This release contains fixes for the issues reported in security
advisory here:
https://lists.x.org/archives/xorg-announce/2023-October/003424.html
* fixes CVE-2023-43785 libX11: out-of-bounds memory access in
_XkbReadKeySyms() (boo#1215683)
* fixes CVE-2023-43786 libX11: stack exhaustion from infinite recursion
in PutSubImage() (boo#1215684)
* fixes CVE-2023-43787 libX11: integer overflow in XCreateImage()
leading to a heap overflow (boo#1215685)
along with:
* Fail XOpenDisplay() if server-provided default visual is invalid (!233)
* Bring XKB docs in line with actual implementation (!231, !228)
* Xutil.h: declare XEmptyRegion() and XEqualRegion() as Bool (!225)
* Assorted updates to en_US.UTF-8 compose keys (!213, !214, !215, !216,
!217, !219, !220, !222, !223, !226, !227, !229)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=106
- update to 1.8.6:
* InitExt.c: Add bounds checks for extension request,
event, & error codes
* Fixes CVE-2023-3138: X servers could return values from
XQueryExtension that would cause Xlib to write entries
out-of-bounds of the arrays to store them, though this
would only overwrite other parts of the Display
struct, not outside the bounds allocated for that
structure.
- drop U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch (upstream)
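As an added illustration of the bounds-check fix described above (this is not libX11's own code): a simplified model of a Display that keeps handler tables indexed by the codes a server returns from QueryExtension, with the unchecked registration beside a checked one. Table sizes, field and function names are assumptions of this model.

```c
/* Added illustration, not libX11's own code: a simplified model of why the
 * InitExt.c bounds checks in 1.8.6 matter.  Handlers live in fixed-size
 * tables inside the Display, indexed by codes the server returns from
 * QueryExtension; table sizes and field names here are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define EVENT_SLOTS 128   /* assumed: slots for event codes 0..127 */
#define ERROR_SLOTS 256   /* assumed: slots for error codes 0..255 */

typedef struct {
    const char *event_handler[EVENT_SLOTS];
    const char *error_handler[ERROR_SLOTS];
    int         fields_after_tables; /* what an unchecked index would clobber */
} ModelDisplay;

typedef struct {               /* CARD8 fields of the QueryExtension reply */
    bool    present;
    uint8_t major_opcode;
    uint8_t first_event;       /* 0 means the extension defines no events */
    uint8_t first_error;       /* 0 means the extension defines no errors */
} QueryExtensionReply;

/* Unchecked version: trusts the server and indexes straight into the tables.
 * A first_event of 128 or more writes past event_handler[] into the rest of
 * the struct; that is the bug class the 1.8.6 note describes. */
void register_unchecked(ModelDisplay *dpy, const QueryExtensionReply *r, const char *n)
{
    if (!r->present) return;
    dpy->event_handler[r->first_event] = n;   /* no bounds check */
    dpy->error_handler[r->first_error] = n;
}

/* Checked version: rejects codes in the core-protocol range (opcodes < 128,
 * events < 64, errors < 128) and any index that does not fit its table.
 * Returns false and leaves dpy untouched on a bad reply. */
bool register_checked(ModelDisplay *dpy, const QueryExtensionReply *r, const char *n)
{
    if (!r->present) return false;
    if (r->major_opcode < 128) return false;
    if (r->first_event != 0 && (r->first_event < 64 || r->first_event >= EVENT_SLOTS))
        return false;
    if (r->first_error != 0 && r->first_error < 128)   /* uint8_t is already < ERROR_SLOTS */
        return false;
    if (r->first_event) dpy->event_handler[r->first_event] = n;
    if (r->first_error) dpy->error_handler[r->first_error] = n;
    return true;
}
```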
OBS-URL: https://build.opensuse.org/request/show/1098803
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=104
* gitlab CI: Add libtool to required packages
* configure: raise minimum autoconf requirement to 2.70
* configure: replace deprecated AC_HELP_STRING with AS_HELP_STRING
* configure: Use LT_INIT from libtool 2 instead of deprecated AC_PROG_LIBTOOL
* gitlab CI: add workflow rules
* nls: delete compose sequences that pointlessly mix upper and lower case
* nls: remove four hundred and sixty untypable Greek compose sequences
* nls: remove twenty two untypable Greek compose sequences
* XSetScreenSaver.man: restore the part that was accidentally snipped
* nls: make the Amharic compose sequences use the dead-vowel symbols
* nls: sort three sequences alphabetically in their group, like all others
* nls: delete six compose sequences that cannot be typed
* nls: use a slash instead of a combining solidus in compose sequences
* NLS: move long S compositions to respective blocks
* NLS: implement the expansion of the six Breton N-graph keysyms
* NLS: move dead-caron subscript compositions to the relevant Unicode block
* NLS: Remove strange dead_cedilla cedi sign sequences
* nls: add compose sequence for capital schwa, and delete a deviant one
- Users of the Amharic (am_ET.UTF-8) compose key sequences provided by libX11
will also want to upgrade to xkeyboard-config 2.39 (releasing soon), in order
to keep those sequences working with this release.
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=100
This release fixes the --enable-thread-safety-constructor option to the
configure script to work as intended. In the previous release, the changes
for this option may not have been enabled when the option was not specified
or when the --enable option was specified.
While we have enabled it by default, believing that doing so will reduce
the number of bugs users encounter running libX11 clients, in some cases
it may expose bugs in which clients had previously gotten away with calling
libX11 functions while a libX11 lock is already held, and thus now deadlock,
as discussed in https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/157
- let's hope this version doesn't suffer yet from the regressions
reported in boo#1205778, boo#1205818 (reported against 1.8.2);
we need libX11 thread safe for totem (GNOME 43) :-(
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=95
* This is primarily a bug fix release, including further work on
improving the thread-safety-constructor and making it work with
software which had incorrectly called libX11 functions from
inside X*IfEvent() calls.
- supersedes U_fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=85
- Update to version 1.8.1
OBS-URL: https://build.opensuse.org/request/show/986957
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=81
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=79
* The highlight of this release is that we now try to initialize
thread safety ourselves, rather than hope the application does it.
This should resolve a number of long-standing bugs with the libxcb
integration, since the socket handoff mechanism essentially has to
be thread-safe.
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=77
* This release of libX11 corrects a packaging problem in 1.7.3
which caused the m4 files needed for autoreconf to not be
included in the tarballs.
* As a bonus, this release also includes one tiny typo fix in the
XIM specs.
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=73
* libX11 version 1.7.0 includes a new API, hence the change from
the 1.6 series to 1.7:
XSetIOErrorExitHandler which provides a mechanism for applications
to recover from I/O error conditions instead of being forced to
exit. Thanks to Carlos Garnacho for this.
* This release includes a bunch of bug fixes, some which have been
pending for over three years:
+ A bunch of nls cleanups to remove obsolete entries and clean up
formatting of the list. Thanks to Benno Schulenberg for these.
+ Warning fixes and other cleanups across a huge swath of the
library. Thanks to Alan Coopersmith for these.
+ Memory allocation bugs, including leaks and use after free in the
locale code. Thanks to Krzesimir Nowak, Jacek Caban and Vittorio
Zecca for these.
+ Thread safety fixes in the locale code. Thanks to Jacek Caban for
these.
+ poll_for_response race condition fix. Thanks to Frediano Ziglio for
the bulk of this effort, and to Peter Hutterer for careful review
and improvements.
* Version 1.7.0 includes a couple of new locales:
ia and ie locales. Thanks to Carmina16 for these.
* There are also numerous compose entries added, including:
+ |^ or ^| for ↑, |v or v| for ↓, ~~ for ≈. Thanks to Antti
Savolainen for this.
+ Allowing use of 'v' for caron, in addition to 'c', so things like
vC for Č, vc for č. Thanks to Benno Schulenberg for this.
+ Compose sequences LT, lt for '<', and GT, gt for '>' for keyboards
where those are difficult to access. Thanks to Jonathan Belsewir
for this.
- refreshed patches en-locales.diff, p_khmer-compose.diff and
p_xlib_skip_ext_env.diff
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=62
- Update to version 1.6.11:
A collection of random and security fixes.
- Remove patches included in this release:
+ U_001-ChangeTheData_lenParameterOf_XimAttributeToValueToCARD16.patch
+ U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch
+ U_003-FixMoreUncheckedLengths.patch
+ U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
+ U_005-ZeroOutBuffersInFunctions.patch
+ U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
- Adapt patch p_xlib_skip_ext_env.diff to work with the new version
OBS-URL: https://build.opensuse.org/request/show/826868
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=59
- Update to version 1.6.6:
+ Make Xkb{Get,Set}NamedIndicator spec & manpages match code
+ Clarify state parameter to XkbSetNamedDeviceIndicator
+ Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
+ If XGetImage fails to create image, don't dereference it to bounds check
+ Use size_t for buffer sizes in SetHints.c
+ Change fall through comment in lcDB.c to match gcc's requirements
+ _XDefaultError: set XlibDisplayIOError flag before calling exit
+ Fix possible memory leak in cmsProp.c:140
+ Don't rebuild ks_tables.h if nothing changed.
+ Remove statement with no effect.
+ Use flexible array member instead of fake size.
+ Valgrind fix for XStoreColor and XStoreColors.
+ XkbOpenDisplay.3: fix typo
+ Validation of server response in XListHosts.
+ Fixed off-by-one writes (CVE-2018-14599).
+ Fixed out of boundary write (CVE-2018-14600).
+ Fixed crash on invalid reply (CVE-2018-14598).
+ fix shadow warning
+ _XIOError(dpy); will never return so remove dead
+ remove argument check for free() adjust one inden
+ fix shadow char_size
+ fix more shadow warning
+ no need to check argument for _XkbFree()
+ remove stray extern
+ no need to check args for Xfree()
+ fix memleak in error path
+ fix memleak in error path
+ no need to check XFree arguments
+ mark _XDefaultIOError as no_return
OBS-URL: https://build.opensuse.org/request/show/630965
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=46
- Update to version 1.6.4:
+ Move Compose \ o / to be with other emoji compose sequences
+ Replace Xmalloc+memset pairs with Xcalloc calls
+ Remove unused definition of XCONN_CHECK_FREQ
+ Bug 93184: read_EncodingInfo invalid free
+ Bug 93183: _XDefaultOpenIM memory leaks in out-of-memory error paths
+ Use strdup instead of Xmalloc+strcpy in _XDefaultOpenIM
+ XDefaultOMIF: replace strlen+Xmalloc+strcpy with strdup, code simplification
+ XlcDL.c: replace strcpy+strcat sequences with snprintf
+ XlcDL.c: reduce code duplication
+ lcPubWrap: replace malloc(strlen) + strcpy with strdup
+ Stop checking XTRANS_SECURE_RPC_FLAGS since we no longer use them
+ Stop checking for preferred order of local transports
+ Don't need to link libX11-xcb against libX11
+ xcms: use size_t for strlen/sizeof values instead of converting to int & back
+ xcms: use unsigned indexes when looping through unsigned values
+ xcms: use size_t for pointer offsets passed to strncmp
+ omGeneric.c: Correct the parameter usage of sizeof
+ fix for Xlib 32-bit request number issues
+ Add Compose sequence for U+1F4A9.
+ Xlib.h: Fix macros imitating C functions.
+ Add compose file for pt_PT similar to pt_BR
+ Mark _XNextRequest as hidden
+ New compose keys for local languages in Togo
+ Fixup param specification for XChangeProperty()
- Package changes:
+ Remove upstream patch U_fix_for_Xlib_32-bit_request_number_issues.patch
OBS-URL: https://build.opensuse.org/request/show/437740
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=33