Accepting request 312322 from home:tobijk:X11:XOrg
- Update to version 1.17.2: Pick up a pile of fixes from master. Notable highlights: + Fix for CVE-2015-3164 in Xwayland + Fix int10 setup for vesa + Fix regression in server-interpreted auth + Fix fb setup on big-endian CPUs + Build fix for gcc5 - Dropped patches: + Patch110: u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch + Patch113: u_symbols-Fix-sdksyms.sh-to-cope-with-gcc5.patch + Patch116: U_os-XDMCP-options-like-query-etc-should-imply-listen.patch + Patch118: U_int10-Fix-error-check-for-pci_device_map_legacy.patch + Patch119: U_xwayland-enable-access-control-on-open-socket.patch + Patch120: U_os-support-new-implicit-local-user-access-mode.patch + Patch121: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch + Patch2000: U_systemd-logind-filter-out-non-signal-messages-from.patch + Patch2001: U_systemd-logind-dont-second-guess-D-Bus-default-tim.patch - Changed patches to work with the new version: + Patch114: u_ad-hoc-fix-for-mmap-s-truncated-offset-parameter-on-.patch OBS-URL: https://build.opensuse.org/request/show/312322 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=576
parent
bc8b5dc1a8
commit
fbcb773284
@ -1,45 +0,0 @@
|
||||
From: Jürg Billeter <j@bitron.ch>
|
||||
Date: Sat Feb 7 18:13:21 2015 +0100
|
||||
Subject: [PATCH]int10: Fix error check for pci_device_map_legacy
|
||||
Patch-mainline: Upstream
|
||||
Git-commit: 0a78b599b34cc8b5fe6fe82f90e90234e8ab7a56
|
||||
Git-repo: git://anongit.freedesktop.org/git/xorg/xserver
|
||||
References: bsc#932319
|
||||
Signed-off-by: Egbert Eich <eich@suse.com>
|
||||
|
||||
pci_device_map_legacy returns 0 on success.
|
||||
|
||||
Signed-off-by: Jürg Billeter <j@bitron.ch>
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
hw/xfree86/int10/generic.c | 2 +-
|
||||
hw/xfree86/os-support/linux/int10/linux.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/xfree86/int10/generic.c b/hw/xfree86/int10/generic.c
|
||||
index 012d194..8d5c4da 100644
|
||||
--- a/hw/xfree86/int10/generic.c
|
||||
+++ b/hw/xfree86/int10/generic.c
|
||||
@@ -104,7 +104,7 @@ readIntVec(struct pci_device *dev, unsigned char *buf, int len)
|
||||
{
|
||||
void *map;
|
||||
|
||||
- if (!pci_device_map_legacy(dev, 0, len, 0, &map))
|
||||
+ if (pci_device_map_legacy(dev, 0, len, 0, &map))
|
||||
return FALSE;
|
||||
|
||||
memcpy(buf, map, len);
|
||||
diff --git a/hw/xfree86/os-support/linux/int10/linux.c b/hw/xfree86/os-support/linux/int10/linux.c
|
||||
index 79b9a88..6ca118f 100644
|
||||
--- a/hw/xfree86/os-support/linux/int10/linux.c
|
||||
+++ b/hw/xfree86/os-support/linux/int10/linux.c
|
||||
@@ -75,7 +75,7 @@ readLegacy(struct pci_device *dev, unsigned char *buf, int base, int len)
|
||||
{
|
||||
void *map;
|
||||
|
||||
- if (!pci_device_map_legacy(dev, base, len, 0, &map))
|
||||
+ if (pci_device_map_legacy(dev, base, len, 0, &map))
|
||||
return FALSE;
|
||||
|
||||
memcpy(buf, map, len);
|
@ -1,82 +0,0 @@
|
||||
Git-commit: 491cf02e191e70c5ce24c19da880bb79bebfc03c
|
||||
Author: Jon TURNEY <jon.turney@dronecode.org.uk>
|
||||
Subject: os: XDMCP options like -query etc. should imply -listen tcp
|
||||
Patch-Mainline: Upstream
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
|
||||
In X server 1.17, the default configuration is now -nolisten tcp. In this
|
||||
configuration, XDMCP options don't work usefully, as the X server is not
|
||||
listening on the port for the display that it tells the display manager to
|
||||
connect to.
