From 122b710b9c01807d8311c6db988482968dfbeaa41ca5ad95c5587d9d0e4879a6 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Mon, 15 Jul 2019 09:49:23 +0000
Subject: [PATCH] - Update to version 1.0.10
* This release provides a fix for CVE-2017-2626 for platforms which don't have arc4random_buf() in their default libraries but do have getentropy(), such as Linux platforms with a kernel version of 3.17 or newer and a glibc version of 2.25 or newer. (libICE 1.0.9 already ensured that arc4random_buf() is used on platforms that have it to provide sufficient entropy in ICE key generation, but left other platforms with the weaker methods. Linux platforms could also have linked against libbsd to use arc4random_buf() with libICE 1.0.9 for stronger keys.)
- supersedes U_Use-getentropy-if-arc4random_buf-is-not-available.patch
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libICE?expand=0&rev=18
---
 ...y-if-arc4random_buf-is-not-available.patch | 142 ------------------
 libICE-1.0.10.tar.bz2 | 3 +
 libICE-1.0.9.tar.bz2 | 3 -
 libICE.changes | 15 ++
 libICE.spec | 8 +-
 5 files changed, 21 insertions(+), 150 deletions(-)
 delete mode 100644 U_Use-getentropy-if-arc4random_buf-is-not-available.patch
 create mode 100644 libICE-1.0.10.tar.bz2
 delete mode 100644 libICE-1.0.9.tar.bz2
diff --git a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch b/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
deleted file mode 100644
index 99eeb1f..0000000
--- a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Tue, 4 Apr 2017 19:12:53 +0200
-Subject: [PATCH] Use getentropy() if arc4random_buf() is not available
-
-This allows to fix CVE-2017-2626 on Linux platforms without pulling in
-libbsd.
-The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
-For Linux, we need at least a v3.17 kernel. If the recommended
-arc4random_buf() function is not available, emulate it by first trying
-to use getentropy() on a supported glibc and kernel. If the call fails,
-fall back to the current (partly vulnerable) code.
-
-Signed-off-by: Benjamin Tissoires
-Reviewed-by: Mark Kettenis
-Reviewed-by: Alan Coopersmith
-Signed-off-by: Peter Hutterer
----
- configure.ac | 2 +-
- src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++-----------------
- 2 files changed, 47 insertions(+), 20 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 458882a..c971ab6 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
-
- # Checks for library functions.
- AC_CHECK_LIB([bsd], [arc4random_buf])
--AC_CHECK_FUNCS([asprintf arc4random_buf])
-+AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
-
- # Allow checking code with lint, sparse, etc.
- XORG_WITH_LINT
-diff --git a/src/iceauth.c b/src/iceauth.c
-index ed31683..de4785b 100644
---- a/src/iceauth.c
-+++ b/src/iceauth.c
-@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium
-
- static int was_called_state;
-
--/*
-- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
-- * the SI. It is not part of standard ICElib.
-- */
-+#ifndef HAVE_ARC4RANDOM_BUF
-
--
--char *
--IceGenerateMagicCookie (
-+static void
-+emulate_getrandom_buf (
-+ char *auth,
- int len
- )
- {
-- char *auth;
--#ifndef HAVE_ARC4RANDOM_BUF
- long ldata[2];
- int seed;
- int value;
- int i;
--#endif
-
- if ((auth = malloc (len + 1)) == NULL)
-- return (NULL);
--
--#ifdef HAVE_ARC4RANDOM_BUF
-- arc4random_buf(auth, len);
--#else
- #ifdef ITIMER_REAL
- {
- struct timeval now;
-@@ -76,13 +64,13 @@ IceGenerateMagicCookie (
- ldata[0] = now.tv_sec;
- ldata[1] = now.tv_usec;
- }
--#else
-+#else /* ITIMER_REAL */
- {
- long time ();
- ldata[0] = time ((long *) 0);
- ldata[1] = getpid ();
- }
--#endif
-+#endif /* ITIMER_REAL */
- seed = (ldata[0]) + (ldata[1] << 16);
- srand (seed);
- for (i = 0; i < len; i++)
-@@ -90,7 +78,46 @@ IceGenerateMagicCookie (
- value = rand ();
- auth[i] = value & 0xff;
- }
--#endif
-+}
-+
-+static void
-+arc4random_buf (
-+ char *auth,
-+ int len
-+)
-+{
-+ int ret;
-+
-+#if HAVE_GETENTROPY
-+ /* weak emulation of arc4random through the entropy libc */
-+ ret = getentropy (auth, len);
-+ if (ret == 0)
-+ return;
-+#endif /* HAVE_GETENTROPY */
-+
-+ emulate_getrandom_buf (auth, len);
-+}
-+
-+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
-+
-+/*
-+ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
-+ * the SI. It is not part of standard ICElib.
-+ */
-+
-+
-+char *
-+IceGenerateMagicCookie (
-+ int len
-+)
-+{
-+ char *auth;
-+
-+ if ((auth = malloc (len + 1)) == NULL)
-+ return (NULL);
-+
-+ arc4random_buf (auth, len);
-+
- auth[len] = '\0';
- return (auth);
- }
---
-2.12.3
-
diff --git a/libICE-1.0.10.tar.bz2 b/libICE-1.0.10.tar.bz2
new file mode 100644
index 0000000..aa89dd5
--- /dev/null
+++ b/libICE-1.0.10.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6f86dce12cf4bcaf5c37dddd8b1b64ed2ddf1ef7b218f22b9942595fb747c348
+size 393116
diff --git a/libICE-1.0.9.tar.bz2 b/libICE-1.0.9.tar.bz2
deleted file mode 100644
index 6a6dbee..0000000
--- a/libICE-1.0.9.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8f7032f2c1c64352b5423f6b48a8ebdc339cc63064af34d66a6c9aa79759e202
-size 384921
diff --git a/libICE.changes b/libICE.changes
index 36fb695..bb2c5ec 100644
--- a/libICE.changes
+++ b/libICE.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Mon Jul 15 09:45:31 UTC 2019 - Stefan Dirsch
+
+- Update to version 1.0.10
+ * This release provides a fix for CVE-2017-2626 for platforms
+ which don't have arc4random_buf() in their default libraries
+ but do have getentropy(), such as Linux platforms with a kernel
+ version of 3.17 or newer and a glibc version of 2.25 or newer.
+ (libICE 1.0.9 already ensured that arc4random_buf() is used on
+ platforms that have it to provide sufficient entropy in ICE
+ key generation, but left other platforms with the weaker methods.
+ Linux platforms could also have linked against libbsd to use
+ arc4random_buf() with libICE 1.0.9 for stronger keys.)
+- supersedes U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+
 -------------------------------------------------------------------
 Sun Jun 11 18:00:24 UTC 2017 - sndirsch@suse.com
diff --git a/libICE.spec b/libICE.spec
index 04b2780..7a005cc 100644
--- a/libICE.spec
+++ b/libICE.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libICE
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,13 +12,13 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 Name: libICE
 %define lname libICE6
-Version: 1.0.9
+Version: 1.0.10
 Release: 0
 Summary: X11 Inter-Client Exchange Library
 License: MIT
@@ -29,7 +29,6 @@ Url: http://xorg.freedesktop.org/
 #Git-Web: http://cgit.freedesktop.org/xorg/lib/libICE/
 Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 Source1: baselibs.conf
-Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires: autoconf >= 2.60, automake, libtool
 BuildRequires: autoconf
@@ -81,7 +80,6 @@ in %lname.
 %prep
 %setup -q
-%patch0 -p1
 %build
 autoreconf -fi