From d68abb9458884078855a3213ea90f8bec879c423b1b8957a4753a117a9bba4ae Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Sun, 11 Jun 2017 20:31:23 +0000
Subject: [PATCH] - U_Use-getentropy-if-arc4random_buf-is-not-available.patch * Use getentropy() if arc4random_buf() is not available (bsc#1025046, CVE-2017-2625) - U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch * Fix compilation error when arc4random_buf is not available
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libXdmcp?expand=0&rev=12
---
 ...error-when-arc4random_buf-is-not-ava.patch | 55 ++++++++++++
 ...y-if-arc4random_buf-is-not-available.patch | 89 +++++++++++++++++++
 libXdmcp.changes | 9 ++
 libXdmcp.spec | 13 ++-
 4 files changed, 163 insertions(+), 3 deletions(-)
 create mode 100644 U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
 create mode 100644 U_Use-getentropy-if-arc4random_buf-is-not-available.patch
diff --git a/U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch b/U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
new file mode 100644
index 0000000..cd73019
--- /dev/null
+++ b/U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
@@ -0,0 +1,55 @@
+From 6d1aee0310001eca8f6ded9814a2a70b3a774896 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires
+Date: Thu, 4 May 2017 11:12:13 +0200
+Subject: [PATCH 2/2] Fix compilation error when arc4random_buf is not
+ available
+
+Not sure how I missed that, but I did.
+
+Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as
+requested in the previous patch reviews.
+
+Last, getbits() expects an unsigned char, so remove the warning.
+
+Signed-off-by: Benjamin Tissoires
+Reviewed-by: Peter Hutterer
+Signed-off-by: Peter Hutterer
+---
+ Key.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Key.c b/Key.c
+index 70607d0..d61ad0e 100644
+--- a/Key.c
++++ b/Key.c
+@@ -65,15 +65,15 @@ getbits (long data, unsigned char *dst)
+ #ifndef HAVE_ARC4RANDOM_BUF
+
+ static void
+-emulate_getrandom_buf (char *auth, int len)
++insecure_getrandom_buf (unsigned char *auth, int len)
+ {
+ long lowbits, highbits;
+
+ srandom ((int)getpid() ^ time((Time_t *)0));
+ lowbits = random ();
+ highbits = random ();
+- getbits (lowbits, key->data);
+- getbits (highbits, key->data + 4);
++ getbits (lowbits, auth);
++ getbits (highbits, auth + 4);
+ }
+
+ static void
+@@ -88,7 +88,7 @@ arc4random_buf (void *auth, int len)
+ return;
+ #endif /* HAVE_GETENTROPY */
+
+- emulate_getrandom_buf (auth, len);
++ insecure_getrandom_buf (auth, len);
+ }
+
+ #endif /* !defined(HAVE_ARC4RANDOM_BUF) */
+--
+2.12.3
+
diff --git a/U_Use-getentropy-if-arc4random_buf-is-not-available.patch b/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
new file mode 100644
index 0000000..81bcae1
--- /dev/null
+++ b/U_Use-getentropy-if-arc4random_buf-is-not-available.patch
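Review bot: insecure_getrandom_buf() ignores its `len` parameter and always writes exactly 8 bytes (`getbits (lowbits, auth); getbits (highbits, auth + 4);`), even though it sits behind arc4random_buf (void *auth, int len), which advertises an arbitrary-length contract. That is safe today only because the single caller visible in the sibling patch passes 8; a future call with a larger len would leave part of the key uninitialized and a smaller one would overrun the buffer, with nothing but an unused-parameter warning to hint at it. Filling the buffer in a loop sized by getbits() — which appears to emit 4 bytes per call, judging by the `auth + 4` offset — makes the helper honour len and removes the warning; the PID/time seeding is left as is, since this is the documented insecure fallback. Key.c's includes are outside the hunk, so the tail copy below avoids memcpy rather than assume <string.h>.
```c
static void
insecure_getrandom_buf (unsigned char *auth, int len)
{
    srandom ((int)getpid() ^ time((Time_t *)0));
    /* getbits() emits 4 bytes per random() result: fill whole words first */
    while (len >= 4) {
        getbits (random (), auth);
        auth += 4;
        len -= 4;
    }
    /* ... then any 1-3 byte tail, without writing past the buffer */
    if (len > 0) {
        unsigned char tail[4];
        int i;
        getbits (random (), tail);
        for (i = 0; i < len; i++)
            auth[i] = tail[i];
    }
}
```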
@@ -0,0 +1,89 @@
+From 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires
+Date: Tue, 4 Apr 2017 19:13:38 +0200
+Subject: [PATCH 1/2] Use getentropy() if arc4random_buf() is not available
+
+This allows to fix CVE-2017-2625 on Linux platforms without pulling in
+libbsd.
+The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
+For Linux, we need at least a v3.17 kernel. If the recommended
+arc4random_buf() function is not available, emulate it by first trying
+to use getentropy() on a supported glibc and kernel. If the call fails,
+fall back to the current (vulnerable) code.
+
+Signed-off-by: Benjamin Tissoires
+Reviewed-by: Mark Kettenis
+Reviewed-by: Alan Coopersmith
+Signed-off-by: Peter Hutterer
+---
+ Key.c | 31 ++++++++++++++++++++++++++-----
+ configure.ac | 2 +-
+ 2 files changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/Key.c b/Key.c
+index a09b316..70607d0 100644
+--- a/Key.c
++++ b/Key.c
+@@ -62,10 +62,11 @@ getbits (long data, unsigned char *dst)
+ #define getpid(x) _getpid(x)
+ #endif
+
+-void
+-XdmcpGenerateKey (XdmAuthKeyPtr key)
+-{
+ #ifndef HAVE_ARC4RANDOM_BUF
++
++static void
++emulate_getrandom_buf (char *auth, int len)
++{
+ long lowbits, highbits;
+
+ srandom ((int)getpid() ^ time((Time_t *)0));
+@@ -73,9 +74,29 @@ XdmcpGenerateKey (XdmAuthKeyPtr key)
+ highbits = random ();
+ getbits (lowbits, key->data);
+ getbits (highbits, key->data + 4);
+-#else
++}
++
++static void
++arc4random_buf (void *auth, int len)
++{
++ int ret;
++
++#if HAVE_GETENTROPY
++ /* weak emulation of arc4random through the getentropy libc call */
++ ret = getentropy (auth, len);
++ if (ret == 0)
++ return;
++#endif /* HAVE_GETENTROPY */
++
++ emulate_getrandom_buf (auth, len);
++}
++
++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
++
++void
++XdmcpGenerateKey (XdmAuthKeyPtr key)
++{
+ arc4random_buf(key->data, 8);
+-#endif
+ }
+
+ int
+diff --git a/configure.ac b/configure.ac
+index 2288502..d2b045d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -65,7 +65,7 @@ esac
+
+ # Checks for library functions.
+ AC_CHECK_LIB([bsd], [arc4random_buf])
+-AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf])
++AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy])
+
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XDMCP, xproto)
+--
+2.12.3
+
diff --git a/libXdmcp.changes b/libXdmcp.changes
index 4cc9692..02f02b1 100644
--- a/libXdmcp.changes
+++ b/libXdmcp.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sun Jun 11 20:28:03 UTC 2017 - sndirsch@suse.com
+
+- U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+ * Use getentropy() if arc4random_buf() is not available
+ (bsc#1025046, CVE-2017-2625)
+- U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
+ * Fix compilation error when arc4random_buf is not available
+
 -------------------------------------------------------------------
 Mon Mar 23 08:43:36 UTC 2015 - sndirsch@suse.com
diff --git a/libXdmcp.spec b/libXdmcp.spec
index e0e0f59..319c754 100644
--- a/libXdmcp.spec
+++ b/libXdmcp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libXdmcp
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
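Review bot: The arc4random_buf() emulation falls through to emulate_getrandom_buf() silently whenever getentropy() returns non-zero (`if (ret == 0) return;` followed by the unconditional fallback call), so on a system where the libc has getentropy() but the call fails at runtime — the commit message itself names a v3.17 kernel as the floor — the XDM-AUTHORIZATION-1 key quietly comes from a PRNG seeded with `getpid() ^ time()`, which is exactly the CVE-2017-2625 weakness, and neither arc4random_buf() nor XdmcpGenerateKey() (both void) can tell the caller. At minimum the fallback call deserves a comment such as `/* getentropy() failed: key is predictable (CVE-2017-2625) and callers cannot be told */`, and an upstream follow-up that lets XdmcpGenerateKey() report failure instead of handing out a guessable key would be the real fix. Separately, `int ret;` is declared outside the `#if HAVE_GETENTROPY` block and is unused when that macro is not defined; `if (getentropy (auth, len) == 0) return;` inside the guard avoids the unused-variable warning. Key.c's includes are outside this hunk — confirm a prototype for getentropy() is in scope (glibc appears to declare it in <unistd.h> only under _DEFAULT_SOURCE), otherwise the call is an implicit declaration.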
@@ -29,8 +29,12 @@ Url: http://xorg.freedesktop.org/
 #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXdmcp/
 Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 Source1: baselibs.conf
+Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+Patch1: U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-#git#BuildRequires: autoconf >= 2.60, automake, libtool
+BuildRequires: autoconf >= 2.60
+BuildRequires: automake
+BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(xorg-macros) >= 1.12
 BuildRequires: pkgconfig(xproto)
@@ -46,8 +50,8 @@ display.
 %package -n %lname
 Summary: X Display Manager Control Protocol library
-Group: System/Libraries
 # O/P added for 12.2
+Group: System/Libraries
 Provides: xorg-x11-libXdmcp = 7.6_%version-%release
 Obsoletes: xorg-x11-libXdmcp < 7.6_%version-%release
@@ -82,8 +86,11 @@ in %lname.
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 %build
+autoreconf -fi
 %configure --docdir=%_docdir/%name --disable-static
 make %{?_smp_mflags}
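Review bot: Nothing in %build verifies that the CVE-2017-2625 fix actually took effect: the patched configure.ac only adds getentropy to AC_CHECK_FUNCS, and the patched Key.c falls back to the PID/time-seeded PRNG whenever neither HAVE_ARC4RANDOM_BUF nor HAVE_GETENTROPY is defined, so a build against a glibc older than 2.25 (the version the upstream patch names) without libbsd-devel present for the `AC_CHECK_LIB([bsd], [arc4random_buf])` probe silently ships a library still carrying the weakness while the changelog entry claims it fixed. A one-line guard after `%configure` turns that into a build failure, e.g. `grep -qE '^#define HAVE_(GETENTROPY|ARC4RANDOM_BUF) 1' config.h` (substitute whatever header configure.ac's AC_CONFIG_HEADERS names; it is not visible here). For targets whose glibc predates getentropy(), `BuildRequires: libbsd-devel` would make the arc4random_buf path available instead of the fallback.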