Accepting request 630965 from home:tobijk:X11:XOrg
- Update to version 1.6.6: + Make Xkb{Get,Set}NamedIndicator spec & manpages match code + Clarify state parameter to XkbSetNamedDeviceIndicator + Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages + If XGetImage fails to create image, don't dereference it to bounds check + Use size_t for buffer sizes in SetHints.c + Change fall through comment in lcDB.c to match gcc's requirements + _XDefaultError: set XlibDisplayIOError flag before calling exit + Fix possible memory leak in cmsProp.c:140 + Don't rebuild ks_tables.h if nothing changed. + Remove statement with no effect. + Use flexible array member instead of fake size. + Valgrind fix for XStoreColor and XStoreColors. + XkbOpenDisplay.3: fix typo + Validation of server response in XListHosts. + Fixed off-by-one writes (CVE-2018-14599). + Fixed out of boundary write (CVE-2018-14600). + Fixed crash on invalid reply (CVE-2018-14598). + fix shadow warning + _XIOError(dpy); will never return so remore dead + remove argument check for free() adjust one inden + fix shadow char_size + fix more shadow warning + no need to check argument for _XkbFree() + remove stray extern + no need to check args for Xfree() + fix memleak in error path + fix memleak in error path + no need to check XFree arguments + mark _XDefaultIOError as no_return OBS-URL: https://build.opensuse.org/request/show/630965 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=46
This commit is contained in:
parent
b3ab4adca7
commit
eac8ab91ba
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4d3890db2ba225ba8c55ca63c6409c1ebb078a2806de59fb16342768ae63435d
|
||||
size 2361556
|
3
libX11-1.6.6.tar.bz2
Normal file
3
libX11-1.6.6.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:65fe181d40ec77f45417710c6a67431814ab252d21c2e85c75dd1ed568af414f
|
||||
size 2342730
|
@ -1,3 +1,46 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 22 15:09:51 UTC 2018 - tobias.johannes.klausmann@mni.thm.de
|
||||
|
||||
- Update to version 1.6.6:
|
||||
+ Make Xkb{Get,Set}NamedIndicator spec & manpages match code
|
||||
+ Clarify state parameter to XkbSetNamedDeviceIndicator
|
||||
+ Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
|
||||
+ If XGetImage fails to create image, don't dereference it to bounds check
|
||||
+ Use size_t for buffer sizes in SetHints.c
|
||||
+ Change fall through comment in lcDB.c to match gcc's requirements
|
||||
+ _XDefaultError: set XlibDisplayIOError flag before calling exit
|
||||
+ Fix possible memory leak in cmsProp.c:140
|
||||
+ Don't rebuild ks_tables.h if nothing changed.
|
||||
+ Remove statement with no effect.
|
||||
+ Use flexible array member instead of fake size.
|
||||
+ Valgrind fix for XStoreColor and XStoreColors.
|
||||
+ XkbOpenDisplay.3: fix typo
|
||||
+ Validation of server response in XListHosts.
|
||||
+ Fixed off-by-one writes (CVE-2018-14599).
|
||||
+ Fixed out of boundary write (CVE-2018-14600).
|
||||
+ Fixed crash on invalid reply (CVE-2018-14598).
