diff --git a/U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch b/U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch deleted file mode 100644 index ed63332..0000000 --- a/U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch +++ /dev/null @@ -1,23 +0,0 @@ -It's coming from a length in the protocol (unsigned) and passed -to functions that expect unsigned int parameters (_XCopyToArg() -and memcpy()). - -Signed-off-by: Matthieu Herrb -Reviewed-by: Todd Carson ---- - modules/im/ximcp/imRmAttr.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: libX11-1.6.5/modules/im/ximcp/imRmAttr.c -=================================================================== ---- libX11-1.6.5.orig/modules/im/ximcp/imRmAttr.c -+++ libX11-1.6.5/modules/im/ximcp/imRmAttr.c -@@ -214,7 +214,7 @@ _XimAttributeToValue( - Xic ic, - XIMResourceList res, - CARD16 *data, -- INT16 data_len, -+ CARD16 data_len, - XPointer value, - BITMASK32 mode) - { diff --git a/U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch b/U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch deleted file mode 100644 index fd5fdb9..0000000 --- a/U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch +++ /dev/null @@ -1,75 +0,0 @@ -From: Todd Carson - -Signed-off-by: Matthieu Herrb -Reviewed-by: Matthieu Herrb ---- - modules/im/ximcp/imRmAttr.c | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - -diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c -index d5d1939e..db3639de 100644 ---- a/modules/im/ximcp/imRmAttr.c -+++ b/modules/im/ximcp/imRmAttr.c -@@ -29,6 +29,8 @@ PERFORMANCE OF THIS SOFTWARE. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include -+ - #include "Xlibint.h" - #include "Xlcint.h" - #include "Ximint.h" -@@ -250,18 +252,24 @@ _XimAttributeToValue( - - case XimType_XIMStyles: - { -- INT16 num = data[0]; -+ CARD16 num = data[0]; - register CARD32 *style_list = (CARD32 *)&data[2]; - XIMStyle *style; - XIMStyles *rep; - register int i; - char *p; -- int alloc_len; -+ unsigned int alloc_len; - - if (!(value)) - return False; - -+ if (num > (USHRT_MAX / sizeof(XIMStyle))) -+ return False; -+ if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len) -+ return False; - alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num; -+ if (alloc_len < sizeof(XIMStyles)) -+ return False; - if (!(p = Xmalloc(alloc_len))) - return False; - -@@ -357,19 +365,25 @@ _XimAttributeToValue( - - case XimType_XIMHotKeyTriggers: - { -- INT32 num = *((CARD32 *)data); -+ CARD32 num = *((CARD32 *)data); - register CARD32 *key_list = (CARD32 *)&data[2]; - XIMHotKeyTrigger *key; - XIMHotKeyTriggers *rep; - register int i; - char *p; -- int alloc_len; -+ unsigned int alloc_len; - - if (!(value)) - return False; - -+ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger))) -+ return False; -+ if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len) -+ return False; - alloc_len = sizeof(XIMHotKeyTriggers) - + sizeof(XIMHotKeyTrigger) * num; -+ if (alloc_len < sizeof(XIMHotKeyTriggers)) -+ return False; - if (!(p = Xmalloc(alloc_len))) - return False; diff --git a/U_003-FixMoreUncheckedLengths.patch b/U_003-FixMoreUncheckedLengths.patch deleted file mode 100644 index 098254e..0000000 --- a/U_003-FixMoreUncheckedLengths.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Todd Carson - -Signed-off-by: Matthieu Herrb -Reviewed-by: Matthieu Herrb ---- - modules/im/ximcp/imRmAttr.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c -index db3639de..b7591a07 100644 ---- a/modules/im/ximcp/imRmAttr.c -+++ b/modules/im/ximcp/imRmAttr.c -@@ -321,7 +321,7 @@ _XimAttributeToValue( - - case XimType_XFontSet: - { -- INT16 len = data[0]; -+ CARD16 len = data[0]; - char *base_name; - XFontSet rep = (XFontSet)NULL; - char **missing_list = NULL; -@@ -332,11 +332,12 @@ _XimAttributeToValue( - return False; - if (!ic) - return False; -- -+ if (len > data_len) -+ return False; - if (!