fix CVE-2022-3554,CVE-2022-3555

2022-10-24 19:19:42 +08:00 · 2022-10-24 19:19:42 +08:00 · 67e0a4cdca
commit 67e0a4cdca
parent b411f9cd76
4 changed files with 137 additions and 1 deletions
--- a/backport-0001-CVE-2022-3555.patch
+++ b/backport-0001-CVE-2022-3555.patch
@ -0,0 +1,37 @@
+From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
+From: Hodong <hodong@yozmos.com>
+Date: Thu, 20 Jan 2022 00:57:41 +0900
+Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
+
+Even when XCloseDisplay() was called, some memory was leaked.
+
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+
+Signed-off-by: Hodong <hodong@yozmos.com>
+
+Conflict:NA
+Reference:https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8a368d808fec166b5fb3dfe6312aab22c7ee20af
+---
+ src/xcb_disp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 70a602f4..e9becee3 100644
+--- a/src/xcb_disp.c
+++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+ 		dpy->xcb->pending_requests = tmp->next;
+ 		free(tmp);
+ 	}
+	xcondition_clear(dpy->xcb->event_notify);
+	xcondition_clear(dpy->xcb->reply_notify);
+ 	xcondition_free(dpy->xcb->event_notify);
+ 	xcondition_free(dpy->xcb->reply_notify);
+ 	Xfree(dpy->xcb);
+-- 
+2.27.0
+
--- a/backport-0002-CVE-2022-3555.patch
+++ b/backport-0002-CVE-2022-3555.patch
@ -0,0 +1,37 @@
+From 76d1cc3c1ce943c6ff81dc8c62a1d1b30fabf02e Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 3 Apr 2022 14:23:36 +0100
+Subject: Don't try to destroy NULL condition variables
+
+This avoids a segfault during error-unwinding if an invalid display name
+is passed to XOpenDisplay().
+
+Fixes: 8a368d80 "Fix two memory leaks in _XFreeX11XCBStructure()"
+Resolves: #155
+Signed-off-by: Simon McVittie <smcv@debian.org>
+
+Conflict:NA
+Reference:https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=76d1cc3c1ce943c6ff81dc8c62a1d1b30fabf02e
+---
+ src/xcb_disp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index e9becee3..63e344af 100644
+--- a/src/xcb_disp.c
+++ b/src/xcb_disp.c
+@@ -102,8 +102,10 @@ void _XFreeX11XCBStructure(Display *dpy)
+ 		dpy->xcb->pending_requests = tmp->next;
+ 		free(tmp);
+ 	}
+-	xcondition_clear(dpy->xcb->event_notify);
+-	xcondition_clear(dpy->xcb->reply_notify);
+	if (dpy->xcb->event_notify)
+		xcondition_clear(dpy->xcb->event_notify);
+	if (dpy->xcb->reply_notify)
+		xcondition_clear(dpy->xcb->reply_notify);
+ 	xcondition_free(dpy->xcb->event_notify);
+ 	xcondition_free(dpy->xcb->reply_notify);
+ 	Xfree(dpy->xcb);
+-- 
+cgit v1.2.1
--- a/backport-CVE-2022-3554.patch
+++ b/backport-CVE-2022-3554.patch
@ -0,0 +1,56 @@
+From 1d11822601fd24a396b354fa616b04ed3df8b4ef Mon Sep 17 00:00:00 2001
+From: "Thomas E. Dickey" <dickey@invisible-island.net>
+Date: Tue, 4 Oct 2022 18:26:17 -0400
+Subject: [PATCH] fix a memory leak in XRegisterIMInstantiateCallback
+
+Analysis:
+
+    _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
+    the internal function pointers, but the internal close function does
+    not free the pointer to the XIM (this would be done in XCloseIM()).
+
+Report/patch:
+
+    Date: Mon, 03 Oct 2022 18:47:32 +0800
+    From: Po Lu <luangruo@yahoo.com>
+    To: xorg-devel@lists.x.org
+    Subject: Re: Yet another leak in Xlib
+
+    For reference, here's how I'm calling XRegisterIMInstantiateCallback:
+
+    XSetLocaleModifiers ("");
+    XRegisterIMInstantiateCallback (compositor.display,
+                                    XrmGetDatabase (compositor.display),
+                                    (char *) compositor.resource_name,
+                                    (char *) compositor.app_name,
+                                    IMInstantiateCallback, NULL);
+
+    and XMODIFIERS is:
+
+        @im=ibus
+
+Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
+
+Conflict:NA
+Reference:https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=1d11822601fd24a396b354fa616b04ed3df8b4ef
+---
+ modules/im/ximcp/imInsClbk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
+index 95b379cb..c10e347f 100644
+--- a/modules/im/ximcp/imInsClbk.c
+++ b/modules/im/ximcp/imInsClbk.c
+@@ -212,6 +212,9 @@ _XimRegisterIMInstantiateCallback(
+     if( xim ) {
+ 	lock = True;
+ 	xim->methods->close( (XIM)xim );
+	/* XIMs must be freed manually after being opened; close just
+	   does the protocol to deinitialize the IM.  */
+	XFree( xim );
+ 	lock = False;
+ 	icb->call = True;
+ 	callback( display, client_data, NULL );
+-- 
+2.27.0
+
--- a/libX11.spec
+++ b/libX11.spec
@ -1,6 +1,6 @@
 Name:		libX11
 Version:	1.7.2
-Release:	3
+Release:	4
 Summary:	Core X11 protocol client library
 License:	MIT
 URL:		http://www.x.org
@ -8,6 +8,9 @@ Source0:	https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.

 Patch1:         dont-forward-keycode-0.patch
 Patch2:         backport-makekeys-handle-the-new-EVDEVK-xorgproto-symbols.patch
+Patch6001:	backport-CVE-2022-3554.patch
+Patch6002:	backport-0001-CVE-2022-3555.patch
+Patch6003:	backport-0002-CVE-2022-3555.patch

 BuildRequires:	xorg-x11-util-macros >= 1.11 xorg-x11-proto-devel perl-Pod-Usage libXau-devel
 BuildRequires:  libxcb-devel >= 1.2 libXdmcp-devel xorg-x11-xtrans-devel >= 1.0.3-4
@ -74,6 +77,9 @@ make %{?_smp_mflags} check
 %{_mandir}/*/*

 %changelog
+* Mon Oct 24 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 1.7.2-4
+- fix CVE-2022-3554,CVE-2022-3555
+
 * Tue Jun 21 2022 wangkerong <wangkerong@h-partners.com> - 1.7.2-3
 - fix error from unkown X86FMacroxx keysym