|
||||
+ fix shadow warning
|
||||
+ _XIOError(dpy); will never return so remore dead
|
||||
+ remove argument check for free() adjust one inden
|
||||
+ fix shadow char_size
|
||||
+ fix more shadow warning
|
||||
+ no need to check argument for _XkbFree()
|
||||
+ remove stray extern
|
||||
+ no need to check args for Xfree()
|
||||
+ fix memleak in error path
|
||||
+ fix memleak in error path
|
||||
+ no need to check XFree arguments
|
||||
+ mark _XDefaultIOError as no_return
|
||||
+ Fixes: warning: variable 'req' set but not,used
|
||||
+ add _X_UNUSED to avoid unused variable warnings
|
||||
+ remove empty line
|
||||
+ silence gcc warning assignment discards 'const' qualifier from pointer target type
|
||||
- Packaging changes:
|
||||
+ Remove upstreamed u_Use-flexible-array-member-instead-of-fake-size.patch
|
||||
+ Remove upstreamed u_off-by-one-write-in-XListExtensions.patch
|
||||
+ Remove upstreamed u_out-of-boundary-write-in-XListExtensions.patch
|
||||
+ Remove upstreamed u_crash-on-invalid-reply-in-XListExtensions.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 20 12:15:47 UTC 2018 - sndirsch@suse.com
|
||||
|
||||
|
14
libX11.spec
14
libX11.spec
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: libX11
|
||||
Version: 1.6.5
|
||||
Version: 1.6.6
|
||||
Release: 0
|
||||
Summary: Core X11 protocol client library
|
||||
License: MIT
|
||||
@ -34,14 +34,6 @@ Patch7: p_khmer-compose.diff
|
||||
Patch9: p_xlib_skip_ext_env.diff
|
||||
# PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales
|
||||
Patch15: en-locales.diff
|
||||
# PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8.
|
||||
Patch16: u_Use-flexible-array-member-instead-of-fake-size.patch
|
||||
# CVE-2018-14599
|
||||
Patch1102062: u_off-by-one-write-in-XListExtensions.patch
|
||||
# CVE-2018-14600
|
||||
Patch1102068: u_out-of-boundary-write-in-XListExtensions.patch
|
||||
# CVE-2018-14598
|
||||
Patch1102073: u_crash-on-invalid-reply-in-XListExtensions.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: autoconf >= 2.60
|
||||
@ -150,10 +142,6 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
|
||||
%patch7 -p0
|
||||
%patch9 -p0
|
||||
%patch15 -p0
|
||||
%patch16 -p1
|
||||
%patch1102062 -p1
|
||||
%patch1102068 -p1
|
||||
%patch1102073 -p1
|
||||
|
||||
%build
|
||||
# Got patches which change auto*files
|
||||
|
@ -1,63 +0,0 @@
|
||||
Author: Michal Srb <msrb@suse.com>
|
||||
Subject: Use flexible array member instead of fake size.
|
||||
Patch-mainline: To be upstreamed
|
||||
References: bnc#1084639
|
||||
|
||||
The _XimCacheStruct structure is followed in memory by two strings containing
|
||||
fname and encoding. The memory was accessed using the last member of the
|
||||
structure `char fname[1]`. That is a lie, prohibits us from using sizeof and
|
||||
confuses checkers. Lets declare it properly as a flexible array, so compilers
|
||||
don't complain about writing past that array. As bonus we can replace the
|
||||
XOffsetOf with regular sizeof.
|
||||
|
||||
Fixes GCC8 error:
|
||||
In function 'strcpy',
|
||||
inlined from '_XimWriteCachedDefaultTree' at imLcIm.c:479:5,
|
||||
inlined from '_XimCreateDefaultTree' at imLcIm.c:616:2,
|
||||
inlined from '_XimLocalOpenIM' at imLcIm.c:700:5:
|
||||
/usr/include/bits/string_fortified.h:90:10: error: '__builtin_strcpy'
|
||||
forming offset 2 is out of the bounds [0, 1] [-Werror=array-bounds]
|
||||
return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