|
||||
|
||||
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
|
||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
||||
---
|
||||
os/xdmcp.c | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/os/xdmcp.c b/os/xdmcp.c
|
||||
index b6e97c9..bc5a707 100644
|
||||
--- a/os/xdmcp.c
|
||||
+++ b/os/xdmcp.c
|
||||
@@ -48,6 +48,11 @@
|
||||
#include <netdir.h>
|
||||
#endif
|
||||
|
||||
+#define XSERV_t
|
||||
+#define TRANS_SERVER
|
||||
+#define TRANS_REOPEN
|
||||
+#include <X11/Xtrans/Xtrans.h>
|
||||
+
|
||||
#ifdef XDMCP
|
||||
#undef REQUEST
|
||||
|
||||
@@ -242,6 +247,14 @@ XdmcpUseMsg(void)
|
||||
ErrorF("-displayID display-id manufacturer display ID for request\n");
|
||||
}
|
||||
|
||||
+static void
|
||||
+XdmcpDefaultListen(void)
|
||||
+{
|
||||
+ /* Even when configured --disable-listen-tcp, we should listen on tcp in
|
||||
+ XDMCP modes */
|
||||
+ _XSERVTransListen("tcp");
|
||||
+}
|
||||
+
|
||||
int
|
||||
XdmcpOptions(int argc, char **argv, int i)
|
||||
{
|
||||
@@ -249,11 +262,13 @@ XdmcpOptions(int argc, char **argv, int i)
|
||||
get_manager_by_name(argc, argv, i++);
|
||||
XDM_INIT_STATE = XDM_QUERY;
|
||||
AccessUsingXdmcp();
|
||||
+ XdmcpDefaultListen();
|
||||
return i + 1;
|
||||
}
|
||||
if (strcmp(argv[i], "-broadcast") == 0) {
|
||||
XDM_INIT_STATE = XDM_BROADCAST;
|
||||
AccessUsingXdmcp();
|
||||
+ XdmcpDefaultListen();
|
||||
return i + 1;
|
||||
}
|
||||
#if defined(IPv6) && defined(AF_INET6)
|
||||
@@ -261,6 +276,7 @@ XdmcpOptions(int argc, char **argv, int i)
|
||||
i = get_mcast_options(argc, argv, ++i);
|
||||
XDM_INIT_STATE = XDM_MULTICAST;
|
||||
AccessUsingXdmcp();
|
||||
+ XdmcpDefaultListen();
|
||||
return i + 1;
|
||||
}
|
||||
#endif
|
||||
@@ -268,6 +284,7 @@ XdmcpOptions(int argc, char **argv, int i)
|
||||
get_manager_by_name(argc, argv, i++);
|
||||
XDM_INIT_STATE = XDM_INDIRECT;
|
||||
AccessUsingXdmcp();
|
||||
+ XdmcpDefaultListen();
|
||||
return i + 1;
|
||||
}
|
||||
if (strcmp(argv[i], "-port") == 0) {
|
||||
--
|
||||
2.3.3
|
||||
|
@ -1,245 +0,0 @@
|
||||
Subject: os: support new implicit local user access mode
|
||||
Author: Ray Strode <rstrode@redhat.com>
|
||||
Path-mainline: Upstream
|
||||
Git-commit: 4b4b9086d02b80549981d205fb1f495edc373538
|
||||
References: bnc#934102 CVE-2015-3164
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
|
||||
If the X server is started without a '-auth' argument, then
|
||||
it gets started wide open to all local users on the system.
|
||||
|
||||
This isn't a great default access model, but changing it in
|
||||
Xorg at this point would break backward compatibility.
|
||||
|
||||
Xwayland, on the other hand is new, and much more targeted
|
||||
in scope. It could, in theory, be changed to allow the much
|
||||
more secure default of a "user who started X server can connect
|
||||
clients to that server."
|
||||
|
||||
This commit paves the way for that change, by adding a mechanism
|
||||
for DDXs to opt-in to that behavior. They merely need to call
|
||||
|
||||
LocalAccessScopeUser()
|
||||
|
||||
in their init functions.
|
||||
|
||||
A subsequent commit will add that call for Xwayland.
