diff --git a/tigervnc.spec b/tigervnc.spec
index 84368c64e1c8d212287a3d9b0741b663d6dfd5e0..c06e9b942480a998ffbe229a3aea4422d0a92265 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -5,7 +5,7 @@
 Name: tigervnc
 Version: 1.12.0
-Release: 17%{?dist}
+Release: 18%{?dist}
 Summary: A TigerVNC remote display system
 %global _hardened_build 1
@@ -47,6 +47,8 @@ Patch110: xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch
 Patch111: xorg-x11-server-CVE-2023-5367.patch
 # https://github.com/arter97/xorg-server/commit/a7bda3080d2b44eae668cdcec7a93095385b9652
 Patch112: xorg-CVE-2023-6377.patch
+# https://github.com/arter97/xorg-server/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c
+Patch113: xorg-CVE-2023-6478.patch
 BuildRequires: gcc-c++
 BuildRequires: libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint
@@ -172,6 +174,7 @@ done
 %patch110 -p1 -b .composite-Fix-use-after-free-of-the-COW
 %patch111 -p1 -b .CVE-2023-5367
 %patch112 -p1 -b .CVE-2023-6377
+%patch113 -p1 -b .CVE-2023-6478
 popd
 %patch1 -p1 -b .use-gnome-as-default-session
@@ -339,6 +342,9 @@ fi
 %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 %changelog
+* Thu Feb 29 2024 Kaiqiang Wang - 1.12.0-18
+- Fix CVE-2023-6478 randr: avoid integer truncation in length check of ProcRRChange*Property
+
 * Thu Feb 29 2024 Kaiqiang Wang - 1.12.0-17
 - Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
diff --git a/xorg-CVE-2023-6478.patch b/xorg-CVE-2023-6478.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d6bf8e13a9b9ff6aad66c5d8f8750a3ddf2049a9
--- /dev/null
+++ b/xorg-CVE-2023-6478.patch
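Review bot: The provenance comment added above `Patch113:` names commit 58e83c683950ac9e253ab05dd7a13a8368b70a3c, while the `From` header of the added xorg-CVE-2023-6478.patch names 3e0222fcae552685d423914a683c1709dc5f6d6b, so the two identifiers disagree and a later audit cannot tell from the spec alone which tree the patch was exported from. If the file was rebased or re-exported from the referenced commit, say so in the comment, e.g. `# backport of https://github.com/arter97/xorg-server/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c (fix for CVE-2023-6478)`, or regenerate the patch so its `From` line matches the URL. The patch's own commit message still carries the `CVE-2023-XXXXX` placeholder, so this comment and the changelog entry are the only places that bind the file to CVE-2023-6478, which makes an accurate reference worth keeping.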
@@ -0,0 +1,59 @@
+From 3e0222fcae552685d423914a683c1709dc5f6d6b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH xserver] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-XXXXX, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ randr/rrproperty.c | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+--
+2.43.0
+