|
||||
|
||||
Caused by this line seemingly writing past the fname[1] array:
|
||||
imLcIm.c:479: strcpy (m->fname+strlen(name)+1, encoding);
|
||||
---
|
||||
modules/im/ximcp/imLcIm.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/modules/im/ximcp/imLcIm.c b/modules/im/ximcp/imLcIm.c
|
||||
index c19695df..743df77b 100644
|
||||
--- a/modules/im/ximcp/imLcIm.c
|
||||
+++ b/modules/im/ximcp/imLcIm.c
|
||||
@@ -82,8 +82,8 @@ struct _XimCacheStruct {
|
||||
DTCharIndex mbused;
|
||||
DTCharIndex wcused;
|
||||
DTCharIndex utf8used;
|
||||
- char fname[1];
|
||||
- /* char encoding[1] */
|
||||
+ char fname[];
|
||||
+ /* char encoding[] */
|
||||
};
|
||||
|
||||
static struct _XimCacheStruct* _XimCache_mmap = NULL;
|
||||
@@ -281,7 +281,7 @@ _XimReadCachedDefaultTree(
|
||||
assert (m->id == XIM_CACHE_MAGIC);
|
||||
assert (m->version == XIM_CACHE_VERSION);
|
||||
if (size != m->size ||
|
||||
- size < XOffsetOf (struct _XimCacheStruct, fname) + namelen + encodinglen) {
|
||||
+ size < sizeof (struct _XimCacheStruct) + namelen + encodinglen) {
|
||||
fprintf (stderr, "Ignoring broken XimCache %s [%s]\n", name, encoding);
|
||||
munmap (m, size);
|
||||
return False;
|
||||
@@ -442,7 +442,7 @@ _XimWriteCachedDefaultTree(
|
||||
int fd;
|
||||
FILE *fp;
|
||||
struct _XimCacheStruct *m;
|
||||
- int msize = (XOffsetOf(struct _XimCacheStruct, fname)
|
||||
+ int msize = (sizeof(struct _XimCacheStruct)
|
||||
+ strlen(name) + strlen(encoding) + 2
|
||||
+ XIM_CACHE_TREE_ALIGNMENT-1) & -XIM_CACHE_TREE_ALIGNMENT;
|
||||
DefTreeBase *b = &im->private.local.base;
|
||||
--
|
||||
2.13.6
|
||||
|
@ -1,46 +0,0 @@
|
||||
From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Dirsch <sndirsch@suse.de>
|
||||
Date: Tue, 14 Aug 2018 11:46:40 +0200
|
||||
Subject: [PATCH] crash on invalid reply in XListExtensions
|
||||
References: bsc#1102073 CVE-2018-14598
|
||||
|
||||
If the server sends a reply in which even the first string would
|
||||
overflow the transmitted bytes, list[0] will be set to NULL and
|
||||
a count of 0 is returned.
|
||||
|
||||
If the resulting list is freed with XFreeExtensionList later on,
|
||||
the first Xfree call:
|
||||
|
||||
Xfree (list[0]-1)
|
||||
turns into
|
||||
Xfree (NULL-1)
|
||||
|
||||
which will most likely trigger a segmentation fault.
|
||||
|
||||
I have modified the code to return NULL if the first string would
|
||||
overflow, thus protecting XFreeExtensionList later on.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
src/ListExt.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/ListExt.c b/src/ListExt.c
|
||||
index 6537c4dc..ece9ba31 100644
|
||||
--- a/src/ListExt.c
|
||||
+++ b/src/ListExt.c
|
||||
@@ -83,6 +83,11 @@ char **XListExtensions(
|
||||
length = (unsigned char) *ch;
|
||||
*ch = '\0'; /* and replace with null-termination */
|
||||
count++;
|
||||
+ } else if (i == 0) {
|
||||
+ Xfree(list);
|
||||
+ Xfree(ch);
|
||||
+ list = NULL;
|
||||
+ break;
|
||||
} else
|
||||
list[i] = NULL;
|
||||
}
|
||||
--
|
||||
2.16.4
|
||||
|
@ -1,67 +0,0 @@
|
||||
From b4692168dfd66cdcd91d970ff255ded144d6ef95 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Dirsch <sndirsch@suse.de>
|
||||
Date: Mon, 23 Jul 2018 14:26:05 +0200
|
||||
Subject: [PATCH] off-by-one write in XListExtensions
|
||||
References: bsc#1102062 CVE-2018-14599
|
||||
|
||||
The function XListExtensions is vulnerable to an off-by-one override on
|
||||
malicious server responses.