(base_name = Xmalloc(len + 1))) - return False; - -- (void)strncpy(base_name, (char *)&data[1], (int)len); -+ (void)strncpy(base_name, (char *)&data[1], (size_t)len); - base_name[len] = '\0'; - - if (mode & XIM_PREEDIT_ATTR) { diff --git a/U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch b/U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch deleted file mode 100644 index 9133df7..0000000 --- a/U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Todd Carson - -The lengths are unsigned according to the specification. Passing -negative values can lead to data corruption. - -Signed-off-by: Matthieu Herrb -Reviewed-by: Matthieu Herrb ---- - modules/im/ximcp/imRmAttr.c | 21 +++++++++++---------- - 1 file changed, 11 insertions(+), 10 deletions(-) - -Index: libX11-1.6.5/modules/im/ximcp/imRmAttr.c -=================================================================== ---- libX11-1.6.5.orig/modules/im/ximcp/imRmAttr.c -+++ libX11-1.6.5/modules/im/ximcp/imRmAttr.c -@@ -1393,13 +1393,13 @@ _XimEncodeSavedICATTRIBUTE( - - static unsigned int - _XimCountNumberOfAttr( -- INT16 total, -- CARD16 *attr, -- int *names_len) -+ CARD16 total, -+ CARD16 *attr, -+ unsigned int *names_len) - { - unsigned int n; -- INT16 len; -- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */ -+ CARD16 len; -+ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */ - + sizeof(CARD16) /* sizeof type of value */ - + sizeof(INT16); /* sizeof length of attribute */ - -@@ -1407,6 +1407,9 @@ _XimCountNumberOfAttr( - *names_len = 0; - while (total > min_len) { - len = attr[2]; -+ if (len >= (total - min_len)) { -+ return 0; -+ } - *names_len += (len + 1); - len += (min_len + XIM_PAD(len + 2)); - total -= len; -@@ -1421,17 +1424,15 @@ _XimGetAttributeID( - Xim im, - CARD16 *buf) - { -- unsigned int n; -+ unsigned int n, names_len, values_len; - XIMResourceList res; - char *names; -- int names_len; - XPointer tmp; - XIMValuesList *values_list; - char **values; -- int values_len; - register int i; -- INT16 len; -- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */ -+ CARD16 len; -+ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */ - + sizeof(CARD16) /* sizeof type of value */ - + sizeof(INT16); /* sizeof length of attr */ - /* diff --git a/U_005-ZeroOutBuffersInFunctions.patch b/U_005-ZeroOutBuffersInFunctions.patch deleted file mode 100644 index 16fd340..0000000 --- a/U_005-ZeroOutBuffersInFunctions.patch +++ /dev/null @@ -1,151 +0,0 @@ -From: Todd Carson - -It looks like uninitialized stack or heap memory can leak -out via padding bytes. - -Signed-off-by: Matthieu Herrb -Reviewed-by: Matthieu Herrb ---- - modules/im/ximcp/imDefIc.c | 6 ++++-- - modules/im/ximcp/imDefIm.c | 25 +++++++++++++++++-------- - 2 files changed, 21 insertions(+), 10 deletions(-) - -Index: libX11-1.6.5/modules/im/ximcp/imDefIc.c -=================================================================== ---- libX11-1.6.5.orig/modules/im/ximcp/imDefIc.c -+++ libX11-1.6.5/modules/im/ximcp/imDefIc.c -@@ -351,7 +351,7 @@ _XimProtoGetICValues( - + sizeof(INT16) - + XIM_PAD(2 + buf_size); - -- if (!(buf = Xmalloc(buf_size))) -+ if (!(buf = Xcalloc(buf_size, 1))) - return arg->name; - buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; - -@@ -709,6 +709,7 @@ _XimProtoSetICValues( - #endif /* XIM_CONNECTABLE */ - - _XimGetCurrentICValues(ic, &ic_values); -+ memset(tmp_buf, 0, sizeof(tmp_buf32)); - buf = tmp_buf; - buf_size = XIM_HEADER_SIZE - + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16); -@@ -731,7 +732,7 @@ _XimProtoSetICValues( - - buf_size += ret_len; - if (buf == tmp_buf) { -- if (!