Accepting request 715444 from X11:XOrg

- Update to version 1.0.10 * This release provides a fix for CVE-2017-2626 for platforms which don't have arc4random_buf() in their default libraries but do have getentropy(), such as Linux platforms with a kernel version of 3.17 or newer and a glibc version of 2.25 or newer. (libICE 1.0.9 already ensured that arc4random_buf() is used on platforms that have it to provide sufficient entropy in ICE key generation, but left other platforms with the weaker methods. Linux platforms could also have linked against libbsd to use arc4random_buf() with libICE 1.0.9 for stronger keys.) - supersedes U_Use-getentropy-if-arc4random_buf-is-not-available.patch OBS-URL: https://build.opensuse.org/request/show/715444 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libICE?expand=0&rev=10
2019-07-17 12:22:43 +00:00 · 2019-07-17 12:22:43 +00:00 · 9abb62ba9b
commit 9abb62ba9b
parent abf095dd96 122b710b9c
5 changed files with 21 additions and 150 deletions
--- a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+++ b/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
@ -1,142 +0,0 @@
-From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
-Date: Tue, 4 Apr 2017 19:12:53 +0200
-Subject: [PATCH] Use getentropy() if arc4random_buf() is not available
-
-This allows to fix CVE-2017-2626 on Linux platforms without pulling in
-libbsd.
-The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
-For Linux, we need at least a v3.17 kernel. If the recommended
-arc4random_buf() function is not available, emulate it by first trying
-to use getentropy() on a supported glibc and kernel. If the call fails,
-fall back to the current (partly vulnerable) code.
-
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
-Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
- configure.ac  |  2 +-
- src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++-----------------
- 2 files changed, 47 insertions(+), 20 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 458882a..c971ab6 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
- 
- # Checks for library functions.
- AC_CHECK_LIB([bsd], [arc4random_buf])
-AC_CHECK_FUNCS([asprintf arc4random_buf])
-+AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
- 
- # Allow checking code with lint, sparse, etc.
- XORG_WITH_LINT
-diff --git a/src/iceauth.c b/src/iceauth.c
-index ed31683..de4785b 100644
--- a/src/iceauth.c
-+++ b/src/iceauth.c
-@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium
- 
- static int was_called_state;
- 
-/*
- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
- * the SI.  It is not part of standard ICElib.
- */
-+#ifndef HAVE_ARC4RANDOM_BUF
- 
-
-char *
-IceGenerateMagicCookie (
-+static void
-+emulate_getrandom_buf (
-+	char *auth,
- 	int len
- )
- {
-    char    *auth;
-#ifndef HAVE_ARC4RANDOM_BUF
-     long    ldata[2];
-     int	    seed;
-     int	    value;
-     int	    i;
-#endif
- 
-    if ((auth = malloc (len + 1)) == NULL)
-	return (NULL);
-
-#ifdef HAVE_ARC4RANDOM_BUF
-    arc4random_buf(auth, len);
-#else
- #ifdef ITIMER_REAL
-     {
- 	struct timeval  now;
-@@ -76,13 +64,13 @@ IceGenerateMagicCookie (
- 	ldata[0] = now.tv_sec;
- 	ldata[1] = now.tv_usec;
-     }
-#else
-+#else /* ITIMER_REAL */
-     {
- 	long    time ();
- 	ldata[0] = time ((long *) 0);
- 	ldata[1] = getpid ();
-     }
-#endif
-+#endif /* ITIMER_REAL */
-     seed = (ldata[0]) + (ldata[1] << 16);
-     srand (seed);
-     for (i = 0; i < len; i++)
-@@ -90,7 +78,46 @@ IceGenerateMagicCookie (
- 	value = rand ();
- 	auth[i] = value & 0xff;
-     }
-#endif
-+}
-+
-+static void
-+arc4random_buf (
-+	char *auth,
-+	int len
-+)
-+{
-+    int	    ret;
-+
-+#if HAVE_GETENTROPY
-+    /* weak emulation of arc4random through the entropy libc */
-+    ret = getentropy (auth, len);
-+    if (ret == 0)
-+	return;
-+#endif /* HAVE_GETENTROPY */
-+
-+    emulate_getrandom_buf (auth, len);
-+}
-+
-+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
-+
-+/*
-+ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
-+ * the SI.  It is not part of standard ICElib.
-+ */
-+
-+
-+char *
-+IceGenerateMagicCookie (
-+	int len
-+)
-+{
-+    char    *auth;
-+
-+    if ((auth = malloc (len + 1)) == NULL)
-+	return (NULL);
-+
-+    arc4random_buf (auth, len);
-+
-     auth[len] = '\0';
-     return (auth);
- }
-- 
-2.12.3
-
--- a/libICE-1.0.10.tar.bz2
+++ b/libICE-1.0.10.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6f86dce12cf4bcaf5c37dddd8b1b64ed2ddf1ef7b218f22b9942595fb747c348
+size 393116
--- a/libICE-1.0.9.tar.bz2
+++ b/libICE-1.0.9.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8f7032f2c1c64352b5423f6b48a8ebdc339cc63064af34d66a6c9aa79759e202
-size 384921
--- a/libICE.changes
+++ b/libICE.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Mon Jul 15 09:45:31 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to version 1.0.10
+  * This release provides a fix for CVE-2017-2626 for platforms 
+    which don't have arc4random_buf() in their default libraries
+    but do have getentropy(), such as Linux platforms with a kernel
+    version of 3.17 or newer and a glibc version of 2.25 or newer.
+    (libICE 1.0.9 already ensured that arc4random_buf() is used on
+    platforms that have it to provide sufficient entropy in ICE
+    key generation, but left other platforms with the weaker methods.
+    Linux platforms could also have linked against libbsd to use
+    arc4random_buf() with libICE 1.0.9 for stronger keys.)
+- supersedes U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+
 -------------------------------------------------------------------
 Sun Jun 11 18:00:24 UTC 2017 - sndirsch@suse.com

--- a/libICE.spec
+++ b/libICE.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libICE
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,13 +12,13 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


 Name:           libICE
 %define lname	libICE6
-Version:        1.0.9
+Version:        1.0.10
 Release:        0
 Summary:        X11 Inter-Client Exchange Library
 License:        MIT
@ -29,7 +29,6 @@ Url:            http://xorg.freedesktop.org/
 #Git-Web:	http://cgit.freedesktop.org/xorg/lib/libICE/
 Source:         http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
-Patch0:         U_Use-getentropy-if-arc4random_buf-is-not-available.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires:	autoconf >= 2.60, automake, libtool
 BuildRequires:  autoconf
@ -81,7 +80,6 @@ in %lname.

 %prep
 %setup -q
-%patch0 -p1

 %build
 autoreconf -fi