diff --git a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch b/U_Use-getentropy-if-arc4random_buf-is-not-available.patch deleted file mode 100644 index 99eeb1f..0000000 --- a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch +++ /dev/null @@ -1,142 +0,0 @@ -From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Tue, 4 Apr 2017 19:12:53 +0200 -Subject: [PATCH] Use getentropy() if arc4random_buf() is not available - -This allows to fix CVE-2017-2626 on Linux platforms without pulling in -libbsd. -The libc getentropy() is available since glibc 2.25 but also on OpenBSD. -For Linux, we need at least a v3.17 kernel. If the recommended -arc4random_buf() function is not available, emulate it by first trying -to use getentropy() on a supported glibc and kernel. If the call fails, -fall back to the current (partly vulnerable) code. - -Signed-off-by: Benjamin Tissoires -Reviewed-by: Mark Kettenis -Reviewed-by: Alan Coopersmith -Signed-off-by: Peter Hutterer ---- - configure.ac | 2 +- - src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++----------------- - 2 files changed, 47 insertions(+), 20 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 458882a..c971ab6 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type]) - - # Checks for library functions. - AC_CHECK_LIB([bsd], [arc4random_buf]) --AC_CHECK_FUNCS([asprintf arc4random_buf]) -+AC_CHECK_FUNCS([asprintf arc4random_buf getentropy]) - - # Allow checking code with lint, sparse, etc. - XORG_WITH_LINT -diff --git a/src/iceauth.c b/src/iceauth.c -index ed31683..de4785b 100644 ---- a/src/iceauth.c -+++ b/src/iceauth.c -@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium - - static int was_called_state; - --/* -- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by -- * the SI. It is not part of standard ICElib. -- */ -+#ifndef HAVE_ARC4RANDOM_BUF - -- --char * --IceGenerateMagicCookie ( -+static void -+emulate_getrandom_buf ( -+ char *auth, - int len - ) - { -- char *auth; --#ifndef HAVE_ARC4RANDOM_BUF - long ldata[2]; - int seed; - int value; - int i; --#endif - -- if ((auth = malloc (len + 1)) == NULL) -- return (NULL); -- --#ifdef HAVE_ARC4RANDOM_BUF -- arc4random_buf(auth, len); --#else - #ifdef ITIMER_REAL - { - struct timeval now; -@@ -76,13 +64,13 @@ IceGenerateMagicCookie ( - ldata[0] = now.tv_sec; - ldata[1] = now.tv_usec; - } --#else -+#else /* ITIMER_REAL */ - { - long time (); - ldata[0] = time ((long *) 0); - ldata[1] = getpid (); - } --#endif -+#endif /* ITIMER_REAL */ - seed = (ldata[0]) + (ldata[1] << 16); - srand (seed); - for (i = 0; i < len; i++) -@@ -90,7 +78,46 @@ IceGenerateMagicCookie ( - value = rand (); - auth[i] = value & 0xff; - } --#endif -+} -+ -+static void -+arc4random_buf ( -+ char *auth, -+ int len -+) -+{ -+ int ret; -+ -+#if HAVE_GETENTROPY -+ /* weak emulation of arc4random through the entropy libc */ -+ ret = getentropy (auth, len); -+ if (ret == 0) -+ return; -+#endif /* HAVE_GETENTROPY */ -+ -+ emulate_getrandom_buf (auth, len); -+} -+ -+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */ -+ -+/* -+ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by -+ * the SI. It is not part of standard ICElib. -+ */ -+ -+ -+char * -+IceGenerateMagicCookie ( -+ int len -+) -+{ -+ char *auth; -+ -+ if ((auth = malloc (len + 1)) == NULL) -+ return (NULL); -+ -+ arc4random_buf (auth, len); -+ - auth[len] = '\0'; - return (auth); - } --- -2.12.3 - diff --git a/libICE-1.0.10.tar.bz2 b/libICE-1.0.10.tar.bz2 new file mode 100644 index 0000000..aa89dd5 --- /dev/null +++ b/libICE-1.0.10.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6f86dce12cf4bcaf5c37dddd8b1b64ed2ddf1ef7b218f22b9942595fb747c348 +size 393116 diff --git a/libICE-1.0.9.tar.bz2 b/libICE-1.0.9.tar.bz2 deleted file mode 100644 index 6a6dbee..0000000 --- a/libICE-1.0.9.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8f7032f2c1c64352b5423f6b48a8ebdc339cc63064af34d66a6c9aa79759e202 -size 384921 diff --git a/libICE.changes b/libICE.changes index 36fb695..bb2c5ec 100644 --- a/libICE.changes +++ b/libICE.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Mon Jul 15 09:45:31 UTC 2019 - Stefan Dirsch + +- Update to version 1.0.10 + * This release provides a fix for CVE-2017-2626 for platforms + which don't have arc4random_buf() in their default libraries + but do have getentropy(), such as Linux platforms with a kernel + version of 3.17 or newer and a glibc version of 2.25 or newer. + (libICE 1.0.9 already ensured that arc4random_buf() is used on + platforms that have it to provide sufficient entropy in ICE + key generation, but left other platforms with the weaker methods. + Linux platforms could also have linked against libbsd to use + arc4random_buf() with libICE 1.0.9 for stronger keys.) +- supersedes U_Use-getentropy-if-arc4random_buf-is-not-available.patch + ------------------------------------------------------------------- Sun Jun 11 18:00:24 UTC 2017 - sndirsch@suse.com diff --git a/libICE.spec b/libICE.spec index 04b2780..7a005cc 100644 --- a/libICE.spec +++ b/libICE.spec @@ -1,7 +1,7 @@ # # spec file for package libICE # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,13 +12,13 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: libICE %define lname libICE6 -Version: 1.0.9 +Version: 1.0.10 Release: 0 Summary: X11 Inter-Client Exchange Library License: MIT @@ -29,7 +29,6 @@ Url: http://xorg.freedesktop.org/ #Git-Web: http://cgit.freedesktop.org/xorg/lib/libICE/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 Source1: baselibs.conf -Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build #git#BuildRequires: autoconf >= 2.60, automake, libtool BuildRequires: autoconf @@ -81,7 +80,6 @@ in %lname. %prep %setup -q -%patch0 -p1 %build autoreconf -fi