diff --git a/U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch b/U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
deleted file mode 100644
index cd73019..0000000
--- a/U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 6d1aee0310001eca8f6ded9814a2a70b3a774896 Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Thu, 4 May 2017 11:12:13 +0200
-Subject: [PATCH 2/2] Fix compilation error when arc4random_buf is not
- available
-
-Not sure how I missed that, but I did.
-
-Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as
-requested in the previous patch reviews.
-
-Last, getbits() expects an unsigned char, so remove the warning.
-
-Signed-off-by: Benjamin Tissoires
-Reviewed-by: Peter Hutterer
-Signed-off-by: Peter Hutterer
---
- Key.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Key.c b/Key.c
-index 70607d0..d61ad0e 100644
---- a/Key.c
-+++ b/Key.c
-@@ -65,15 +65,15 @@ getbits (long data, unsigned char *dst)
- #ifndef HAVE_ARC4RANDOM_BUF
-
- static void
--emulate_getrandom_buf (char *auth, int len)
-+insecure_getrandom_buf (unsigned char *auth, int len)
- {
- long lowbits, highbits;
-
- srandom ((int)getpid() ^ time((Time_t *)0));
- lowbits = random ();
- highbits = random ();
-- getbits (lowbits, key->data);
-- getbits (highbits, key->data + 4);
-+ getbits (lowbits, auth);
-+ getbits (highbits, auth + 4);
- }
-
- static void
-@@ -88,7 +88,7 @@ arc4random_buf (void *auth, int len)
- return;
- #endif /* HAVE_GETENTROPY */
-
-- emulate_getrandom_buf (auth, len);
-+ insecure_getrandom_buf (auth, len);
- }
-
- #endif /* !defined(HAVE_ARC4RANDOM_BUF) */
---
-2.12.3
-
diff --git a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch b/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
deleted file mode 100644
index 81bcae1..0000000
--- a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Tue, 4 Apr 2017 19:13:38 +0200
-Subject: [PATCH 1/2] Use getentropy() if arc4random_buf() is not available
-
-This allows to fix CVE-2017-2625 on Linux platforms without pulling in
-libbsd.
-The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
-For Linux, we need at least a v3.17 kernel. If the recommended
-arc4random_buf() function is not available, emulate it by first trying
-to use getentropy() on a supported glibc and kernel. If the call fails,
-fall back to the current (vulnerable) code.
-
-Signed-off-by: Benjamin Tissoires
-Reviewed-by: Mark Kettenis
-Reviewed-by: Alan Coopersmith
-Signed-off-by: Peter Hutterer
---
- Key.c | 31 ++++++++++++++++++++++++++-----
- configure.ac | 2 +-
- 2 files changed, 27 insertions(+), 6 deletions(-)
-
-diff --git a/Key.c b/Key.c
-index a09b316..70607d0 100644
---- a/Key.c
-+++ b/Key.c
-@@ -62,10 +62,11 @@ getbits (long data, unsigned char *dst)
- #define getpid(x) _getpid(x)
- #endif
-
--void
--XdmcpGenerateKey (XdmAuthKeyPtr key)
--{
- #ifndef HAVE_ARC4RANDOM_BUF
-+
-+static void
-+emulate_getrandom_buf (char *auth, int len)
-+{
- long lowbits, highbits;
-
- srandom ((int)getpid() ^ time((Time_t *)0));
-@@ -73,9 +74,29 @@ XdmcpGenerateKey (XdmAuthKeyPtr key)
- highbits = random ();
- getbits (lowbits, key->data);
- getbits (highbits, key->data + 4);
--#else
-+}
-+
-+static void
-+arc4random_buf (void *auth, int len)
-+{
-+ int ret;
-+
-+#if HAVE_GETENTROPY
-+ /* weak emulation of arc4random through the getentropy libc call */
-+ ret = getentropy (auth, len);
-+ if (ret == 0)
-+ return;
-+#endif /* HAVE_GETENTROPY */
-+
-+ emulate_getrandom_buf (auth, len);
-+}
-+
-+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
-+
-+void
-+XdmcpGenerateKey (XdmAuthKeyPtr key)
-+{
- arc4random_buf(key->data, 8);
--#endif
- }
-
- int
-diff --git a/configure.ac b/configure.ac
-index 2288502..d2b045d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -65,7 +65,7 @@ esac
-
- # Checks for library functions.
- AC_CHECK_LIB([bsd], [arc4random_buf])
--AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf])
-+AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy])
-
- # Obtain compiler/linker options for depedencies
- PKG_CHECK_MODULES(XDMCP, xproto)
---
-2.12.3
-
diff --git a/libXdmcp-1.1.2.tar.bz2 b/libXdmcp-1.1.2.tar.bz2
deleted file mode 100644
index 980341f..0000000
--- a/libXdmcp-1.1.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:81fe09867918fff258296e1e1e159f0dc639cb30d201c53519f25ab73af4e4e2
-size 331518
diff --git a/libXdmcp-1.1.3.tar.bz2 b/libXdmcp-1.1.3.tar.bz2
new file mode 100644
index 0000000..89df051
--- /dev/null
+++ b/libXdmcp-1.1.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:20523b44aaa513e17c009e873ad7bbc301507a3224c232610ce2e099011c6529
+size 332795
diff --git a/libXdmcp.changes b/libXdmcp.changes
index 02f02b1..b7a9132 100644
--- a/libXdmcp.changes
+++ b/libXdmcp.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Mar 21 15:09:26 UTC 2019 - Stefan Dirsch
+
+- Update to version 1.1.3
+ * This release provides a fix for CVE-2017-2625 for platforms which don't have
+ arc4random_buf() in their default libraries but do have getentropy(), such
+ as Linux platforms with a kernel version of 3.17 or newer and a glibc version
+ of 2.25 or newer. (libXdmcp 1.1.2 already ensured that arc4random_buf()
+ is used on platforms that have it to provide sufficient entropy in XDMCP
+ key generation, but left other platforms with the weaker methods. Linux
+ platforms could also have linked against libbsd to use arc4random_buf()
+ with libXdmcp 1.1.2 for stronger keys.)
+- supersedes U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch,
+ U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+
 -------------------------------------------------------------------
 Sun Jun 11 20:28:03 UTC 2017 - sndirsch@suse.com
diff --git a/libXdmcp.spec b/libXdmcp.spec
index 319c754..f059081 100644
--- a/libXdmcp.spec
+++ b/libXdmcp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libXdmcp
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@ Name: libXdmcp
 %define lname libXdmcp6
-Version: 1.1.2
+Version: 1.1.3
 Release: 0
 Summary: X Display Manager Control Protocol library
 License: MIT
@@ -29,8 +29,6 @@ Url: http://xorg.freedesktop.org/
 #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXdmcp/
 Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 Source1: baselibs.conf
-Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch
-Patch1: U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: autoconf >= 2.60
 BuildRequires: automake
@@ -86,8 +84,6 @@ in %lname.
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
 %build
 autoreconf -fi