reverted last commit
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=44
This commit is contained in:
Git OBS Bridge
parent
b3142d5467
commit
5d22bf2264
@ -1,13 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 20 12:15:47 UTC 2018 - sndirsch@suse.com
|
||||
|
||||
- u_off-by-one-write-in-XListExtensions.patch
|
||||
* fixes off-by-one write in XListExtensions (bsc#1102062, CVE-2018-14599)
|
||||
- u_out-of-boundary-write-in-XListExtensions.patch
|
||||
* fixes out of boundary write in XListExtensions (bsc#1102068, CVE-2018-14600)
|
||||
- u_crash-on-invalid-reply-in-XListExtensions.patch
|
||||
* crash on invalid reply in XListExtensions (bsc#1102073, CVE-2018-14598)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 15 09:01:19 UTC 2018 - msrb@suse.com
|
||||
|
||||
|
||||
@ -36,12 +36,6 @@ Patch9: p_xlib_skip_ext_env.diff
|
||||
Patch15: en-locales.diff
|
||||
# PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8.
|
||||
Patch16: u_Use-flexible-array-member-instead-of-fake-size.patch
|
||||
# CVE-2018-14599
|
||||
Patch1102062: u_off-by-one-write-in-XListExtensions.patch
|
||||
# CVE-2018-14600
|
||||
Patch1102068: u_out-of-boundary-write-in-XListExtensions.patch
|
||||
# CVE-2018-14598
|
||||
Patch1102073: u_crash-on-invalid-reply-in-XListExtensions.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: autoconf >= 2.60
|
||||
@ -151,9 +145,6 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
|
||||
%patch9 -p0
|
||||
%patch15 -p0
|
||||
%patch16 -p1
|
||||
%patch1102062 -p1
|
||||
%patch1102068 -p1
|
||||
%patch1102073 -p1
|
||||
|
||||
%build
|
||||
# Got patches which change auto*files
|
||||
|
||||
@ -1,46 +0,0 @@
|
||||
From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Dirsch <sndirsch@suse.de>
|
||||
Date: Tue, 14 Aug 2018 11:46:40 +0200
|
||||
Subject: [PATCH] crash on invalid reply in XListExtensions
|
||||
References: bsc#1102073 CVE-2018-14598
|
||||
|
||||
If the server sends a reply in which even the first string would
|
||||
overflow the transmitted bytes, list[0] will be set to NULL and
|
||||
a count of 0 is returned.
|
||||
|
||||
If the resulting list is freed with XFreeExtensionList later on,
|
||||
the first Xfree call:
|
||||
|
||||
Xfree (list[0]-1)
|
||||
turns into
|
||||
Xfree (NULL-1)
|
||||
|
||||
which will most likely trigger a segmentation fault.
|
||||
|
||||
I have modified the code to return NULL if the first string would
|
||||
overflow, thus protecting XFreeExtensionList later on.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
src/ListExt.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/ListExt.c b/src/ListExt.c
|
||||
index 6537c4dc..ece9ba31 100644
|
||||
--- a/src/ListExt.c
|
||||
+++ b/src/ListExt.c
|
||||
@@ -83,6 +83,11 @@ char **XListExtensions(
|
||||
length = (unsigned char) *ch;
|
||||
*ch = '\0'; /* and replace with null-termination */
|
||||
count++;
|
||||
+ } else if (i == 0) {
|
||||
+ Xfree(list);
|
||||
+ Xfree(ch);
|
||||
+ list = NULL;
|
||||
+ break;
|
||||
} else
|
||||
list[i] = NULL;
|
||||
}
|
||||
--
|
||||
2.16.4
|
||||
|
||||
@ -1,67 +0,0 @@
|
||||
From b4692168dfd66cdcd91d970ff255ded144d6ef95 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Dirsch <sndirsch@suse.de>
|
||||
Date: Mon, 23 Jul 2018 14:26:05 +0200
|
||||
Subject: [PATCH] off-by-one write in XListExtensions
|
||||
References: bsc#1102062 CVE-2018-14599
|
||||
|
||||
The function XListExtensions is vulnerable to an off-by-one override on
|
||||
malicious server responses.
