diff --git a/U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch b/U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch
new file mode 100644
index 0000000..ed63332
--- /dev/null
+++ b/U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch
@@ -0,0 +1,23 @@
+It's coming from a length in the protocol (unsigned) and passed
+to functions that expect unsigned int parameters (_XCopyToArg()
+and memcpy()).
+
+Signed-off-by: Matthieu Herrb
+Reviewed-by: Todd Carson
+---
+ modules/im/ximcp/imRmAttr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libX11-1.6.5/modules/im/ximcp/imRmAttr.c
+===================================================================
+--- libX11-1.6.5.orig/modules/im/ximcp/imRmAttr.c
++++ libX11-1.6.5/modules/im/ximcp/imRmAttr.c
+@@ -214,7 +214,7 @@ _XimAttributeToValue(
+ Xic ic,
+ XIMResourceList res,
+ CARD16 *data,
+- INT16 data_len,
++ CARD16 data_len,
+ XPointer value,
+ BITMASK32 mode)
+ {
diff --git a/U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch b/U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch
new file mode 100644
index 0000000..fd5fdb9
--- /dev/null
+++ b/U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch
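Review bot: The `CARD16 data_len` parameter is changed only at the definition in the `@@ -214,7 +214,7 @@` hunk, and the diffstat lists imRmAttr.c alone; if `_XimAttributeToValue` has a prototype in a header or a forward declaration elsewhere in the file, that declaration must carry the same `CARD16` or the build fails with conflicting types. It is also worth confirming that every caller derives the value it passes from the unsigned protocol length field rather than from an `INT16` local, since a negative intermediate would now silently become a large unsigned length. The function body continues outside the hunk.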
@@ -0,0 +1,75 @@
+From: Todd Carson
+
+Signed-off-by: Matthieu Herrb
+Reviewed-by: Matthieu Herrb
+---
+ modules/im/ximcp/imRmAttr.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index d5d1939e..db3639de 100644
+--- a/modules/im/ximcp/imRmAttr.c
++++ b/modules/im/ximcp/imRmAttr.c
+@@ -29,6 +29,8 @@ PERFORMANCE OF THIS SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include
+ #endif
++#include
++
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -250,18 +252,24 @@ _XimAttributeToValue(
+
+ case XimType_XIMStyles:
+ {
+- INT16 num = data[0];
++ CARD16 num = data[0];
+ register CARD32 *style_list = (CARD32 *)&data[2];
+ XIMStyle *style;
+ XIMStyles *rep;
+ register int i;
+ char *p;
+- int alloc_len;
++ unsigned int alloc_len;
+
+ if (!(value))
+ return False;
+
++ if (num > (USHRT_MAX / sizeof(XIMStyle)))
++ return False;
++ if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
++ return False;
+ alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
++ if (alloc_len < sizeof(XIMStyles))
++ return False;
+ if (!(p = Xmalloc(alloc_len)))
+ return False;
+
+@@ -357,19 +365,25 @@ _XimAttributeToValue(
+
+ case XimType_XIMHotKeyTriggers:
+ {
+- INT32 num = *((CARD32 *)data);
++ CARD32 num = *((CARD32 *)data);
+ register CARD32 *key_list = (CARD32 *)&data[2];
+ XIMHotKeyTrigger *key;
+ XIMHotKeyTriggers *rep;
+ register int i;
+ char *p;
+- int alloc_len;
++ unsigned int alloc_len;
+
+ if (!(value))
+ return False;
+
++ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
++ return False;
++ if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
++ return False;
+ alloc_len = sizeof(XIMHotKeyTriggers)
+ + sizeof(XIMHotKeyTrigger) * num;
++ if (alloc_len < sizeof(XIMHotKeyTriggers))
++ return False;
+ if (!(p = Xmalloc(alloc_len)))
+ return False;
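Review bot: In the `XimType_XIMStyles` hunk the new bound `if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)` measures the wrong quantities: `style_list` starts at `&data[2]`, which is 4 bytes into the value rather than `sizeof(num)` (2), and each wire entry is a `CARD32`, not a host `XIMStyle` (an `unsigned long`). Where `sizeof(XIMStyle)` is 8 the check only over-rejects valid payloads whose `data_len` is tight; where it is 4, a `data_len` of `4*num+2` passes and the copy that follows (outside the hunk) would read two bytes past the value. Checking the wire layout directly, `if ((2 * sizeof(CARD16) + (size_t)num * sizeof(CARD32)) > data_len) return False;`, is exact on every ABI. The `XimType_XIMHotKeyTriggers` hunk mixes host and wire sizes the same way through `sizeof(XIMHotKeyTrigger)`, although there `sizeof(num)` (4) does match the offset of `key_list`; the loops consuming `style_list` and `key_list` lie outside both hunks.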
diff --git a/U_003-FixMoreUncheckedLengths.patch b/U_003-FixMoreUncheckedLengths.patch
new file mode 100644
index 0000000..098254e
--- /dev/null
+++ b/U_003-FixMoreUncheckedLengths.patch
@@ -0,0 +1,36 @@
+From: Todd Carson
+
+Signed-off-by: Matthieu Herrb
+Reviewed-by: Matthieu Herrb
+---
+ modules/im/ximcp/imRmAttr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index db3639de..b7591a07 100644
+--- a/modules/im/ximcp/imRmAttr.c
++++ b/modules/im/ximcp/imRmAttr.c
+@@ -321,7 +321,7 @@ _XimAttributeToValue(
+
+ case XimType_XFontSet:
+ {
+- INT16 len = data[0];
++ CARD16 len = data[0];
+ char *base_name;
+ XFontSet rep = (XFontSet)NULL;
+ char **missing_list = NULL;
+@@ -332,11 +332,12 @@ _XimAttributeToValue(
+ return False;
+ if (!ic)
+ return False;
+-
++ if (len > data_len)
++ return False;
+ if (!(base_name = Xmalloc(len + 1)))
+ return False;
+
+- (void)strncpy(base_name, (char *)&data[1], (int)len);
++ (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+ base_name[len] = '\0';
+
+ if (mode & XIM_PREEDIT_ATTR) {
diff --git a/U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch b/U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
new file mode 100644
index 0000000..9133df7
--- /dev/null
+++ b/U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
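Review bot: The new bound `if (len > data_len)` in the `@@ -332,11 +332,12 @@` hunk ignores the two-byte length prefix: the string is copied from `(char *)&data[1]`, which is `sizeof(CARD16)` bytes into the value, so `len == data_len` passes the check and `strncpy` reads two bytes beyond `data_len`. Compare the full extent instead, `if ((size_t)len + sizeof(CARD16) > data_len) return False;`, adding on the left so a small `data_len` cannot underflow. Since `base_name[len]` is terminated explicitly, `memcpy(base_name, &data[1], len)` would state the intent more plainly than a bounded `strncpy`. The rest of the `XimType_XFontSet` case lies outside the hunk.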
@@ -0,0 +1,65 @@
+From: Todd Carson
+
+The lengths are unsigned according to the specification. Passing
+negative values can lead to data corruption.
+
+Signed-off-by: Matthieu Herrb
+Reviewed-by: Matthieu Herrb
+---
+ modules/im/ximcp/imRmAttr.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+Index: libX11-1.6.5/modules/im/ximcp/imRmAttr.c
+===================================================================
+--- libX11-1.6.5.orig/modules/im/ximcp/imRmAttr.c
++++ libX11-1.6.5/modules/im/ximcp/imRmAttr.c
+@@ -1393,13 +1393,13 @@ _XimEncodeSavedICATTRIBUTE(
+
+ static unsigned int
+ _XimCountNumberOfAttr(
+- INT16 total,
+- CARD16 *attr,
+- int *names_len)
++ CARD16 total,
++ CARD16 *attr,
++ unsigned int *names_len)
+ {
+ unsigned int n;
+- INT16 len;
+- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */
++ CARD16 len;
++ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ + sizeof(CARD16) /* sizeof type of value */
+ + sizeof(INT16); /* sizeof length of attribute */
+
+@@ -1407,6 +1407,9 @@ _XimCountNumberOfAttr(
+ *names_len = 0;
+ while (total > min_len) {
+ len = attr[2];
++ if (len >= (total - min_len)) {
++ return 0;
++ }
+ *names_len += (len + 1);
+ len += (min_len + XIM_PAD(len + 2));
+ total -= len;
+@@ -1421,17 +1424,15 @@ _XimGetAttributeID(
+ Xim im,
+ CARD16 *buf)
+ {
+- unsigned int n;
++ unsigned int n, names_len, values_len;
+ XIMResourceList res;
+ char *names;
+- int names_len;
+ XPointer tmp;
+ XIMValuesList *values_list;
+ char **values;
+- int values_len;
+ register int i;
+- INT16 len;
+- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */
++ CARD16 len;
++ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ + sizeof(CARD16) /* sizeof type of value */
+ + sizeof(INT16); /* sizeof length of attr */
+ /*
diff --git a/U_005-ZeroOutBuffersInFunctions.patch b/U_005-ZeroOutBuffersInFunctions.patch
new file mode 100644
index 0000000..16fd340
--- /dev/null
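Review bot: In the `_XimCountNumberOfAttr` hunk the new guard `if (len >= (total - min_len))` bounds the raw length but not the padded record subtracted two lines later: `len += (min_len + XIM_PAD(len + 2))` can exceed `total` by the padding when `total` is not itself a multiple of four, and because both are `CARD16` the following `total -= len` wraps to a large value and the loop keeps walking `attr` beyond the buffer. Computing the padded length into a wider temporary and rejecting it before the subtraction closes that gap, e.g. `unsigned int rec = min_len + len + XIM_PAD(len + 2); if (rec > total) return 0; total -= rec;`. This presumes `XIM_PAD` (defined outside the hunk) can be non-zero and that `total` comes from a peer-supplied length field. Note also that 0 is returned both for malformed input and for a genuinely empty list; the loop body and the caller's handling of that return continue outside the hunk.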
+++ b/U_005-ZeroOutBuffersInFunctions.patch 
@@ -0,0 +1,151 @@
+From: Todd Carson
+
+It looks like uninitialized stack or heap memory can leak
+out via padding bytes.
+
+Signed-off-by: Matthieu Herrb
+Reviewed-by: Matthieu Herrb
+---
+ modules/im/ximcp/imDefIc.c | 6 ++++--
+ modules/im/ximcp/imDefIm.c | 25 +++++++++++++++++--------
+ 2 files changed, 21 insertions(+), 10 deletions(-)
+
+Index: libX11-1.6.5/modules/im/ximcp/imDefIc.c
+===================================================================
+--- libX11-1.6.5.orig/modules/im/ximcp/imDefIc.c
++++ libX11-1.6.5/modules/im/ximcp/imDefIc.c
+@@ -351,7 +351,7 @@ _XimProtoGetICValues(
+ + sizeof(INT16)
+ + XIM_PAD(2 + buf_size);
+
+- if (!(buf = Xmalloc(buf_size)))
++ if (!(buf = Xcalloc(buf_size, 1)))
+ return arg->name;
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+
+@@ -709,6 +709,7 @@ _XimProtoSetICValues(
+ #endif /* XIM_CONNECTABLE */
+
+ _XimGetCurrentICValues(ic, &ic_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE
+ + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
+@@ -731,7 +732,7 @@ _XimProtoSetICValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return tmp_name;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -741,6 +742,7 @@ _XimProtoSetICValues(
+ Xfree(buf);
+ return tmp_name;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+Index: libX11-1.6.5/modules/im/ximcp/imDefIm.c
+===================================================================
+--- libX11-1.6.5.orig/modules/im/ximcp/imDefIm.c
++++ libX11-1.6.5/modules/im/ximcp/imDefIm.c
+@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+
++#include
+
+ int
+ _XimCheckDataSize(
+@@ -809,12 +810,16 @@ _XimOpen(
+ int buf_size;
+ int ret_code;
+ char *locale_name;
++ size_t locale_len;
+
+ locale_name = im->private.proto.locale_name;
+- len = strlen(locale_name);
+- buf_b[0] = (BYTE)len; /* length of locale name */
+- (void)strcpy((char *)&buf_b[1], locale_name); /* locale name */
+- len += sizeof(BYTE); /* sizeof length */
++ locale_len = strlen(locale_name);
++ if (locale_len > UCHAR_MAX)
++ return False;
++ memset(buf32, 0, sizeof(buf32));
++ buf_b[0] = (BYTE)locale_len; /* length of locale name */
++ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */
++ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */
+ XIM_SET_PAD(buf_b, len); /* pad */
+
+ _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
+@@ -1289,6 +1294,7 @@ _XimProtoSetIMValues(
+ #endif /* XIM_CONNECTABLE */
+
+ _XimGetCurrentIMValues(im, &im_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+ data_len = BUFSIZE - buf_size;
+@@ -1311,7 +1317,7 @@ _XimProtoSetIMValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return arg->name;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -1321,6 +1327,7 @@ _XimProtoSetIMValues(
+ Xfree(buf);
+ return arg->name;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+@@ -1462,7 +1469,7 @@ _XimProtoGetIMValues(
+ + sizeof(INT16)
+ + XIM_PAD(buf_size);
+
+- if (!(buf = Xmalloc(buf_size)))
++ if (!(buf = Xcalloc(buf_size, 1)))
+ return arg->name;
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+
+@@ -1724,7 +1731,7 @@ _XimEncodingNegotiation(
+ + sizeof(CARD16)
+ + detail_len;
+
+- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
++ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+ goto free_detail_ptr;
+
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1820,6
+1827,7 @@ _XimSendSavedIMValues(
+ int ret_code;
+
+ _XimGetCurrentIMValues(im, &im_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+ data_len = BUFSIZE - buf_size;
+@@ -1842,7 +1850,7 @@ _XimSendSavedIMValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return False;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -1852,6 +1860,7 @@ _XimSendSavedIMValues(
+ Xfree(buf);
+ return False;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
diff --git a/libX11.changes b/libX11.changes
index 35e08e5..8bbd47e 100644
--- a/libX11.changes
+++ b/libX11.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jul 31 20:23:05 UTC 2020 - Stefan Dirsch
+
+- U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch,
+ U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch,
+ U_003-FixMoreUncheckedLengths.patch,
+ U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch,
+ U_005-ZeroOutBuffersInFunctions.patch,
+ * XIM client heap overflows (CVE-2020-14344, bsc#1174628)
+
 -------------------------------------------------------------------
 Sun Oct 20 18:27:32 UTC 2019 - Stefan BrĂ¼ns
diff --git a/libX11.spec b/libX11.spec
index 54c5f32..ce23142 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libX11
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
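Review bot: `memset(tmp_buf, 0, sizeof(tmp_buf32));` in the `_XimProtoSetICValues`, `_XimProtoSetIMValues` and `_XimSendSavedIMValues` hunks takes its pointer from one identifier and its size from another; that is only right if `tmp_buf` aliases `tmp_buf32` (both declarations are outside the hunks), whereas the `_XimOpen` hunk uses the self-evident form `memset(buf32, 0, sizeof(buf32));`. Writing `memset(tmp_buf32, 0, sizeof(tmp_buf32));` ties target and size to the same object so a later change to either declaration cannot desynchronise them. In `_XimOpen` the `locale_len > UCHAR_MAX` check bounds the length byte but not the destination; it is worth confirming that `buf32` (sized outside the hunk) holds the header plus 256 bytes plus padding, otherwise the `memcpy` into `&buf_b[1]` can still overrun. The `memset(&tmp[buf_size], 0, data_len)` after the `Xcalloc` branch is redundant on that path but needed if the other branch (outside the hunk) grows the buffer without zeroing, so it should stay.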
@@ -33,6 +33,11 @@ Patch0: p_khmer-compose.diff
 Patch1: p_xlib_skip_ext_env.diff
 # PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales
 Patch2: en-locales.diff
+Patch21: U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch
+Patch22: U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch
+Patch23: U_003-FixMoreUncheckedLengths.patch
+Patch24: U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
+Patch25: U_005-ZeroOutBuffersInFunctions.patch
 BuildRequires: fdupes
 BuildRequires: libtool
 BuildRequires: pkgconfig
@@ -133,7 +138,14 @@ in libX11-6 and libX11-xcb1.
 test -f nls/ja.U90/XLC_LOCALE.pre && exit 1
 test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
-%autopatch -p0
+%patch0
+%patch1
+%patch2
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
 %build
 %configure \