Accepting request 687380 from X11:XOrg

- Update to version 1.1.3
  * This release provides a fix for CVE-2017-2625 for platforms which don't have
    arc4random_buf() in their default libraries but do have getentropy(), such
    as Linux platforms with a kernel version of 3.17 or newer and a glibc version
    of 2.25 or newer.   (libXdmcp 1.1.2 already ensured that arc4random_buf()
    is used on platforms that have it to provide sufficient entropy in XDMCP
    key generation, but left other platforms with the weaker methods.  Linux
    platforms could also have linked against libbsd to use arc4random_buf()
    with libXdmcp 1.1.2 for stronger keys.)
- supersedes U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch,
  U_Use-getentropy-if-arc4random_buf-is-not-available.patch

OBS-URL: https://build.opensuse.org/request/show/687380
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libXdmcp?expand=0&rev=10

U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch

@@ -1,55 +0,0 @@
-From 6d1aee0310001eca8f6ded9814a2a70b3a774896 Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
-Date: Thu, 4 May 2017 11:12:13 +0200
-Subject: [PATCH 2/2] Fix compilation error when arc4random_buf is not
- available
-
-Not sure how I missed that, but I did.
-
-Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as
-requested in the previous patch reviews.
-
-Last, getbits() expects an unsigned char, so remove the warning.
-
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- Key.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Key.c b/Key.c
-index 70607d0..d61ad0e 100644
---- a/Key.c
-+++ b/Key.c
-@@ -65,15 +65,15 @@ getbits (long data, unsigned char *dst)
- #ifndef HAVE_ARC4RANDOM_BUF
- 
- static void
--emulate_getrandom_buf (char *auth, int len)
-+insecure_getrandom_buf (unsigned char *auth, int len)
- {
-     long    lowbits, highbits;
- 
-     srandom ((int)getpid() ^ time((Time_t *)0));
-     lowbits = random ();
-     highbits = random ();
--    getbits (lowbits, key->data);
--    getbits (highbits, key->data + 4);
-+    getbits (lowbits, auth);
-+    getbits (highbits, auth + 4);
- }
- 
- static void
-@@ -88,7 +88,7 @@ arc4random_buf (void *auth, int len)
- 	return;
- #endif /* HAVE_GETENTROPY */
- 
--    emulate_getrandom_buf (auth, len);
-+    insecure_getrandom_buf (auth, len);
- }
- 
- #endif /* !defined(HAVE_ARC4RANDOM_BUF) */
--- 
-2.12.3
-

U_Use-getentropy-if-arc4random_buf-is-not-available.patch

@@ -1,89 +0,0 @@
-From 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
-Date: Tue, 4 Apr 2017 19:13:38 +0200
-Subject: [PATCH 1/2] Use getentropy() if arc4random_buf() is not available
-
-This allows to fix CVE-2017-2625 on Linux platforms without pulling in
-libbsd.
-The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
-For Linux, we need at least a v3.17 kernel. If the recommended
-arc4random_buf() function is not available, emulate it by first trying
-to use getentropy() on a supported glibc and kernel. If the call fails,
-fall back to the current (vulnerable) code.
-
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
-Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- Key.c        | 31 ++++++++++++++++++++++++++-----
- configure.ac |  2 +-
- 2 files changed, 27 insertions(+), 6 deletions(-)
-
-diff --git a/Key.c b/Key.c
-index a09b316..70607d0 100644
---- a/Key.c
-+++ b/Key.c
-@@ -62,10 +62,11 @@ getbits (long data, unsigned char *dst)
- #define getpid(x) _getpid(x)
- #endif
- 
--void
--XdmcpGenerateKey (XdmAuthKeyPtr key)
--{
- #ifndef HAVE_ARC4RANDOM_BUF
-+
-+static void
-+emulate_getrandom_buf (char *auth, int len)
-+{
-     long    lowbits, highbits;
- 
-     srandom ((int)getpid() ^ time((Time_t *)0));
-@@ -73,9 +74,29 @@ XdmcpGenerateKey (XdmAuthKeyPtr key)
-     highbits = random ();
-     getbits (lowbits, key->data);
-     getbits (highbits, key->data + 4);
--#else
-+}
-+
-+static void
-+arc4random_buf (void *auth, int len)
-+{
-+    int	    ret;
-+
-+#if HAVE_GETENTROPY
-+    /* weak emulation of arc4random through the getentropy libc call */
-+    ret = getentropy (auth, len);
-+    if (ret == 0)
-+	return;
-+#endif /* HAVE_GETENTROPY */
-+
-+    emulate_getrandom_buf (auth, len);
-+}
-+
-+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
-+
-+void
-+XdmcpGenerateKey (XdmAuthKeyPtr key)
-+{
-     arc4random_buf(key->data, 8);
--#endif
- }
- 
- int
-diff --git a/configure.ac b/configure.ac
-index 2288502..d2b045d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -65,7 +65,7 @@ esac
- 
- # Checks for library functions.
- AC_CHECK_LIB([bsd], [arc4random_buf])
--AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf])
-+AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy])
- 
- # Obtain compiler/linker options for depedencies
- PKG_CHECK_MODULES(XDMCP, xproto)
--- 
-2.12.3
-

libXdmcp-1.1.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:81fe09867918fff258296e1e1e159f0dc639cb30d201c53519f25ab73af4e4e2
-size 331518

libXdmcp-1.1.3.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:20523b44aaa513e17c009e873ad7bbc301507a3224c232610ce2e099011c6529
+size 332795

libXdmcp.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Mar 21 15:09:26 UTC 2019 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to version 1.1.3
+  * This release provides a fix for CVE-2017-2625 for platforms which don't have
+    arc4random_buf() in their default libraries but do have getentropy(), such
+    as Linux platforms with a kernel version of 3.17 or newer and a glibc version
+    of 2.25 or newer.   (libXdmcp 1.1.2 already ensured that arc4random_buf()
+    is used on platforms that have it to provide sufficient entropy in XDMCP
+    key generation, but left other platforms with the weaker methods.  Linux
+    platforms could also have linked against libbsd to use arc4random_buf()
+    with libXdmcp 1.1.2 for stronger keys.)
+- supersedes U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch,
+  U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+
 -------------------------------------------------------------------
 Sun Jun 11 20:28:03 UTC 2017 - sndirsch@suse.com
 

libXdmcp.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libXdmcp
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 Name:           libXdmcp
 %define lname	libXdmcp6
-Version:        1.1.2
+Version:        1.1.3
 Release:        0
 Summary:        X Display Manager Control Protocol library
 License:        MIT
@@ -29,8 +29,6 @@ Url:            http://xorg.freedesktop.org/
 #Git-Web:	http://cgit.freedesktop.org/xorg/lib/libXdmcp/
 Source:         http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
-Patch0:         U_Use-getentropy-if-arc4random_buf-is-not-available.patch
-Patch1:         U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  autoconf >= 2.60
 BuildRequires:  automake
@@ -86,8 +84,6 @@ in %lname.
 
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
 
 %build
 autoreconf -fi