(tmp = Xmalloc(buf_size + data_len))) { -+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { - return tmp_name; - } - memcpy(tmp, buf, buf_size); -@@ -741,6 +742,7 @@ _XimProtoSetICValues( - Xfree(buf); - return tmp_name; - } -+ memset(&tmp[buf_size], 0, data_len); - buf = tmp; - } - } -Index: libX11-1.6.5/modules/im/ximcp/imDefIm.c -=================================================================== ---- libX11-1.6.5.orig/modules/im/ximcp/imDefIm.c -+++ libX11-1.6.5/modules/im/ximcp/imDefIm.c -@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE. - #include "XimTrInt.h" - #include "Ximint.h" - -+#include - - int - _XimCheckDataSize( -@@ -809,12 +810,16 @@ _XimOpen( - int buf_size; - int ret_code; - char *locale_name; -+ size_t locale_len; - - locale_name = im->private.proto.locale_name; -- len = strlen(locale_name); -- buf_b[0] = (BYTE)len; /* length of locale name */ -- (void)strcpy((char *)&buf_b[1], locale_name); /* locale name */ -- len += sizeof(BYTE); /* sizeof length */ -+ locale_len = strlen(locale_name); -+ if (locale_len > UCHAR_MAX) -+ return False; -+ memset(buf32, 0, sizeof(buf32)); -+ buf_b[0] = (BYTE)locale_len; /* length of locale name */ -+ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */ -+ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */ - XIM_SET_PAD(buf_b, len); /* pad */ - - _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len); -@@ -1289,6 +1294,7 @@ _XimProtoSetIMValues( - #endif /* XIM_CONNECTABLE */ - - _XimGetCurrentIMValues(im, &im_values); -+ memset(tmp_buf, 0, sizeof(tmp_buf32)); - buf = tmp_buf; - buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16); - data_len = BUFSIZE - buf_size; -@@ -1311,7 +1317,7 @@ _XimProtoSetIMValues( - - buf_size += ret_len; - if (buf == tmp_buf) { -- if (!(tmp = Xmalloc(buf_size + data_len))) { -+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { - return arg->name; - } - memcpy(tmp, buf, buf_size); -@@ -1321,6 +1327,7 @@ _XimProtoSetIMValues( - Xfree(buf); - return arg->name; - } -+ memset(&tmp[buf_size], 0, data_len); - buf = tmp; - } - } -@@ -1462,7 +1469,7 @@ _XimProtoGetIMValues( - + sizeof(INT16) - + XIM_PAD(buf_size); - -- if (!(buf = Xmalloc(buf_size))) -+ if (!(buf = Xcalloc(buf_size, 1))) - return arg->name; - buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; - -@@ -1724,7 +1731,7 @@ _XimEncodingNegotiation( - + sizeof(CARD16) - + detail_len; - -- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len))) -+ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1))) - goto free_detail_ptr; - - buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; -@@ -1820,6 +1827,7 @@ _XimSendSavedIMValues( - int ret_code; - - _XimGetCurrentIMValues(im, &im_values); -+ memset(tmp_buf, 0, sizeof(tmp_buf32)); - buf = tmp_buf; - buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16); - data_len = BUFSIZE - buf_size; -@@ -1842,7 +1850,7 @@ _XimSendSavedIMValues( - - buf_size += ret_len; - if (buf == tmp_buf) { -- if (!(tmp = Xmalloc(buf_size + data_len))) { -+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { - return False; - } - memcpy(tmp, buf, buf_size); -@@ -1852,6 +1860,7 @@ _XimSendSavedIMValues( - Xfree(buf); - return False; - } -+ memset(&tmp[buf_size], 0, data_len); - buf = tmp; - } - } diff --git a/U_006-Fix-size-calculation-in-_XimAttributeToValue.patch b/U_006-Fix-size-calculation-in-_XimAttributeToValue.patch deleted file mode 100644 index 3c1f7b3..0000000 --- a/U_006-Fix-size-calculation-in-_XimAttributeToValue.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001 -From: Yichao Yu -Date: Sun, 2 Aug 2020 13:43:58 -0400 -Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`. - -The check here guards the read below. -For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers` -these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`. -(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this -function and doesn't need to be checked.) - -The old code here used the native datatype size instead of the wire protocol size causing -the check to always fail. - -Also fix the size calculation for the header (size). It is 2 x CARD16 for both types -despite the unused `CARD16` for `XimType_XIMStyles`. - -[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles - -This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10. - -Fix #116 ---- - modules/im/ximcp/imRmAttr.