|
||||
|
||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
||||
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
||||
|
||||
diff --git a/include/os.h b/include/os.h
|
||||
index 6638c84..b2b96c8 100644
|
||||
--- a/include/os.h
|
||||
+++ b/include/os.h
|
||||
@@ -431,11 +431,28 @@ extern _X_EXPORT void
|
||||
ResetHosts(const char *display);
|
||||
|
||||
extern _X_EXPORT void
|
||||
+EnableLocalAccess(void);
|
||||
+
|
||||
+extern _X_EXPORT void
|
||||
+DisableLocalAccess(void);
|
||||
+
|
||||
+extern _X_EXPORT void
|
||||
EnableLocalHost(void);
|
||||
|
||||
extern _X_EXPORT void
|
||||
DisableLocalHost(void);
|
||||
|
||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
||||
+extern _X_EXPORT void
|
||||
+EnableLocalUser(void);
|
||||
+
|
||||
+extern _X_EXPORT void
|
||||
+DisableLocalUser(void);
|
||||
+
|
||||
+extern _X_EXPORT void
|
||||
+LocalAccessScopeUser(void);
|
||||
+#endif
|
||||
+
|
||||
extern _X_EXPORT void
|
||||
AccessUsingXdmcp(void);
|
||||
|
||||
diff --git a/os/access.c b/os/access.c
|
||||
index 8fa028e..75e7a69 100644
|
||||
--- a/os/access.c
|
||||
+++ b/os/access.c
|
||||
@@ -102,6 +102,10 @@ SOFTWARE.
|
||||
#include <sys/ioctl.h>
|
||||
#include <ctype.h>
|
||||
|
||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
||||
+#include <pwd.h>
|
||||
+#endif
|
||||
+
|
||||
#if defined(TCPCONN) || defined(STREAMSCONN)
|
||||
#include <netinet/in.h>
|
||||
#endif /* TCPCONN || STREAMSCONN */
|
||||
@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
|
||||
static int LocalHostRequested = FALSE;
|
||||
static int UsingXdmcp = FALSE;
|
||||
|
||||
+static enum {
|
||||
+ LOCAL_ACCESS_SCOPE_HOST = 0,
|
||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
||||
+ LOCAL_ACCESS_SCOPE_USER,
|
||||
+#endif
|
||||
+} LocalAccessScope;
|
||||
+
|
||||
/* FamilyServerInterpreted implementation */
|
||||
static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
|
||||
ClientPtr client);
|
||||
@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
|
||||
*/
|
||||
|
||||
void
|
||||
+EnableLocalAccess(void)
|
||||
+{
|
||||
+ switch (LocalAccessScope) {
|
||||
+ case LOCAL_ACCESS_SCOPE_HOST:
|
||||
+ EnableLocalHost();
|
||||
+ break;
|
||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
||||
+ case LOCAL_ACCESS_SCOPE_USER:
|
||||
+ EnableLocalUser();
|
||||
+ break;
|
||||
+#endif
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void
|
||||
EnableLocalHost(void)
|
||||
{
|
||||
if (!UsingXdmcp) {
|
||||
@@ -249,6 +275,21 @@ EnableLocalHost(void)
|
||||
* called when authorization is enabled to keep us secure
|
||||
*/
|
||||
void
|
||||
+DisableLocalAccess(void)
|
||||
+{
|
||||
+ switch (LocalAccessScope) {
|
||||
+ case LOCAL_ACCESS_SCOPE_HOST:
|
||||
+ DisableLocalHost();
|
||||
+ break;
|
||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
||||
+ case LOCAL_ACCESS_SCOPE_USER:
|
||||
+ DisableLocalUser();
|
||||
+ break;
|
||||
+#endif
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void
|
||||
DisableLocalHost(void)
|
||||
{
|
||||
HOST *self;
|
||||
@@ -262,6 +303,74 @@ DisableLocalHost(void)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
||||
+static int GetLocalUserAddr(char **addr)
|
||||
+{
|
||||
+ static const char *type = "localuser";
|
||||
+ static const char delimiter = '\0';
|
||||
+ static const char *value;
|
||||
+ struct passwd *pw;
|
||||
+ int length = -1;
|
||||
+
|
||||
