Mon Oct 17 19:31:45 UTC 2022

l/libqalculate-4.4.0-x86_64-1.txz:  Upgraded.
l/netpbm-11.00.01-x86_64-1.txz:  Upgraded.
x/xorg-server-21.1.4-x86_64-2.txz:  Rebuilt.
  xkb: proof GetCountedString against request length attacks.
  xkb: fix some possible memleaks in XkbGetKbdByName.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
  (* Security fix *)
x/xorg-server-xephyr-21.1.4-x86_64-2.txz:  Rebuilt.
x/xorg-server-xnest-21.1.4-x86_64-2.txz:  Rebuilt.
x/xorg-server-xvfb-21.1.4-x86_64-2.txz:  Rebuilt.
x/xorg-server-xwayland-22.1.3-x86_64-2.txz:  Rebuilt.
  xkb: proof GetCountedString against request length attacks.
  xkb: fix some possible memleaks in XkbGetKbdByName.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
  (* Security fix *)
xap/blueman-2.3.4-x86_64-1.txz:  Upgraded.

ChangeLog.rss

@@ -11,9 +11,39 @@
       <description>Tracking Slackware development in git.</description>
       <language>en-us</language>
       <id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
-      <pubDate>Mon, 17 Oct 2022 00:42:43 GMT</pubDate>
-      <lastBuildDate>Mon, 17 Oct 2022 05:00:18 GMT</lastBuildDate>
+      <pubDate>Mon, 17 Oct 2022 19:31:45 GMT</pubDate>
+      <lastBuildDate>Tue, 18 Oct 2022 05:00:16 GMT</lastBuildDate>
       <generator>maintain_current_git.sh v 1.17</generator>
+      <item>
+         <title>Mon, 17 Oct 2022 19:31:45 GMT</title>
+         <pubDate>Mon, 17 Oct 2022 19:31:45 GMT</pubDate>
+         <link>https://git.slackware.nl/current/tag/?h=20221017193145</link>
+         <guid isPermaLink="false">20221017193145</guid>
+         <description>
+           <![CDATA[<pre>
+l/libqalculate-4.4.0-x86_64-1.txz:  Upgraded.
+l/netpbm-11.00.01-x86_64-1.txz:  Upgraded.
+x/xorg-server-21.1.4-x86_64-2.txz:  Rebuilt.
+  xkb: proof GetCountedString against request length attacks.
+  xkb: fix some possible memleaks in XkbGetKbdByName.
+  For more information, see:
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
+  (* Security fix *)
+x/xorg-server-xephyr-21.1.4-x86_64-2.txz:  Rebuilt.
+x/xorg-server-xnest-21.1.4-x86_64-2.txz:  Rebuilt.
+x/xorg-server-xvfb-21.1.4-x86_64-2.txz:  Rebuilt.
+x/xorg-server-xwayland-22.1.3-x86_64-2.txz:  Rebuilt.
+  xkb: proof GetCountedString against request length attacks.
+  xkb: fix some possible memleaks in XkbGetKbdByName.
+  For more information, see:
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
+  (* Security fix *)
+xap/blueman-2.3.4-x86_64-1.txz:  Upgraded.
+           </pre>]]>
+         </description>
+      </item>
       <item>
          <title>Mon, 17 Oct 2022 00:42:43 GMT</title>
          <pubDate>Mon, 17 Oct 2022 00:42:43 GMT</pubDate>

ChangeLog.txt

@@ -1,3 +1,25 @@
+Mon Oct 17 19:31:45 UTC 2022
+l/libqalculate-4.4.0-x86_64-1.txz:  Upgraded.
+l/netpbm-11.00.01-x86_64-1.txz:  Upgraded.
+x/xorg-server-21.1.4-x86_64-2.txz:  Rebuilt.
+  xkb: proof GetCountedString against request length attacks.
+  xkb: fix some possible memleaks in XkbGetKbdByName.
+  For more information, see:
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
+  (* Security fix *)
+x/xorg-server-xephyr-21.1.4-x86_64-2.txz:  Rebuilt.
+x/xorg-server-xnest-21.1.4-x86_64-2.txz:  Rebuilt.
+x/xorg-server-xvfb-21.1.4-x86_64-2.txz:  Rebuilt.
+x/xorg-server-xwayland-22.1.3-x86_64-2.txz:  Rebuilt.
+  xkb: proof GetCountedString against request length attacks.
+  xkb: fix some possible memleaks in XkbGetKbdByName.
+  For more information, see:
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
+  (* Security fix *)
+xap/blueman-2.3.4-x86_64-1.txz:  Upgraded.
++--------------------------+
 Mon Oct 17 00:42:43 UTC 2022
 a/gettext-0.21.1-x86_64-1.txz:  Upgraded.
 a/glibc-zoneinfo-2022e-noarch-1.txz:  Upgraded.

