Accepting request 1098898 from X11:XOrg
OBS-URL: https://build.opensuse.org/request/show/1098898 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libX11?expand=0&rev=49
commit
ae8e3938d3
@ -1,108 +0,0 @@
|
|||||||
From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
||||||
Date: Sat, 10 Jun 2023 16:30:07 -0700
|
|
||||||
Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request,
|
|
||||||
event, & error codes
|
|
||||||
|
|
||||||
Fixes CVE-2023-3138: X servers could return values from XQueryExtension
|
|
||||||
that would cause Xlib to write entries out-of-bounds of the arrays to
|
|
||||||
store them, though this would only overwrite other parts of the Display
|
|
||||||
struct, not outside the bounds allocated for that structure.
|
|
||||||
|
|
||||||
Reported-by: Gregory James DUCK <gjduck@gmail.com>
|
|
||||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
||||||
---
|
|
||||||
src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 42 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/InitExt.c b/src/InitExt.c
|
|
||||||
index 4de46f15..afc00a6b 100644
|
|
||||||
--- a/src/InitExt.c
|
|
||||||
+++ b/src/InitExt.c
|
|
||||||
@@ -33,6 +33,18 @@ from The Open Group.
|
|
||||||
#include <X11/Xos.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
|
|
||||||
+/* The X11 protocol spec reserves events 64 through 127 for extensions */
|
|
||||||
+#ifndef LastExtensionEvent
|
|
||||||
+#define LastExtensionEvent 127
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
|
|
||||||
+#ifndef LastExtensionRequest
|
|
||||||
+#define FirstExtensionRequest 128
|
|
||||||
+#define LastExtensionRequest 255
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* This routine is used to link a extension in so it will be called
|
|
||||||
* at appropriate times.
|
|
||||||
@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
|
|
||||||
WireToEventType proc) /* routine to call when converting event */
|
|
||||||
{
|
|
||||||
register WireToEventType oldproc;
|
|
||||||
+ if (event_number < 0 ||
|
|
||||||
+ event_number > LastExtensionEvent) {
|
|
||||||
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
|
||||||
+ event_number);
|
|
||||||
+ return (WireToEventType)_XUnknownWireEvent;
|
|
||||||
+ }
|
|
||||||
if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
|
|
||||||
LockDisplay (dpy);
|
|
||||||
oldproc = dpy->event_vec[event_number];
|
|
||||||
@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
|
|
||||||
)
|
|
||||||
{
|
|
||||||
WireToEventCookieType oldproc;
|
|
||||||
+ if (extension < FirstExtensionRequest ||
|
|
||||||
+ extension > LastExtensionRequest) {
|
|
||||||
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
|
||||||
+ extension);
|
|
||||||
+ return (WireToEventCookieType)_XUnknownWireEventCookie;
|
|
||||||
+ }
|
|
||||||
if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
|
|
||||||
LockDisplay (dpy);
|
|
||||||
oldproc = dpy->generic_event_vec[extension & 0x7F];
|
|
||||||
@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
|
|
||||||
)
|
|
||||||
{
|
|
||||||
CopyEventCookieType oldproc;
|
|
||||||
+ if (extension < FirstExtensionRequest ||
|
|
||||||
+ extension > LastExtensionRequest) {
|
|
||||||
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
|
||||||
+ extension);
|
|
||||||
+ return (CopyEventCookieType)_XUnknownCopyEventCookie;
|
|
||||||
+ }
|
|
||||||
if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
|
|
||||||
LockDisplay (dpy);
|
|
||||||
oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
|
|
||||||
@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
|
|
||||||
EventToWireType proc) /* routine to call when converting event */
|
|
||||||
{
|
|
||||||
register EventToWireType oldproc;
|
|
||||||
+ if (event_number < 0 ||
|
|
||||||
+ event_number > LastExtensionEvent) {
|
|
||||||
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
|
||||||
+ event_number);
|
|
||||||
+ return (EventToWireType)_XUnknownNativeEvent;
|
|
||||||
+ }
|
|
||||||
if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
|
|
||||||
LockDisplay (dpy);
|
|
||||||
oldproc = dpy->wire_vec[event_number];
|
|
||||||
@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
|
|
||||||
WireToErrorType proc) /* routine to call when converting error */
|
|
||||||
{
|
|
||||||
register WireToErrorType oldproc = NULL;
|
|
||||||
+ if (error_number < 0 ||
|
|
||||||
+ error_number > LastExtensionError) {
|
|
||||||
+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
|
|
||||||
+ error_number);
|
|
||||||
+ return (WireToErrorType)_XDefaultWireError;
|
|
||||||
+ }
|
|
||||||
if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
|
|
||||||
LockDisplay (dpy);
|
|
||||||
if (!dpy->error_vec) {
|
|
||||||
--
|
|
||||||
2.15.2
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:e362c6f03c793171becd1ce2078c64789504c7d7ff48ee40a76ff76b59f6b561
|
|
||||||
size 1811288
|
|
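--- a/libX11-1.8.6.tar.xz
+++ b/libX11-1.8.6.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:59535b7cc6989ba806a022f7e8533b28c4397b9d86e9d07b6df0c0703fa25cc9
+size 1859460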
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Jul 15 14:44:18 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- update to 1.8.6:
|
||||||
|
* InitExt.c: Add bounds checks for extension request,
|
||||||
|
event, & error codes
|
||||||
|
* Fixes CVE-2023-3138: X servers could return values from
|
||||||
|
XQueryExtension that would cause Xlib to write entries
|
||||||
|
out-of-bounds of the arrays to store them, though this
|
||||||
|
would only overwrite other parts of the Display
|
||||||
|
struct, not outside the bounds allocated for that
|
||||||
|
structure.
|
||||||
|
- drop U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch (upstream)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jun 12 13:14:03 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
|
Mon Jun 12 13:14:03 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: libX11
|
Name: libX11
|
||||||
Version: 1.8.5
|
Version: 1.8.6
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Core X11 protocol client library
|
Summary: Core X11 protocol client library
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -32,7 +32,6 @@ Patch1: p_xlib_skip_ext_env.diff
|
|||||||
# PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales
|
# PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales
|
||||||
Patch2: en-locales.diff
|
Patch2: en-locales.diff
|
||||||
Patch3: u_no-longer-crash-in-XVisualIDFromVisual.patch
|
Patch3: u_no-longer-crash-in-XVisualIDFromVisual.patch
|
||||||
Patch1212102: U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
|
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
@ -136,7 +135,6 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
|
|||||||
%patch1
|
%patch1
|
||||||
%patch2
|
%patch2
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch1212102 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure \
|
%configure \
|
||||||
|