|
||||
|
||||
The server reply consists of extension names consisting of a length byte
|
||||
followed by actual string, which is not NUL-terminated.
|
||||
|
||||
While parsing the response, the length byte is overridden with '\0',
|
||||
thus the memory area can be used as storage of C strings later on. To
|
||||
be able to NUL-terminate the last string, the buffer is reserved with
|
||||
an additional byte of space.
|
||||
|
||||
For a boundary check, the variable chend (end of ch) was introduced,
|
||||
pointing at the end of the buffer which ch initially points to.
|
||||
Unfortunately there is a difference in handling "the end of ch".
|
||||
|
||||
While chend points at the first byte that must not be written to,
|
||||
the for-loop uses chend as the last byte that can be written to.
|
||||
|
||||
Therefore, an off-by-one can occur.
|
||||
|
||||
I have refactored the code so chend actually points to the last byte
|
||||
that can be written to without an out of boundary access. As it is not
|
||||
possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
|
||||
with the corrected chend meaning, I removed the inner if-check.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
src/ListExt.c | 12 ++++--------
|
||||
1 file changed, 4 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/ListExt.c b/src/ListExt.c
|
||||
index 7fdf9932..8f344ac0 100644
|
||||
--- a/src/ListExt.c
|
||||
+++ b/src/ListExt.c
|
||||
@@ -74,19 +74,15 @@ char **XListExtensions(
|
||||
/*
|
||||
* unpack into null terminated strings.
|
||||
*/
|
||||
- chend = ch + (rlen + 1);
|
||||
+ chend = ch + rlen;
|
||||
length = *ch;
|
||||
for (i = 0; i < rep.nExtensions; i++) {
|
||||
if (ch + length < chend) {
|
||||
list[i] = ch+1; /* skip over length */
|
||||
ch += length + 1; /* find next length ... */
|
||||
- if (ch <= chend) {
|
||||
- length = *ch;
|
||||
- *ch = '\0'; /* and replace with null-termination */
|
||||
- count++;
|
||||
- } else {
|
||||
- list[i] = NULL;
|
||||
- }
|
||||
+ length = *ch;
|
||||
+ *ch = '\0'; /* and replace with null-termination */
|
||||
+ count++;
|
||||
} else
|
||||
list[i] = NULL;
|
||||
}
|
||||
--
|
||||
2.16.4
|
||||
|
||||
@ -1,41 +0,0 @@
|
||||
From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Dirsch <sndirsch@suse.de>
|
||||
Date: Mon, 23 Jul 2018 14:30:54 +0200
|
||||
Subject: [PATCH] out of boundary write in XListExtensions
|
||||
References: bsc#1102068 CVE-2018-14600
|
||||
|
||||
The length value is interpreted as signed char on many systems
|
||||
(depending on default signedness of char), which can lead to an out of
|
||||
boundary write up to 128 bytes in front of the allocated storage, but
|
||||
limited to NUL byte(s).
|
||||
|
||||
Casting the length value to unsigned char fixes the problem and allows
|
||||
string values with up to 255 characters.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
src/ListExt.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/ListExt.c b/src/ListExt.c
|
||||
index 8f344ac0..6537c4dc 100644
|
||||
--- a/src/ListExt.c
|
||||
+++ b/src/ListExt.c
|
||||
@@ -75,12 +75,12 @@ char **XListExtensions(
|
||||
* unpack into null terminated strings.
|
||||
*/
|
||||
chend = ch + rlen;
|
||||
- length = *ch;
|
||||
+ length = (unsigned char) *ch;
|
||||
for (i = 0; i < rep.nExtensions; i++) {
|
||||
if (ch + length < chend) {
|
||||
list[i] = ch+1; /* skip over length */
|
||||
ch += length + 1; /* find next length ... */
|
||||
- length = *ch;
|
||||
+ length = (unsigned char) *ch;
|
||||
*ch = '\0'; /* and replace with null-termination */
|
||||
count++;
|
||||
} else
|
||||
--
|
||||
2.16.4
|
||||
|
||||
Loading…
Reference in New Issue
Block a user