+ pw = getpwuid(getuid());
|
||||
+
|
||||
+ if (pw == NULL || pw->pw_name == NULL)
|
||||
+ goto out;
|
||||
+
|
||||
+ value = pw->pw_name;
|
||||
+
|
||||
+ length = asprintf(addr, "%s%c%s", type, delimiter, value);
|
||||
+
|
||||
+ if (length == -1) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* Trailing NUL */
|
||||
+ length++;
|
||||
+
|
||||
+out:
|
||||
+ return length;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+EnableLocalUser(void)
|
||||
+{
|
||||
+ char *addr = NULL;
|
||||
+ int length = -1;
|
||||
+
|
||||
+ length = GetLocalUserAddr(&addr);
|
||||
+
|
||||
+ if (length == -1)
|
||||
+ return;
|
||||
+
|
||||
+ NewHost(FamilyServerInterpreted, addr, length, TRUE);
|
||||
+
|
||||
+ free(addr);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+DisableLocalUser(void)
|
||||
+{
|
||||
+ char *addr = NULL;
|
||||
+ int length = -1;
|
||||
+
|
||||
+ length = GetLocalUserAddr(&addr);
|
||||
+
|
||||
+ if (length == -1)
|
||||
+ return;
|
||||
+
|
||||
+ RemoveHost(NULL, FamilyServerInterpreted, length, addr);
|
||||
+
|
||||
+ free(addr);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+LocalAccessScopeUser(void)
|
||||
+{
|
||||
+ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* called at init time when XDMCP will be used; xdmcp always
|
||||
* adds local hosts manually when needed
|
||||
diff --git a/os/auth.c b/os/auth.c
|
||||
index 5fcb538..7da6fc6 100644
|
||||
--- a/os/auth.c
|
||||
+++ b/os/auth.c
|
||||
@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
|
||||
|
||||
/*
|
||||
* If the authorization file has at least one entry for this server,
|
||||
- * disable local host access. (loadauth > 0)
|
||||
+ * disable local access. (loadauth > 0)
|
||||
*
|
||||
* If there are zero entries (either initially or when the
|
||||
* authorization file is later reloaded), or if a valid
|
||||
- * authorization file was never loaded, enable local host access.
|
||||
+ * authorization file was never loaded, enable local access.
|
||||
* (loadauth == 0 || !loaded)
|
||||
*
|
||||
* If the authorization file was loaded initially (with valid
|
||||
@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
|
||||
*/
|
||||
|
||||
if (loadauth > 0) {
|
||||
- DisableLocalHost(); /* got at least one */
|
||||
+ DisableLocalAccess(); /* got at least one */
|
||||
loaded = TRUE;
|
||||
}
|
||||
else if (loadauth == 0 || !loaded)
|
||||
- EnableLocalHost();
|
||||
+ EnableLocalAccess();
|
||||
}
|
||||
if (name_length) {
|
||||
for (i = 0; i < NUM_AUTHORIZATION; i++) {
|
@ -1,96 +0,0 @@
|
||||
From b1029716e41e252f149b82124a149da180607c96 Mon Sep 17 00:00:00 2001
|
||||
From: Ray Strode <rstrode@redhat.com>
|
||||
Date: Thu, 16 Apr 2015 11:28:16 -0400
|
||||
Subject: systemd-logind: don't second guess D-Bus default timeout
|
||||
|
||||
At the moment, the X server uses a non-default timeout for D-Bus
|
||||
messages to systemd-logind. The only timeouts normally used with
|
||||
D-Bus are:
|
||||
|
||||
1) Infinite
|
||||
2) Default
|
||||
|
||||
Anything else is just as arbitrary as Default, and so rarely makes
|
||||
sense to use instead of Default.
|
||||
|
||||
Put another way, there's little reason to be fault tolerant against
|
||||
a local root running daemon (logind), that in some configurations, the
|
||||
X server already depends on for proper functionality.
|
||||
|
||||
This commit changes systemd-logind to just use the default timeouts.
