUE; +- } + } + + /* if system counter, ask it what the current value is */ +@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & XSyncCACounter) { ++ if (pSync != pTrigger->pSync) { /* new counter for trigger */ ++ 
SyncDeleteTriggerFromSyncObject(pTrigger); ++ pTrigger->pSync = pSync; ++ newSyncObject = TRUE; ++ } ++ } ++ + /* we wait until we're sure there are no errors before registering + * a new counter on a trigger + */ +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch new file mode 100644 index 0000000000..22e751c017 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch 
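Review bot: in the `@@ -432` hunk of SyncInitTrigger(), the relocated `if (changes & XSyncCACounter)` block carries no comment explaining why it sits this late; the comment that follows it (`we wait until we're sure there are no errors before registering a new counter on a trigger`) describes the registration step, not the deletion. Add a line above the block saying that SyncDeleteTriggerFromSyncObject() must only run once no later check can return an error, so the ordering is not undone by a future reshuffle of this function.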
@@ -0,0 +1,85 @@ +From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:54:30 +0100 +Subject: [PATCH] sync: Check values before applying changes + +In SyncInitTrigger(), we would set the CheckTrigger function before +validating the counter value. + +As a result, if the counter value overflowed, we would leave the +function SyncInitTrigger() with the CheckTrigger applied but without +updating the trigger object. + +To avoid that issue, move the portion of code checking for the trigger +check value before updating the CheckTrigger function. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 585cfa6f68..10302160fb 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & (XSyncCAValueType | XSyncCAValue)) { ++ if (pTrigger->value_type == XSyncAbsolute) ++ pTrigger->test_value = pTrigger->wait_value; ++ else { /* relative */ ++ Bool overflow; ++ ++ if (pCounter == NULL) ++ return BadMatch; ++ ++ overflow = checked_int64_add(&pTrigger->test_value, ++ pCounter->value, pTrigger->wait_value); ++ if (overflow) { ++ client->errorValue = pTrigger->wait_value >> 32; ++ return BadValue; ++ } ++ } ++ } ++ + if (changes & XSyncCATestType) { + + if (pSync && SYNC_FENCE == pSync->type) { +@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + +- if (changes & (XSyncCAValueType | XSyncCAValue)) { +- if (pTrigger->value_type == XSyncAbsolute) +- pTrigger->test_value = pTrigger->wait_value; +- 
else { /* relative */ +- Bool overflow; +- +- if (pCounter == NULL) +- return BadMatch; +- +- overflow = checked_int64_add(&pTrigger->test_value, +- pCounter->value, pTrigger->wait_value); +- if (overflow) { +- client->errorValue = pTrigger->wait_value >> 32; +- return BadValue; +- } +- } +- } +- + if (changes & XSyncCACounter) { + if (pSync != pTrigger->pSync) { /* new counter for trigger */ + SyncDeleteTriggerFromSyncObject(pTrigger); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch new file mode 100644 index 0000000000..8d714f0302 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch 
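Review bot: in the `@@ -381` hunk of SyncInitTrigger(), the moved value check still writes `pTrigger->test_value` in place (`pTrigger->test_value = pTrigger->wait_value;` in the absolute case, and through `checked_int64_add(&pTrigger->test_value, ...)` in the relative case) before the `XSyncCATestType` block runs. If that later block can return an error, the trigger keeps the new test value without the rest of the change, which is the same kind of half-applied state this patch is meant to remove. Computing the value into a local and assigning it once all checks have passed would close that.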
@@ -0,0 +1,52 @@ +From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:06:07 +0100 +Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject() + +We do not want to return a failure at the very last step in +SyncInitTrigger() after having all changes applied. + +SyncAddTriggerToSyncObject() must not fail on memory allocation, if the +allocation of the SyncTriggerList fails, trigger a FatalError() instead. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 10302160fb..65f2d43780 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) + return Success; + } + +- if (!(pCur = malloc(sizeof(SyncTriggerList)))) +- return BadAlloc; ++ /* Failure is not an option, it's succeed or burst! */ ++ pCur = XNFalloc(sizeof(SyncTriggerList)); + + pCur->pTrigger = pTrigger; + pCur->next = pTrigger->pSync->pTriglist; +@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + * a new counter on a trigger + */ + if (newSyncObject) { +- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) +- return rc; ++ SyncAddTriggerToSyncObject(pTrigger); + } + else if (pCounter && IsSystemCounter(pCounter)) { + SyncComputeBracketValues(pCounter); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch new file mode 100644 index 0000000000..e2261192fa --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch 
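Review bot: in the `@@ -201` hunk, SyncAddTriggerToSyncObject() switches to `XNFalloc()` and loses its `BadAlloc` path, yet it keeps a return value (`return Success;` is still in the context) and the `@@ -439` hunk now discards it. Either make the function return void or keep the check at the call site, so the signature does not advertise a failure mode that a future caller will test for. The comment `Failure is not an option, it's succeed or burst!` should also say why: per the commit message, the caller has already applied all changes at this point, so an allocation failure is turned into a FatalError() instead of an error return.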
@@ -0,0 +1,132 @@ +From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:10:31 +0100 +Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes() + +SyncChangeAlarmAttributes() would apply the various changes while +checking for errors. + +If one of the changes triggers an error, the changes for the trigger, +counter or delta value would remain, possibly leading to inconsistent +changes. + +Postpone the actual changes until we're sure nothing else can go wrong. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 65f2d43780..cab73be927 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + int status; + XSyncCounter counter; + Mask origmask = mask; ++ SyncTrigger trigger; ++ Bool select_events_changed = FALSE; ++ Bool select_events_value = FALSE; ++ int64_t delta; + +- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None; ++ trigger = pAlarm->trigger; ++ delta = pAlarm->delta; ++ counter = trigger.pSync ? 
trigger.pSync->id : None; + + while (mask) { + int index2 = lowbit(mask); +@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + case XSyncCAValueType: + mask &= ~XSyncCAValueType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.value_type = *values++; ++ trigger.value_type = *values++; + break; + + case XSyncCAValue: + mask &= ~XSyncCAValue; +- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; ++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + + case XSyncCATestType: + mask &= ~XSyncCATestType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.test_type = *values++; ++ trigger.test_type = *values++; + break; + + case XSyncCADelta: + mask &= ~XSyncCADelta; +- pAlarm->delta = ((int64_t)values[0] << 32) | values[1]; ++ delta = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + +@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + client->errorValue = *values; + return BadValue; + } +- status = SyncEventSelectForAlarm(pAlarm, client, +- (Bool) (*values++)); +- if (status != Success) +- return status; ++ select_events_value = (Bool) (*values++); ++ select_events_changed = TRUE; + break; + + default: +@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + } + } + ++ if (select_events_changed) { ++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value); ++ if (status != Success) ++ return status; ++ } ++ + /* "If the test-type is PositiveComparison or PositiveTransition + * and delta is less than zero, or if the test-type is + * NegativeComparison or NegativeTransition and delta is + * greater than zero, a Match error is generated." 
+ */ + if (origmask & (XSyncCADelta | XSyncCATestType)) { +- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) || +- (pAlarm->trigger.test_type == XSyncPositiveTransition)) +- && pAlarm->delta < 0) ++ if ((((trigger.test_type == XSyncPositiveComparison) || ++ (trigger.test_type == XSyncPositiveTransition)) ++ && delta < 0) + || +- (((pAlarm->trigger.test_type == XSyncNegativeComparison) || +- (pAlarm->trigger.test_type == XSyncNegativeTransition)) +- && pAlarm->delta > 0) ++ (((trigger.test_type == XSyncNegativeComparison) || ++ (trigger.test_type == XSyncNegativeTransition)) ++ && delta > 0) + ) { + return BadMatch; + } + } + + /* postpone this until now, when we're sure nothing else can go wrong */ ++ pAlarm->delta = delta; ++ pAlarm->trigger = trigger; + if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, + origmask & XSyncCAAllTrigger)) != Success) + return status; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index d90f9970b5..6affd80e22 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
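Review bot: In the last Xext/sync.c hunk the new `if (select_events_changed)` block calls SyncEventSelectForAlarm() before the delta/test-type check that can still return BadMatch, so a request rejected with BadMatch leaves the event selection changed, which is the partial-update case the commit message sets out to remove. Moving that block below the BadMatch check, directly ahead of the "postpone this until now" comment, would keep every side effect behind the last validation. The same hunk assigns `pAlarm->delta = delta;` and `pAlarm->trigger = trigger;` before SyncInitTrigger(), whose status is still checked afterwards. If it returns an error the new values stay in pAlarm, so either note in the comment why that is acceptable or restore the previous values on that path.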
@@ -38,6 +38,10 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ file://CVE-2025-26600.patch \ + file://CVE-2025-26601-1.patch \ + file://CVE-2025-26601-2.patch \ + file://CVE-2025-26601-3.patch \ + file://CVE-2025-26601-4.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
From patchwork Wed Mar 5 15:58:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58360 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 16/16] mesa: Fix missing GLES3 headers in SDK sysroot
Date: Wed, 5 Mar 2025 07:58:45 -0800
Message-ID: <0d9f2fcc2058407eb138297d9f8f12595851b963.1741190221.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212338

From: Johannes Kauffmann

Building weston with core-image-weston SDK fails:

```
../libweston/renderer-gl/gl-shader-config-color-transformation.c:29:10: fatal error: GLES3/gl3.h: No such file or directory
   29 | #include
      | ^~~~~~~~~~~~~
```

Both GLES2 and GLES3 implementations are contained in libGLESv2.so.2, which is packaged in libgles2-mesa. However, the headers are split between libgles2-mesa-dev and libgles3-mesa-dev, which is why the GLES3 headers end up missing in the SDK sysroot.

Add a dependency so the GLES3 headers are properly associated with the GLES3 implementation.

(From OE-Core rev: 7e1308ec413e69a8427ac5998431005d9e4b8033)

Signed-off-by: Tom Hochstein
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
Signed-off-by: Johannes Kauffmann
Signed-off-by: Steve Sakoman
--- meta/recipes-graphics/mesa/mesa.inc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc index afac8014fe..3c85a3ac55 100644 --- a/meta/recipes-graphics/mesa/mesa.inc +++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -191,6 +191,11 @@ RDEPENDS:${PN}-dev = "" # development package of libgles3. RDEPENDS:libgles3-mesa-dev += "libgles2-mesa-dev" +# GLES2 and GLES3 implementations are packaged in a single library in libgles2-mesa. +# Add a dependency so the GLES3 dev package is associated with its implementation. +RDEPENDS:libgles2-mesa += "libgles3-mesa" +ALLOW_EMPTY:libgles3-mesa = "1" + RDEPENDS:libopencl-mesa += "${@bb.utils.contains('PACKAGECONFIG', 'opencl', 'libclc spirv-tools', '', d)}" PACKAGES =+ "libegl-mesa libegl-mesa-dev \
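Review bot: The added comment in mesa.inc says the dependency associates "the GLES3 dev package" with its implementation, but the line it documents is `RDEPENDS:libgles2-mesa += "libgles3-mesa"`, a runtime dependency of the library package on a package that `ALLOW_EMPTY:libgles3-mesa = "1"` permits to be empty; nothing in the comment connects that to libgles3-mesa-dev. Please extend the comment to say that libgles3-mesa is expected to be empty and how installing it brings the GLES3 headers into the SDK sysroot, so the ALLOW_EMPTY line is not later removed as dead configuration. It is also worth noting there that every image installing libgles2-mesa now pulls in the extra package.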