commit xwayland for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xwayland for openSUSE:Factory checked in at 2023-01-01 09:38:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xwayland (Old) and /work/SRC/openSUSE:Factory/.xwayland.new.1563 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xwayland" Sun Jan 1 09:38:28 2023 rev:18 rq:1045936 version:22.1.7 Changes: --------
--- /work/SRC/openSUSE:Factory/xwayland/xwayland.changes 2022-12-15 19:24:19.683756875 +0100
+++ /work/SRC/openSUSE:Factory/.xwayland.new.1563/xwayland.changes 2023-01-01 09:38:34.586685932 +0100
@@ -1,0 +2,33 @@
+Sat Dec 31 15:51:38 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to version 22.1.7
+ * This release fixes an invalid event type mask in
+ XTestSwapFakeInput which was inadvertently changed from octal
+ 0177 to hexadecimal 0x177 in the fix for CVE-2022-46340.
+
+-------------------------------------------------------------------
+Thu Dec 15 15:15:47 UTC 2022 - Bj��rn Lie <bjorn.lie@gmail.com>
+
+- Update to version 22.1.6:
+ * Fixes CVE-2022-46340, CVE-2022-46341, CVE-2022-46342,
+ CVE-2022-46343, CVE-2022-46344, CVE-2022-4283.
+ * Xtest: disallow GenericEvents in XTestSwapFakeInput
+ * Xi: disallow passive grabs with a detail > 255
+ * Xext: free the XvRTVideoNotify when turning off from the same
+ client
+ * Xext: free the screen saver resource when replacing it
+ * Xi: return an error from XI property changes if verification
+ failed
+ * Xi: avoid integer truncation in length check of
+ ProcXIChangeProperty
+ * xkb: reset the radio_groups pointer to NULL after freeing it
+- Drop patches fixed upstream:
+ * U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch
+ * U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch
+ * U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
+ * U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
+ * U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
+ * U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
+ * U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
+
+-------------------------------------------------------------------
Old: ---- U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch xwayland-22.1.5.tar.xz xwayland-22.1.5.tar.xz.sig New: ---- xwayland-22.1.7.tar.xz xwayland-22.1.7.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xwayland.spec ++++++
--- /var/tmp/diff_new_pack.VCDhm3/_old 2023-01-01 09:38:35.222689410 +0100
+++ /var/tmp/diff_new_pack.VCDhm3/_new 2023-01-01 09:38:35.226689432 +0100
@@ -24,22 +24,16 @@
 %endif
 Name: xwayland
-Version: 22.1.5
+Version: 22.1.7
 Release: 0
-URL: http://xorg.freedesktop.org/
+URL: http://xorg.freedesktop.org
 Summary: X
 License: MIT
 Group: System/X11/Servers/XF86_4
 Source0: %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz
 Source1: %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz.sig
 Source2: xwayland.keyring
-Patch1205874: U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch
-Patch1205875: U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch
-Patch1205876: U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
-Patch1205877: U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
-Patch1205878: U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
-Patch1205879: U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
-Patch1206017: U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
+
 BuildRequires: meson
 BuildRequires: ninja
 BuildRequires: pkgconfig
++++++ xwayland-22.1.5.tar.xz -> xwayland-22.1.7.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xwayland-22.1.5/Xext/saver.c new/xwayland-22.1.7/Xext/saver.c
--- old/xwayland-22.1.5/Xext/saver.c 2022-11-02 10:01:42.000000000 +0100
+++ new/xwayland-22.1.7/Xext/saver.c 2022-12-19 10:17:57.000000000 +0100
@@ -1051,7 +1051,7 @@
 pVlist++;
 }
 if (pPriv->attr)
- FreeScreenAttr(pPriv->attr);
+ FreeResource(pPriv->attr->resource, AttrType);
 pPriv->attr = pAttr;
 pAttr->resource = FakeClientID(client->index);
 if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xwayland-22.1.5/Xext/xtest.c new/xwayland-22.1.7/Xext/xtest.c
--- old/xwayland-22.1.5/Xext/xtest.c 2022-11-02 10:01:42.000000000 +0100
+++ new/xwayland-22.1.7/Xext/xtest.c 2022-12-19 10:17:57.000000000 +0100
@@ -502,10 +502,11 @@
 nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
 for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
+ int evtype = ev->u.u.type & 0177;
 /* Swap event */
- proc = EventSwapVector[ev->u.u.type & 0177];
+ proc = EventSwapVector[evtype];
 /* no swapping proc; invalid event type? */
- if (!proc || proc == NotImplemented) {
+ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
 client->errorValue = ev->u.u.type;
 return BadValue;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xwayland-22.1.5/Xext/xvmain.c new/xwayland-22.1.7/Xext/xvmain.c
--- old/xwayland-22.1.5/Xext/xvmain.c 2022-11-02 10:01:42.000000000 +0100
+++ new/xwayland-22.1.7/Xext/xvmain.c 2022-12-19 10:17:57.000000000 +0100
@@ -811,8 +811,10 @@
 tpn = pn;
 while (tpn) {
 if (tpn->client == client) {
- if (!onoff)
+ if (!onoff) {
 tpn->client = NULL;
+ FreeResource(tpn->id, XvRTVideoNotify);
+ }
 return Success;
 }
 if (!tpn->client)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xwayland-22.1.5/Xi/xipassivegrab.c new/xwayland-22.1.7/Xi/xipassivegrab.c
--- old/xwayland-22.1.5/Xi/xipassivegrab.c 2022-11-02 10:01:42.000000000 +0100
+++ new/xwayland-22.1.7/Xi/xipassivegrab.c 2022-12-19 10:17:57.000000000 +0100
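Review bot: The assignment `pPriv->attr = pAttr;` directly after the new `FreeResource(pPriv->attr->resource, AttrType);` in Xext/saver.c relies on the AttrType delete callback leaving `pPriv` itself intact, and nothing in the hunk says so. That callback is not visible here; if it clears `pPriv->attr` or releases the screen-private record once no attributes remain, the next line would write through a stale pointer, so this is worth confirming. I would also add above the call `/* attr was registered with AddResource(); release it through the resource table so no dangling entry is left behind */`. The enclosing function begins and ends outside the hunk.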
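Review bot: The mask in `int evtype = ev->u.u.type & 0177;` (Xext/xtest.c) is an octal literal, and the changelog on this page records that it was mistyped as `0x177` while fixing CVE-2022-46340, so it deserves a comment or an unambiguous spelling. I would write `int evtype = ev->u.u.type & 0x7f; /* low 7 bits: event code without the send-event flag */`, or keep `0177` and add that comment. `0x177` selects a different set of bits (it drops bit 3), so the wrong entry of `EventSwapVector` would be looked up and the `GenericEvent` comparison would test the wrong value. The loop body continues outside the hunk.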
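Review bot: After `FreeResource(tpn->id, XvRTVideoNotify);` in Xext/xvmain.c the list node stays linked with `tpn->client == NULL` and `tpn->id` still holding the released XID, and the new block has no comment on why both steps are needed. Judging by the `if (!tpn->client)` context line such nodes are picked up again later, so I would add `/* drop the XID as well: the slot stays on the list for reuse and must not be reachable through the old resource */`. Whether the XvRTVideoNotify delete callback itself touches `tpn` is not visible here and is worth checking, since `tpn->client` is cleared before the call. The loop continues outside the hunk.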
@@ -137,6 +137,12 @@ return BadValue; } + /* XI2 allows 32-bit keycodes but thanks to XKB we can never + * implement this. Just return an error for all keycodes that + * cannot work anyway, same for buttons > 255. */ + if (stuff->detail > 255) + return XIAlreadyGrabbed; + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], stuff->mask_len * 4) != Success) return BadValue; @@ -207,14 +213,8 @@ ¶m, XI2, &mask); break; case XIGrabtypeKeycode: - /* XI2 allows 32-bit keycodes but thanks to XKB we can never - * implement this. Just return an error for all keycodes that - * cannot work anyway */ - if (stuff->detail > 255) - status = XIAlreadyGrabbed; - else - status = GrabKey(client, dev, mod_dev, stuff->detail, - ¶m, XI2, &mask); + status = GrabKey(client, dev, mod_dev, stuff->detail, + ¶m, XI2, &mask); break; case XIGrabtypeEnter: case XIGrabtypeFocusIn: @@ -333,6 +333,12 @@ client->errorValue = stuff->detail; return BadValue; } + + /* We don't allow passive grabs for details > 255 anyway */ + if (stuff->detail > 255) { + client->errorValue = stuff->detail; + return BadValue; + } rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); if (rc != Success) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xwayland-22.1.5/Xi/xiproperty.c new/xwayland-22.1.7/Xi/xiproperty.c --- old/xwayland-22.1.5/Xi/xiproperty.c 2022-11-02 10:01:42.000000000 +0100 +++ new/xwayland-22.1.7/Xi/xiproperty.c 2022-12-19 10:17:57.000000000 +0100 @@ -890,7 +890,7 @@ REQUEST(xChangeDevicePropertyReq); DeviceIntPtr dev; unsigned long len; - int totalSize; + uint64_t totalSize; int rc; REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); @@ -902,6 +902,8 @@ rc = check_change_property(client, stuff->property, stuff->type, stuff->format, stuff->mode, stuff->nUnits); + if (rc != Success) + return rc; len = stuff->nUnits; if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq)))) 
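Review bot: The new early exit `return XIAlreadyGrabbed;` in the first Xi/xipassivegrab.c hunk returns a grab status from a path whose neighbouring exits return protocol errors (`return BadValue;` just above and below it), and it leaves `client->errorValue` unset. The removed lines in the second hunk show that XIAlreadyGrabbed used to be assigned to `status` rather than returned from the handler, so the client now presumably receives whichever protocol error shares that numeric value. The third hunk handles the same condition with `client->errorValue = stuff->detail; return BadValue;`; I would use that form here as well, or add a comment if existing clients depend on the old status. The handlers start and end outside these hunks.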
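Review bot: Changing `int totalSize;` to `uint64_t totalSize;` in Xi/xiproperty.c widens only the destination; the expression that computes it lies outside the hunk, and if its operands are 32-bit the product can still wrap before it is stored. The same declaration change appears in the `@@ -1128,7` hunk of this file and in dix/property.c, where `sizeInBytes` stays `int`. I would confirm that each computation is carried out in 64 bits, for example with a cast on the first operand, or put a comment next to it such as `/* cannot wrap: len is bounded by the length check above */`. `len` is `unsigned long`, so its width differs between 32- and 64-bit builds.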
@@ -1128,7 +1130,7 @@ { int rc; DeviceIntPtr dev; - int totalSize; + uint64_t totalSize; unsigned long len; REQUEST(xXIChangePropertyReq); @@ -1141,6 +1143,9 @@ rc = check_change_property(client, stuff->property, stuff->type, stuff->format, stuff->mode, stuff->num_items); + if (rc != Success) + return rc; + len = stuff->num_items; if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq))) return BadLength; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xwayland-22.1.5/dix/property.c new/xwayland-22.1.7/dix/property.c --- old/xwayland-22.1.5/dix/property.c 2022-11-02 10:01:42.000000000 +0100 +++ new/xwayland-22.1.7/dix/property.c 2022-12-19 10:17:57.000000000 +0100 @@ -205,7 +205,8 @@ WindowPtr pWin; char format, mode; unsigned long len; - int sizeInBytes, totalSize, err; + int sizeInBytes, err; + uint64_t totalSize; REQUEST(xChangePropertyReq); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xwayland-22.1.5/meson.build new/xwayland-22.1.7/meson.build --- old/xwayland-22.1.5/meson.build 2022-11-02 10:01:42.000000000 +0100 +++ new/xwayland-22.1.7/meson.build 2022-12-19 10:17:57.000000000 +0100 @@ -3,10 +3,10 @@ 'buildtype=debugoptimized', 'c_std=gnu99', ], - version: '22.1.5', + version: '22.1.7', meson_version: '>= 0.47.0', ) -release_date = '2021-07-05' +release_date = '2022-12-19' add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc']) cc = meson.get_compiler('c') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xwayland-22.1.5/xkb/xkbUtils.c new/xwayland-22.1.7/xkb/xkbUtils.c --- old/xwayland-22.1.5/xkb/xkbUtils.c 2022-11-02 10:01:42.000000000 +0100 +++ new/xwayland-22.1.7/xkb/xkbUtils.c 2022-12-19 10:17:57.000000000 +0100 @@ -1327,6 +1327,7 @@ } else { free(dst->names->radio_groups); + dst->names->radio_groups = NULL; } dst->names->num_rg = src->names->num_rg;