Accepting request 502911 from X11:XOrg

- U_Use-getentropy-if-arc4random_buf-is-not-available.patch * Use getentropy() if arc4random_buf() is not available (bsc#1025046, CVE-2017-2625) - U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch * Fix compilation error when arc4random_buf is not available OBS-URL: https://build.opensuse.org/request/show/502911 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libXdmcp?expand=0&rev=9
2017-06-16 08:53:43 +00:00 · 2017-06-16 08:53:43 +00:00 · e53257487a
commit e53257487a
parent b23e6f16f6 d68abb9458
4 changed files with 163 additions and 3 deletions
--- a/U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
+++ b/U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
@ -0,0 +1,55 @@
+From 6d1aee0310001eca8f6ded9814a2a70b3a774896 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Date: Thu, 4 May 2017 11:12:13 +0200
+Subject: [PATCH 2/2] Fix compilation error when arc4random_buf is not
+ available
+
+Not sure how I missed that, but I did.
+
+Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as
+requested in the previous patch reviews.
+
+Last, getbits() expects an unsigned char, so remove the warning.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Key.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Key.c b/Key.c
+index 70607d0..d61ad0e 100644
+--- a/Key.c
+++ b/Key.c
+@@ -65,15 +65,15 @@ getbits (long data, unsigned char *dst)
+ #ifndef HAVE_ARC4RANDOM_BUF
+ 
+ static void
+-emulate_getrandom_buf (char *auth, int len)
+insecure_getrandom_buf (unsigned char *auth, int len)
+ {
+     long    lowbits, highbits;
+ 
+     srandom ((int)getpid() ^ time((Time_t *)0));
+     lowbits = random ();
+     highbits = random ();
+-    getbits (lowbits, key->data);
+-    getbits (highbits, key->data + 4);
+    getbits (lowbits, auth);
+    getbits (highbits, auth + 4);
+ }
+ 
+ static void
+@@ -88,7 +88,7 @@ arc4random_buf (void *auth, int len)
+ 	return;
+ #endif /* HAVE_GETENTROPY */
+ 
+-    emulate_getrandom_buf (auth, len);
+    insecure_getrandom_buf (auth, len);
+ }
+ 
+ #endif /* !defined(HAVE_ARC4RANDOM_BUF) */
+-- 
+2.12.3
+
--- a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+++ b/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
@ -0,0 +1,89 @@
+From 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Date: Tue, 4 Apr 2017 19:13:38 +0200
+Subject: [PATCH 1/2] Use getentropy() if arc4random_buf() is not available
+
+This allows to fix CVE-2017-2625 on Linux platforms without pulling in
+libbsd.
+The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
+For Linux, we need at least a v3.17 kernel. If the recommended
+arc4random_buf() function is not available, emulate it by first trying
+to use getentropy() on a supported glibc and kernel. If the call fails,
+fall back to the current (vulnerable) code.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Key.c        | 31 ++++++++++++++++++++++++++-----
+ configure.ac |  2 +-
+ 2 files changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/Key.c b/Key.c
+index a09b316..70607d0 100644
+--- a/Key.c
+++ b/Key.c
+@@ -62,10 +62,11 @@ getbits (long data, unsigned char *dst)
+ #define getpid(x) _getpid(x)
+ #endif
+ 
+-void
+-XdmcpGenerateKey (XdmAuthKeyPtr key)
+-{
+ #ifndef HAVE_ARC4RANDOM_BUF
+
+static void
+emulate_getrandom_buf (char *auth, int len)
+{
+     long    lowbits, highbits;
+ 
+     srandom ((int)getpid() ^ time((Time_t *)0));
+@@ -73,9 +74,29 @@ XdmcpGenerateKey (XdmAuthKeyPtr key)
+     highbits = random ();
+     getbits (lowbits, key->data);
+     getbits (highbits, key->data + 4);
+-#else
+}
+
+static void
+arc4random_buf (void *auth, int len)
+{
+    int	    ret;
+
+#if HAVE_GETENTROPY
+    /* weak emulation of arc4random through the getentropy libc call */
+    ret = getentropy (auth, len);
+    if (ret == 0)
+	return;
+#endif /* HAVE_GETENTROPY */
+
+    emulate_getrandom_buf (auth, len);
+}
+
+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
+
+void
+XdmcpGenerateKey (XdmAuthKeyPtr key)
+{
+     arc4random_buf(key->data, 8);
+-#endif
+ }
+ 
+ int
+diff --git a/configure.ac b/configure.ac
+index 2288502..d2b045d 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -65,7 +65,7 @@ esac
+ 
+ # Checks for library functions.
+ AC_CHECK_LIB([bsd], [arc4random_buf])
+-AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf])
+AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy])
+ 
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XDMCP, xproto)
+-- 
+2.12.3
+
--- a/libXdmcp.changes
+++ b/libXdmcp.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sun Jun 11 20:28:03 UTC 2017 - sndirsch@suse.com
+
+- U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+  * Use getentropy() if arc4random_buf() is not available
+    (bsc#1025046, CVE-2017-2625)
+- U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch 
+  * Fix compilation error when arc4random_buf is not available
+
 -------------------------------------------------------------------
 Mon Mar 23 08:43:36 UTC 2015 - sndirsch@suse.com

--- a/libXdmcp.spec
+++ b/libXdmcp.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libXdmcp
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -29,8 +29,12 @@ Url:            http://xorg.freedesktop.org/
 #Git-Web:	http://cgit.freedesktop.org/xorg/lib/libXdmcp/
 Source:         http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
+Patch0:         U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+Patch1:         U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-#git#BuildRequires:	autoconf >= 2.60, automake, libtool
+BuildRequires:  autoconf >= 2.60
+BuildRequires:  automake
+BuildRequires:  libtool
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(xorg-macros) >= 1.12
 BuildRequires:  pkgconfig(xproto)
@ -46,8 +50,8 @@ display.

 %package -n %lname
 Summary:        X Display Manager Control Protocol library
-Group:          System/Libraries
 # O/P added for 12.2
+Group:          System/Libraries
 Provides:       xorg-x11-libXdmcp = 7.6_%version-%release
 Obsoletes:      xorg-x11-libXdmcp < 7.6_%version-%release

@ -82,8 +86,11 @@ in %lname.

 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1

 %build
+autoreconf -fi
 %configure --docdir=%_docdir/%name --disable-static
 make %{?_smp_mflags}