diff -u xorg-server-1.18.4/debian/changelog xorg-server-1.18.4/debian/changelog
--- xorg-server-1.18.4/debian/changelog
+++ xorg-server-1.18.4/debian/changelog
@@ -1,3 +1,11 @@
+xorg-server (2:1.18.4-0ubuntu0.12) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: XChangeFeedbackControl Integer Underflow
+ - debian/patches/CVE-2021-3472.patch: add check to Xi/chgfctl.c.
+ - CVE-2021-3472
+
+ -- Marc Deslauriers Thu, 08 Apr 2021 08:31:36 -0400
+
 xorg-server (2:1.18.4-0ubuntu0.11) xenial-security; urgency=medium
 
 * SECURITY UPDATE: out of bounds memory accesses on too short request
diff -u xorg-server-1.18.4/debian/patches/series xorg-server-1.18.4/debian/patches/series
--- xorg-server-1.18.4/debian/patches/series
+++ xorg-server-1.18.4/debian/patches/series
@@ -77,0 +78 @@
+CVE-2021-3472.patch
only in patch2:
unchanged:
--- xorg-server-1.18.4.orig/debian/patches/CVE-2021-3472.patch
+++ xorg-server-1.18.4/debian/patches/CVE-2021-3472.patch
@@ -0,0 +1,34 @@
+From 00f8ce4dbeeb99ff8e5e9211d08058b11a1ac3c0 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH xserver] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9ef..7a597e43d 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+ break;
+ case StringFeedbackClass:
+ {
+- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
++ xStringFeedbackCtl *f;
+
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++ sizeof(xStringFeedbackCtl));
++ f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
+--
+2.31.0
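Review bot: The new `REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, sizeof(xStringFeedbackCtl))` call in the StringFeedbackClass case of Xi/chgfctl.c has no comment saying why it must run before `f` is pointed at `&stuff[1]`. The only other length test visible in the hunk, `if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))`, sits inside the `client->swapped` branch, so for non-swapped clients the macro appears to be the only guard that the request holds a full xStringFeedbackCtl before its fields are read. I would add a comment above the macro such as `/* Request must hold a full xStringFeedbackCtl before f is dereferenced; the len test below only covers swapped clients (CVE-2021-3472). */`. With the macro in place the swapped-branch test looks redundant, but that depends on how `len` is computed outside the hunk, and the case body also continues past the hunk's last line.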