diff -Nru xwayland-22.1.1/debian/changelog xwayland-22.1.1/debian/changelog --- xwayland-22.1.1/debian/changelog 2023-03-29 13:05:35.000000000 +0000 +++ xwayland-22.1.1/debian/changelog 2023-10-16 13:20:53.000000000 +0000 @@ -1,3 +1,13 @@ +xwayland (2:22.1.1-1ubuntu0.7) jammy-security; urgency=medium + + * SECURITY UPDATE: OOB write in XIChangeDeviceProperty and + RRChangeOutputProperty + - debian/patches/CVE-2023-5367.patch: fix handling of PropModeAppend + and PropModePrepend in Xi/xiproperty.c, randr/rrproperty.c. + - CVE-2023-5367 + + -- Marc Deslauriers Mon, 16 Oct 2023 09:20:53 -0400 + xwayland (2:22.1.1-1ubuntu0.6) jammy-security; urgency=medium * SECURITY UPDATE: Overlay Window Use-After-Free diff -Nru xwayland-22.1.1/debian/patches/CVE-2023-5367.patch xwayland-22.1.1/debian/patches/CVE-2023-5367.patch --- xwayland-22.1.1/debian/patches/CVE-2023-5367.patch 1970-01-01 00:00:00.000000000 +0000 +++ xwayland-22.1.1/debian/patches/CVE-2023-5367.patch 2023-10-16 13:20:48.000000000 +0000 @@ -0,0 +1,80 @@ +From 69ceb12e9c9dc42175aba48bb86f2842423d7082 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 3 Oct 2023 11:53:05 +1000 +Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend + +The handling of appending/prepending properties was incorrect, with at +least two bugs: the property length was set to the length of the new +part only, i.e. appending or prepending N elements to a property with P +existing elements always resulted in the property having N elements +instead of N + P. + +Second, when pre-pending a value to a property, the offset for the old +values was incorrect, leaving the new property with potentially +uninitalized values and/or resulting in OOB memory writes. +For example, prepending a 3 element value to a 5 element property would +result in this 8 value array: + [N, N, N, ?, ?, P, P, P ] P, P + ^OOB write + +The XI2 code is a copy/paste of the RandR code, so the bug exists in +both. + +CVE-2023-5367, ZDI-CAN-22153 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +--- + Xi/xiproperty.c | 4 ++-- + randr/rrproperty.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 066ba21fba..d315f04d0e 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + XIDestroyDeviceProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index c2fb9585c6..25469f57b2 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + RRDestroyOutputProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +-- +2.41.0 + diff -Nru xwayland-22.1.1/debian/patches/series xwayland-22.1.1/debian/patches/series --- xwayland-22.1.1/debian/patches/series 2023-03-29 13:05:27.000000000 +0000 +++ xwayland-22.1.1/debian/patches/series 2023-10-16 13:20:48.000000000 +0000 @@ -13,3 +13,4 @@ CVE-2022-4283.patch CVE-2023-0494.patch CVE-2023-1393.patch +CVE-2023-5367.patch