|
||||
|
||||
Downstream-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1209347
|
||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
||||
|
||||
diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
index 57c87c0..4ad41a3 100644
|
||||
--- a/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
@@ -40,8 +40,6 @@
|
||||
|
||||
#include "systemd-logind.h"
|
||||
|
||||
-#define DBUS_TIMEOUT 500 /* Wait max 0.5 seconds */
|
||||
-
|
||||
struct systemd_logind_info {
|
||||
DBusConnection *conn;
|
||||
char *session;
|
||||
@@ -130,7 +128,7 @@ systemd_logind_take_fd(int _major, int _minor, const char *path,
|
||||
}
|
||||
|
||||
reply = dbus_connection_send_with_reply_and_block(info->conn, msg,
|
||||
- DBUS_TIMEOUT, &error);
|
||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
||||
if (!reply) {
|
||||
LogMessage(X_ERROR, "systemd-logind: failed to take device %s: %s\n",
|
||||
path, error.message);
|
||||
@@ -207,7 +205,7 @@ systemd_logind_release_fd(int _major, int _minor, int fd)
|
||||
}
|
||||
|
||||
reply = dbus_connection_send_with_reply_and_block(info->conn, msg,
|
||||
- DBUS_TIMEOUT, &error);
|
||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
||||
if (!reply)
|
||||
LogMessage(X_ERROR, "systemd-logind: failed to release device: %s\n",
|
||||
error.message);
|
||||
@@ -289,7 +287,7 @@ systemd_logind_ack_pause(struct systemd_logind_info *info,
|
||||
}
|
||||
|
||||
reply = dbus_connection_send_with_reply_and_block(info->conn, msg,
|
||||
- DBUS_TIMEOUT, &error);
|
||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
||||
if (!reply)
|
||||
LogMessage(X_ERROR, "systemd-logind: failed to ack pause: %s\n",
|
||||
error.message);
|
||||
@@ -457,7 +455,7 @@ connect_hook(DBusConnection *connection, void *data)
|
||||
}
|
||||
|
||||
reply = dbus_connection_send_with_reply_and_block(connection, msg,
|
||||
- DBUS_TIMEOUT, &error);
|
||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
||||
if (!reply) {
|
||||
LogMessage(X_ERROR, "systemd-logind: failed to get session: %s\n",
|
||||
error.message);
|
||||
@@ -492,7 +490,7 @@ connect_hook(DBusConnection *connection, void *data)
|
||||
}
|
||||
|
||||
reply = dbus_connection_send_with_reply_and_block(connection, msg,
|
||||
- DBUS_TIMEOUT, &error);
|
||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
||||
if (!reply) {
|
||||
LogMessage(X_ERROR, "systemd-logind: TakeControl failed: %s\n",
|
||||
error.message);
|
||||
@@ -564,7 +562,7 @@ systemd_logind_release_control(struct systemd_logind_info *info)
|
||||
}
|
||||
|
||||
reply = dbus_connection_send_with_reply_and_block(info->conn, msg,
|
||||
- DBUS_TIMEOUT, &error);
|
||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
||||
if (!reply) {
|
||||
LogMessage(X_ERROR, "systemd-logind: ReleaseControl failed: %s\n",
|
||||
error.message);
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
@ -1,36 +0,0 @@
|
||||
From 792e9251670ce94210df5c6d354059bbb97f4478 Mon Sep 17 00:00:00 2001
|
||||
From: Ray Strode <rstrode@redhat.com>
|
||||
Date: Thu, 16 Apr 2015 11:28:15 -0400
|
||||
Subject: systemd-logind: filter out non-signal messages from message filter
|
||||
|
||||
It's possible to receive a message reply in the message filter if a
|
||||
previous message call timed out locally before the reply arrived.
|
||||
|
||||
The message_filter function only handles signals, at the moment, and
|
||||
does not properly handle message replies.
|
||||
|
||||
This commit changes the message_filter function to filter out all
|
||||
non-signal messages, including spurious message replies.
|
||||
|
||||
Downstream-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1209347
|
||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
||||
|
||||
diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
index 49758f4..57c87c0 100644
|
||||
--- a/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
|
||||
@@ -313,6 +313,9 @@ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
|
||||
dbus_int32_t major, minor;
|
||||
char *pause_str;
|
||||
|
||||
+ if (dbus_message_get_type (message) != DBUS_MESSAGE_TYPE_SIGNAL)
|
||||
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
|
||||
+
|
||||
dbus_error_init(&error);
|
||||
|
||||
if (dbus_message_is_signal(message,
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
@ -1,32 +0,0 @@
|
||||
Subject: xwayland: default to local user if no xauth file given.