|
||||
|
||||
The server reply consists of extension names consisting of a length byte
|
||||
followed by actual string, which is not NUL-terminated.
|
||||
|
||||
While parsing the response, the length byte is overridden with '\0',
|
||||
thus the memory area can be used as storage of C strings later on. To
|
||||
be able to NUL-terminate the last string, the buffer is reserved with
|
||||
an additional byte of space.
|
||||
|
||||
For a boundary check, the variable chend (end of ch) was introduced,
|
||||
pointing at the end of the buffer which ch initially points to.
|
||||
Unfortunately there is a difference in handling "the end of ch".
|
||||
|
||||
While chend points at the first byte that must not be written to,
|
||||
the for-loop uses chend as the last byte that can be written to.
|
||||
|
||||
Therefore, an off-by-one can occur.
|
||||
|
||||
I have refactored the code so chend actually points to the last byte
|
||||
that can be written to without an out of boundary access. As it is not
|
||||
possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
|
||||
with the corrected chend meaning, I removed the inner if-check.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
src/ListExt.c | 12 ++++--------
|
||||
1 file changed, 4 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/ListExt.c b/src/ListExt.c
|
||||
index 7fdf9932..8f344ac0 100644
|
||||
--- a/src/ListExt.c
|
||||
+++ b/src/ListExt.c
|
||||
@@ -74,19 +74,15 @@ char **XListExtensions(
|
||||
/*
|
||||
* unpack into null terminated strings.
|
||||
*/
|
||||
- chend = ch + (rlen + 1);
|
||||
+ chend = ch + rlen;
|
||||
length = *ch;
|
||||
for (i = 0; i < rep.nExtensions; i++) {
|
||||
if (ch + length < chend) {
|
||||
list[i] = ch+1; /* skip over length */
|
||||
ch += length + 1; /* find next length ... */
|
||||
- if (ch <= chend) {
|
||||
- length = *ch;
|
||||
- *ch = '\0'; /* and replace with null-termination */
|
||||
- count++;
|
||||
- } else {
|
||||
- list[i] = NULL;
|
||||
- }
|
||||
+ length = *ch;
|
||||
+ *ch = '\0'; /* and replace with null-termination */
|
||||
+ count++;
|
||||
} else
|
||||
list[i] = NULL;
|
||||
}
|
||||
--
|
||||
2.16.4
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Dirsch <sndirsch@suse.de>
|
||||
Date: Mon, 23 Jul 2018 14:30:54 +0200
|
||||
Subject: [PATCH] out of boundary write in XListExtensions
|
||||
References: bsc#1102068 CVE-2018-14600
|
||||
|
||||
The length value is interpreted as signed char on many systems
|
||||
(depending on default signedness of char), which can lead to an out of
|
||||
boundary write up to 128 bytes in front of the allocated storage, but
|
||||
limited to NUL byte(s).
|
||||
|
||||
Casting the length value to unsigned char fixes the problem and allows
|
||||
string values with up to 255 characters.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
src/ListExt.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/ListExt.c b/src/ListExt.c
|
||||
index 8f344ac0..6537c4dc 100644
|
||||
--- a/src/ListExt.c
|
||||
+++ b/src/ListExt.c
|
||||
@@ -75,12 +75,12 @@ char **XListExtensions(
|
||||
* unpack into null terminated strings.
|
||||
*/
|
||||
chend = ch + rlen;
|
||||
- length = *ch;
|
||||
+ length = (unsigned char) *ch;
|
||||
for (i = 0; i < rep.nExtensions; i++) {
|
||||
if (ch + length < chend) {
|
||||
list[i] = ch+1; /* skip over length */
|
||||
ch += length + 1; /* find next length ... */
|
||||
- length = *ch;
|
||||
+ length = (unsigned char) *ch;
|
||||
*ch = '\0'; /* and replace with null-termination */
|
||||
count++;
|
||||
} else
|
||||
--
|
||||
2.16.4
|
||||
|
Loading…
Reference in New Issue
Block a user