recompress.sh

@@ -1086,6 +1086,8 @@ gzip ./source/x/xdg-utils/doinst.sh
 gzip ./source/x/ttf-indic-fonts/doinst.sh
 gzip ./source/x/noto-fonts-ttf/doinst.sh
 gzip ./source/x/libinput/libinput.less.lag.complaining.diff
+gzip ./source/x/xorg-server-xwayland/CVE-2022-3551.patch
+gzip ./source/x/xorg-server-xwayland/CVE-2022-3550.patch
 gzip ./source/x/hack-fonts-ttf/doinst.sh
 gzip ./source/x/fcitx5-gtk/doinst.sh
 gzip ./source/x/wqy-zenhei-font-ttf/wqy-zenhei.fix.fontconfig.warning.diff
@@ -1148,10 +1150,11 @@ gzip ./source/x/x11/patch/xdm/xdm.arc4random.diff
 gzip ./source/x/x11/patch/pixman/pixman.remove.tests.that.fail.to.compile.diff
 gzip ./source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch
 gzip ./source/x/x11/patch/xorg-server/0001-xfree86-use-modesetting-driver-by-default-on-GeForce.patch
+gzip ./source/x/x11/patch/xorg-server/CVE-2022-3551.patch
 gzip ./source/x/x11/patch/xorg-server/fix-nouveau-segfault.diff
 gzip ./source/x/x11/patch/xorg-server/x11.startwithblackscreen.diff
+gzip ./source/x/x11/patch/xorg-server/CVE-2022-3550.patch
 gzip ./source/x/x11/patch/xorg-server/06_use-intel-only-on-pre-gen4.diff
-gzip ./source/x/x11/patch/xorg-server/failed/0001-Always-install-vbe-and-int10-sdk-headers.patch
 gzip ./source/x/x11/patch/xinit/xinit.remove.systemd.kludge.diff
 gzip ./source/x/x11/patch/xf86-video-intel/0001-sna-Avoid-clobbering-output-physical-size-with-xf86O.patch
 gzip ./source/x/x11/patch/xf86-video-s3virge/xf86-video-s3virge.xorg-server-1.20.x.diff

source/x/x11/build/xorg-server

@@ -1 +1 @@
-1
+2

source/x/x11/patch/xorg-server.patch

@@ -20,3 +20,9 @@ zcat $CWD/patch/xorg-server/0001-xfree86-use-modesetting-driver-by-default-on-Ge
 
 # Only use Intel DDX with pre-gen4 hardware. Newer hardware will the the modesetting driver by default:
 zcat $CWD/patch/xorg-server/06_use-intel-only-on-pre-gen4.diff.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+
+# Patch some more security issues:
+zcat $CWD/patch/xorg-server/CVE-2022-3550.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+zcat $CWD/patch/xorg-server/CVE-2022-3551.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+# This one doesn't apply properly, but it's for OSX anyway :)
+#zcat $CWD/patch/xorg-server/CVE-2022-3553.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }

source/x/x11/patch/xorg-server/CVE-2022-3550.patch

@@ -0,0 +1,34 @@
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <[email protected]>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <[email protected]>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+
+     wire = *wire_inout;
++
++    if (client->req_len <
++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++        return BadValue;
++
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+cgit v1.2.1
+

source/x/x11/patch/xorg-server/CVE-2022-3551.patch

@@ -0,0 +1,59 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <[email protected]>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <[email protected]>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
++    {
++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
++        if (keymap) {
++            free(keymap);
++            return BadMatch;
++        }
++    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
++    if (status == Success) {
++        len = str - ((unsigned char *) stuff);
++        if ((XkbPaddedSize(len) / 4) != stuff->length)
++            status = BadLength;
++    }
++
++    if (status != Success) {
++        free(names.keycodes);
++        free(names.types);
++        free(names.compat);
++        free(names.symbols);
++        free(names.geometry);
+         return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
++    }
+
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+-- 
+cgit v1.2.1
+

source/x/xorg-server-xwayland/CVE-2022-3550.patch

@@ -0,0 +1,34 @@
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <[email protected]>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <[email protected]>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+
+     wire = *wire_inout;
++
++    if (client->req_len <
++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++        return BadValue;
++
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+cgit v1.2.1
+

source/x/xorg-server-xwayland/CVE-2022-3551.patch

@@ -0,0 +1,59 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <[email protected]>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <[email protected]>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
++    {
++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
++        if (keymap) {
++            free(keymap);
++            return BadMatch;
++        }
++    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
++    if (status == Success) {
++        len = str - ((unsigned char *) stuff);
++        if ((XkbPaddedSize(len) / 4) != stuff->length)
++            status = BadLength;
++    }
++
++    if (status != Success) {
++        free(names.keycodes);
++        free(names.types);
++        free(names.compat);
++        free(names.symbols);
++        free(names.geometry);
+         return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
++    }
+
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+-- 
+cgit v1.2.1
+

source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild

@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=xorg-server-xwayland
 SRCNAM=xwayland
 VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Default font paths to be used by the X server:
 DEF_FONTPATH="/usr/share/fonts/misc,/usr/share/fonts/local,/usr/share/fonts/TTF,/usr/share/fonts/OTF,/usr/share/fonts/Type1,/usr/share/fonts/CID,/usr/share/fonts/75dpi/:unscaled,/usr/share/fonts/100dpi/:unscaled,/usr/share/fonts/75dpi,/usr/share/fonts/100dpi,/usr/share/fonts/cyrillic"
@@ -80,6 +80,10 @@ find . \
   \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
   -exec chmod 644 {} \+
 
+# Patch more security issues:
+zcat $CWD/CVE-2022-3550.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2022-3551.patch.gz | patch -p1 --verbose || exit 1
+
 # Configure, build, and install:
 export CFLAGS="$SLKCFLAGS"
 export CXXFLAGS="$SLKCFLAGS"