|
||||
Author: Ray Strode <rstrode@redhat.com>
|
||||
Path-mainline: Upstream
|
||||
Git-commit: 76636ac12f2d1dbdf7be08222f80e7505d53c451
|
||||
References: bnc#934102 CVE-2015-3164
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
|
||||
Right now if "-auth" isn't passed on the command line, we let
|
||||
any user on the system connect to the Xwayland server.
|
||||
|
||||
That's clearly suboptimal, given Xwayland is generally designed
|
||||
to be used by one user at a time.
|
||||
|
||||
This commit changes the behavior, so only the user who started the
|
||||
X server can connect clients to it.
|
||||
|
||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
||||
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
||||
|
||||
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
|
||||
index c5bee77..bc92beb 100644
|
||||
--- a/hw/xwayland/xwayland.c
|
||||
+++ b/hw/xwayland/xwayland.c
|
||||
@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
|
||||
if (AddScreen(xwl_screen_init, argc, argv) == -1) {
|
||||
FatalError("Couldn't add screen\n");
|
||||
}
|
||||
+
|
||||
+ LocalAccessScopeUser();
|
||||
}
|
@ -1,32 +0,0 @@
|
||||
Subject: xwayland: Enable access control on open sockets
|
||||
Author: Ray Strode <rstrode@redhat.com>
|
||||
Path-mainline: Upstream
|
||||
Git-commit: c4534a38b68aa07fb82318040dc8154fb48a9588
|
||||
References: bnc#934102 CVE-2015-3164
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
|
||||
Xwayland currently allows wide-open access to the X sockets
|
||||
it listens on, ignoring Xauth access control.
|
||||
|
||||
This commit makes sure to enable access control on the sockets,
|
||||
so one user can't snoop on another user's X-over-wayland
|
||||
applications.
|
||||
|
||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
||||
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
||||
|
||||
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
|
||||
index 7e8d667..c5bee77 100644
|
||||
--- a/hw/xwayland/xwayland.c
|
||||
+++ b/hw/xwayland/xwayland.c
|
||||
@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
|
||||
int i;
|
||||
|
||||
for (i = 0; i < xwl_screen->listen_fd_count; i++)
|
||||
- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
|
||||
+ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
|
||||
}
|
||||
|
||||
static void
|
@ -14,8 +14,8 @@ index 58d420e..95b34a2 100644
|
||||
--- a/hw/xfree86/drivers/modesetting/dumb_bo.c
|
||||
+++ b/hw/xfree86/drivers/modesetting/dumb_bo.c
|
||||
@@ -25,6 +25,12 @@
|
||||
*
|
||||
*/
|
||||
#include "dix-config.h"
|
||||
#endif
|
||||
|
||||
+/*
|
||||
+ * ad hoc fix for mmap's truncated offset parameter on 32bit
|
||||
|
@ -1,33 +0,0 @@
|
||||
From: Egbert Eich <eich@suse.de>
|
||||
Date: Fri May 23 20:08:29 2014 +0200
|
||||
Subject: [PATCH]connection: avoid crash when CloseWellKnownConnections() gets called twice
|
||||
Patch-mainline: to be upstreamed
|
||||
Git-commit: 74472c4e8e4c873014554f321ec2086066126297
|
||||
Git-repo:
|
||||
References: bnc#879666, bnc#879489
|
||||
Signed-off-by: Egbert Eich <eich@suse.com>
|
||||
|
||||
CloseWellKnownConnections() closes all connections and deallocates
|
||||
their data. Thus all entries in ListenTransConns are invalid.
|
||||
To avoid access to those entries set ListenTransCount to 0.
|
||||
This avoids crashes when CloseWellKnownConnections() is called twice
|
||||
for instance when FatalError() is called on Xserver shutdown.