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c -index 2491908e7091..919c5564718c 100644 ---- a/modules/im/ximcp/imRmAttr.c -+++ b/modules/im/ximcp/imRmAttr.c -@@ -265,7 +265,7 @@ _XimAttributeToValue( - - if (num > (USHRT_MAX / sizeof(XIMStyle))) - return False; -- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len) -+ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len) - return False; - alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num; - if (alloc_len < sizeof(XIMStyles)) -@@ -379,7 +379,7 @@ _XimAttributeToValue( - - if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger))) - return False; -- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len) -+ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len) - return False; - alloc_len = sizeof(XIMHotKeyTriggers) - + sizeof(XIMHotKeyTrigger) * num; --- -2.16.4 - diff --git a/libX11-1.6.12.tar.bz2 b/libX11-1.6.12.tar.bz2 new file mode 100644 index 0000000..c10fa31 --- /dev/null +++ b/libX11-1.6.12.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f108227469419ac04d196df0f3b80ce1f7f65059bb54c0de811f4d8e03fd6ec7 +size 2376498 diff --git a/libX11-1.6.9.tar.bz2 b/libX11-1.6.9.tar.bz2 deleted file mode 100644 index 73166bd..0000000 --- a/libX11-1.6.9.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1 -size 2283814 diff --git a/libX11.changes b/libX11.changes index fef1920..f9f1524 100644 --- a/libX11.changes +++ b/libX11.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Tue Aug 25 21:24:32 UTC 2020 - Stefan Dirsch + +- Update to version 1.6.12 + * Fix an integer overflow in init_om() [CVE-2020-14363, boo#1175239] + +------------------------------------------------------------------- +Sat Aug 15 17:30:24 UTC 2020 - Tobias Klausmann + +- Update to version 1.6.11: + A collection of random and security fixes. +- Remove patches included in this release: + + U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch + + U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch + + U_003-FixMoreUncheckedLengths.patch + + U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch + + U_005-ZeroOutBuffersInFunctions.patch + + U_006-Fix-size-calculation-in-_XimAttributeToValue.patch +- Adapt patch p_xlib_skip_ext_env.diff to work with the new version + ------------------------------------------------------------------- Tue Aug 4 16:33:45 CEST 2020 - tiwai@suse.de diff --git a/libX11.spec b/libX11.spec index 3314863..6436caa 100644 --- a/libX11.spec +++ b/libX11.spec @@ -17,7 +17,7 @@ Name: libX11 -Version: 1.6.9 +Version: 1.6.12 Release: 0 Summary: Core X11 protocol client library License: MIT @@ -33,12 +33,7 @@ Patch0: p_khmer-compose.diff Patch1: p_xlib_skip_ext_env.diff # PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales Patch2: en-locales.diff -Patch21: U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch -Patch22: U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch -Patch23: U_003-FixMoreUncheckedLengths.patch -Patch24: U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch -Patch25: U_005-ZeroOutBuffersInFunctions.patch -Patch26: U_006-Fix-size-calculation-in-_XimAttributeToValue.patch + BuildRequires: fdupes BuildRequires: libtool BuildRequires: pkgconfig @@ -142,12 +137,6 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1 %patch0 %patch1 %patch2 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 %build %configure \ diff --git a/p_xlib_skip_ext_env.diff b/p_xlib_skip_ext_env.diff index 4214ae3..e1aa3be 100644 --- a/p_xlib_skip_ext_env.diff +++ b/p_xlib_skip_ext_env.diff @@ -20,4 +20,4 @@ + LockDisplay(dpy); GetReq(QueryExtension, req); - req->nbytes = name ? strlen(name) : 0; + req->nbytes = name ? (CARD16) strlen(name) : 0;