wok-current diff xorg-server/stuff/CVE-2023-1393.patch @ rev 25634
Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Sun Jan 14 08:12:37 2024 +0000 (20 months ago) |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/xorg-server/stuff/CVE-2023-1393.patch Sun Jan 14 08:12:37 2024 +0000 1.3 @@ -0,0 +1,42 @@ 1.4 +From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001 1.5 +From: Olivier Fourdan <ofourdan@redhat.com> 1.6 +Date: Mon, 13 Mar 2023 11:08:47 +0100 1.7 +Subject: [PATCH] composite: Fix use-after-free of the COW 1.8 + 1.9 +ZDI-CAN-19866/CVE-2023-1393 1.10 + 1.11 +If a client explicitly destroys the compositor overlay window (aka COW), 1.12 +we would leave a dangling pointer to that window in the CompScreen 1.13 +structure, which will trigger a use-after-free later. 1.14 + 1.15 +Make sure to clear the CompScreen pointer to the COW when the latter gets 1.16 +destroyed explicitly by the client. 1.17 + 1.18 +This vulnerability was discovered by: 1.19 +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative 1.20 + 1.21 +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> 1.22 +Reviewed-by: Adam Jackson <ajax@redhat.com> 1.23 +--- 1.24 + composite/compwindow.c | 5 +++++ 1.25 + 1 file changed, 5 insertions(+) 1.26 + 1.27 +diff --git a/composite/compwindow.c b/composite/compwindow.c 1.28 +index 4e2494b86b..b30da589e9 100644 1.29 +--- a/composite/compwindow.c 1.30 ++++ b/composite/compwindow.c 1.31 +@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) 1.32 + ret = (*pScreen->DestroyWindow) (pWin); 1.33 + cs->DestroyWindow = pScreen->DestroyWindow; 1.34 + pScreen->DestroyWindow = compDestroyWindow; 1.35 ++ 1.36 ++ /* Did we just destroy the overlay window? */ 1.37 ++ if (pWin == cs->pOverlayWin) 1.38 ++ cs->pOverlayWin = NULL; 1.39 ++ 1.40 + /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ 1.41 + return ret; 1.42 + } 1.43 +-- 1.44 +GitLab 1.45 +
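Review bot: In the compDestroyWindow hunk, the new `if (pWin == cs->pOverlayWin)` check runs only after the wrapped `(*pScreen->DestroyWindow) (pWin)` call has returned, so anything invoked through that wrapped chain still sees `cs->pOverlayWin` pointing at the window being torn down. The comparison itself uses only the pointer value and never dereferences `pWin`, so the check is sound where it stands, but either move it above the wrapped call or extend the `/* Did we just destroy the overlay window? */` comment to say why clearing afterwards is sufficient, so the ordering reads as deliberate. On the packaging side, the changeset description ("Mass update, new toolchain gcc 8.3.0, glibc 2.28.0") does not mention that a CVE-2023-1393 fix is being added, and the lines shown only create the file under xorg-server/stuff/; confirm that the xorg-server build actually applies it and mention the CVE in the description so the fix can be found later.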