author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2024-04-07 11:42:57 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2024-04-07 11:42:57 +0000
commit: 3b54c5989fc2cf723133696763d4cc4a6e1c6152
tree: 6b8ba61c06b9c566cb4881d46008c9f65d2c12eb /xserver/ChangeLog
parent: 6375a3e179fcdcf13e57e9a2eae63a704d41e4be
Update to xserver 21.1.12
The security patches were already committed, sync with the rest of the 21.1.12 release.
Diffstat (limited to 'xserver/ChangeLog')
-rw-r--r-- xserver/ChangeLog 214
1 files changed, 214 insertions, 0 deletions
diff --git a/xserver/ChangeLog b/xserver/ChangeLog
index 4f43caad8..baea527b3 100644
--- a/xserver/ChangeLog
+++ b/xserver/ChangeLog
@@ -1,3 +1,217 @@
+commit 101caa1b03bc26b718f4618eb24104add5d14a4b
+Author: Povilas Kanapickas <povilas@radix.lt>
+Date: Wed Apr 3 23:43:42 2024 +0300
+
+ xserver 21.1.12
+
+ Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+
+commit 1173156404be826f50f453ca11bda28ccb5a5268
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue Jan 30 13:13:35 2024 +1000
+
+ render: fix refcounting of glyphs during ProcRenderAddGlyphs
+
+ Previously, AllocateGlyph would return a new glyph with refcount=0 and a
+ re-used glyph would end up not changing the refcount at all. The
+ resulting glyph_new array would thus have multiple entries pointing to
+ the same non-refcounted glyphs.
+
+ AddGlyph may free a glyph, resulting in a UAF when the same glyph
+ pointer is then later used.
+
+ Fix this by returning a refcount of 1 for a new glyph and always
+ incrementing the refcount for a re-used glyph, followed by dropping that
+ refcount back down again when we're done with it.
+
+ CVE-2024-31083, ZDI-CAN-22880
+
+ This vulnerability was discovered by:
+ Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+ (cherry picked from commit bdca6c3d1f5057eeb31609b1280fc93237b00c77)
+
+commit 0e34d8ebc98a0ba6f9f0a2f8f5045761bccc45d3
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri Mar 22 19:07:34 2024 -0700
+
+ Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply
+
+ CVE-2024-31082
+
+ Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+ (cherry picked from commit 6c684d035c06fd41c727f0ef0744517580864cef)
+
+commit cea92ca78f900bfb4c9a5540dfd631e065b9151b
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri Mar 22 18:56:27 2024 -0700
+
+ Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply
+
+ CVE-2024-31081
+
+ Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+ (cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee)
+
+commit 8a7cd0e3ef194610300c1a38fb5a5423b23dd6a5
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri Mar 22 18:51:45 2024 -0700
+
+ Xi: ProcXIGetSelectedEvents needs to use unswapped length to send reply
+
+ CVE-2024-31080
+
+ Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+ Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+ (cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b)
+
+commit 5ca3a95135d9c89753e2af19da5a2615ea2be1c3
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu Mar 21 18:08:35 2024 -0700
+
+ Xext: SProcSyncCreateFence needs to swap drawable id too
+
+ Otherwise it causes the server to return BadDrawable giving a
+ byte-swapped resource id instead of the real id the client sent.
+
+ Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+ Fixes: 397dfd9f8 ("Create/Destroy/Trigger/Reset/Query Fence Sync objs")
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ ---
+ (cherry picked from commit e6573baa7d99a77f44229b9a96a41bbda57e2387)
+
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1438>
+
+commit 5d7272f05d9ef6bef93419febee3c9dfc63ec055
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sat Mar 23 10:42:33 2024 -0700
+
+ Allow disabling byte-swapped clients
+
+ The X server swapping code is a huge attack surface, much of this code
+ is untested and prone to security issues. The use-case of byte-swapped
+ clients is very niche, so allow users to disable this if they don't
+ need it, using either a config option or commandline flag.
+
+ For Xorg, this adds the ServerFlag "AllowByteSwappedClients" "off".
+ For all DDX, this adds the commandline options +byteswappedclients and
+ -byteswappedclients to enable or disable, respectively.
+
+ Fixes #1201
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ ---
+ (cherry picked from commit 412777664a20dd3561b936c02c96571a756fe9b2)
+ (cherry picked from commit af5cd5acc9012e527ee869f8e98bf6c2e9a02ca4)
+ Backport to server-21.1-branch modified to keep byte-swapping enabled
+ by default but easy to disable by users or admins (or even by distros
+ shipping an xorg.conf.d fragment in their packages).
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1440>
+
+commit 8a46a463f631ed52613d67f4088924acbbb6ca20
+Author: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun Dec 5 22:05:08 2021 +0100
+
+ Initialize Mode->name in xf86CVTMode()
+
+ This was overlooked when converting the function to use libxcvt.
+ Bring back name initialization from old code.
+
+ This was causing a segfault in xf86LookupMode() if modes where
+ name is NULL are present the modePool list.
+
+ Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+ ---
+ (cherry picked from ed11c4d443ad2e82512df64358d38008e0ee7693)
+
+ Reported-by: "Sergiy" <Black_N@ukr.net>
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1319>
+
+commit f653d9a0af912e577fab5c02b2a4eb380d33e8bb
+Author: Yusuf Khan <yusisamerican@gmail.com>
+Date: Sat Feb 17 12:38:10 2024 -0800
+
+ hw/xfree86: fix NULL pointer refrence to mode name
+
+ Potentially, the pointer to the mode name could be unset, this can
+ occur with the xf86-video-nv DDX, in that case there isnt much we can do
+ except check if the next mode is any better.
+
+ Signed-off-by: Yusuf Khan <yusisamerican@gmail.com>
+ ---
+ (cherry picked from db3aa4e03b180244e8b4b02272c49f1e0c48b463)
+
+ Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1309>
+
+commit 8b75ec34dfbe435cd3a17e64138e22a37395a6d8
+Author: Povilas Kanapickas <povilas@radix.lt>
+Date: Sun Dec 19 18:11:07 2021 +0200
+
+ dix: Fix use after free in input device shutdown
+
+ This fixes access to freed heap memory via dev->master. E.g. when
+ running BarrierNotify.ReceivesNotifyEvents/7 test from
+ xorg-integration-tests:
+
+ ==24736==ERROR: AddressSanitizer: heap-use-after-free on address
+ 0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
+ READ of size 4 at 0x619000065020 thread T0
+ #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
+ #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
+ #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
+ ../../../Xi/xichangehierarchy.c:95
+ #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
+ ../../../hw/xfree86/common/xf86Xinput.c:1142
+ #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+ #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+ #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
+ #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+ (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+ #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
+
+ 0x619000065020 is located 160 bytes inside of 912-byte region
+ [0x619000064f80,0x619000065310)
+ freed by thread T0 here:
+ (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
+ #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
+ #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
+ ../../../hw/xfree86/common/xf86Xinput.c:1142
+ #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+ #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+ #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
+ #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+ (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+
+ previously allocated by thread T0 here:
+ (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
+ #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
+ #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
+ #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
+ ../../../Xi/xichangehierarchy.c:465
+ #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
+ #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
+ #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
+ #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+ (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+
+ The problem is caused by dev->master being not reset when disabling the
+ device, which then causes dangling pointer when the master device itself
+ is being deleted when exiting whole server.
+
+ Note that RecalculateMasterButtons() requires dev->master to be still
+ valid, so we can reset it only at the end of function.
+
+ Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+ (cherry picked from commit 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41)
+
commit 31407c0199da877b359b2e37bb371804321279b7
Author: José Expósito <jose.exposito89@gmail.com>
Date: Tue Jan 16 10:15:15 2024 +0100
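Review bot: the "Allow disabling byte-swapped clients" entry says this backport keeps byte-swapping enabled by default, so the hardening only takes effect if someone turns it on, and nothing in this sync tells users that. Three of the CVE entries in the same hunk (CVE-2024-31080, CVE-2024-31081, CVE-2024-31082) are "needs to use unswapped length to send reply" fixes, which is exactly the code that entry describes as "a huge attack surface". I would mention in the commit message or the accompanying release notes that admins who do not need byte-swapped clients can set the ServerFlag "AllowByteSwappedClients" "off" or start the server with -byteswappedclients, and consider whether an xorg.conf.d fragment doing so should ship, as the entry itself suggests distros may do.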