|
||||
|
||||
Signed-off-by: Egbert Eich <eich@suse.de>
|
||||
---
|
||||
os/connection.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/os/connection.c b/os/connection.c
|
||||
index 162e1d9..3c0b62a 100644
|
||||
--- a/os/connection.c
|
||||
+++ b/os/connection.c
|
||||
@@ -513,6 +513,8 @@ CloseWellKnownConnections(void)
|
||||
|
||||
for (i = 0; i < ListenTransCount; i++)
|
||||
_XSERVTransClose(ListenTransConns[i]);
|
||||
+
|
||||
+ ListenTransCount = 0;
|
||||
}
|
||||
|
||||
static void
|
@ -1,47 +0,0 @@
|
||||
From: Egbert Eich <eich@suse.de>
|
||||
Date: Fri Feb 6 14:56:57 2015 +0100
|
||||
Subject: [PATCH]symbols: Fix sdksyms.sh to cope with gcc5
|
||||
Patch-mainline: to be upstreamed
|
||||
|
||||
References: bnc#916580
|
||||
Signed-off-by: Egbert Eich <eich@suse.com>
|
||||
|
||||
Gcc5 adds additional lines stating line numbers before and
|
||||
after __attribute__() which need to be skipped.
|
||||
|
||||
Signed-off-by: Egbert Eich <eich@suse.de>
|
||||
---
|
||||
hw/xfree86/sdksyms.sh | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/xfree86/sdksyms.sh b/hw/xfree86/sdksyms.sh
|
||||
index d9a4478..2936669 100755
|
||||
--- a/hw/xfree86/sdksyms.sh
|
||||
+++ b/hw/xfree86/sdksyms.sh
|
||||
@@ -353,13 +353,25 @@ BEGIN {
|
||||
if (sdk) {
|
||||
n = 3;
|
||||
|
||||
+ # skip line numbers GCC 5 adds before __attribute__
|
||||
+ while ($n == "" || $0 ~ /^# [0-9]+ "/) {
|
||||
+ getline;
|
||||
+ n = 1;
|
||||
+ }
|
||||
+
|
||||
# skip attribute, if any
|
||||
while ($n ~ /^(__attribute__|__global)/ ||
|
||||
# skip modifiers, if any
|
||||
$n ~ /^\*?(unsigned|const|volatile|struct|_X_EXPORT)$/ ||
|
||||
# skip pointer
|
||||
- $n ~ /^[a-zA-Z0-9_]*\*$/)
|
||||
+ $n ~ /^[a-zA-Z0-9_]*\*$/) {
|
||||
n++;
|
||||
+ # skip line numbers GCC 5 adds after __attribute__
|
||||
+ while ($n == "" || $0 ~ /^# [0-9]+ "/) {
|
||||
+ getline;
|
||||
+ n = 1;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
# type specifier may not be set, as in
|
||||
# extern _X_EXPORT unsigned name(...)
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:2bf8e9f6f0a710dec1d2472467bff1f4e247cb6dcd76eb469aafdc8a2d7db2ab
|
||||
size 5852385
|
3
xorg-server-1.17.2.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f61120612728f2c5034671d0ca3e2273438c60aba93b3dda4a8aa40e6a257993
|
||||
size 5767983
|
@ -1,3 +1,26 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 16 21:07:03 UTC 2015 - tobias.johannes.klausmann@mni.thm.de
|
||||
|
||||
- Update to version 1.17.2:
|
||||
Pick up a pile of fixes from master. Notable highlights:
|
||||
+ Fix for CVE-2015-3164 in Xwayland
|
||||
+ Fix int10 setup for vesa
|
||||
+ Fix regression in server-interpreted auth
|
||||
+ Fix fb setup on big-endian CPUs
|
||||
+ Build fix for for gcc5
|
||||
- Dropped patches:
|
||||
+ Patch110: u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch
|
||||
+ Patch113: u_symbols-Fix-sdksyms.sh-to-cope-with-gcc5.patch
|
||||
+ Patch116: U_os-XDMCP-options-like-query-etc-should-imply-listen.patch
|
||||
+ Patch118: U_int10-Fix-error-check-for-pci_device_map_legacy.patch
|
||||
+ Patch119: U_xwayland-enable-access-control-on-open-socket.patch
|
||||
+ Patch120: U_os-support-new-implicit-local-user-access-mode.patch
|
||||
+ Patch121: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
|
||||
+ Patch2000: U_systemd-logind-filter-out-non-signal-messages-from.patch
|
||||
+ Patch2001: U_systemd-logind-dont-second-guess-D-Bus-default-tim.patch
|
||||
- Changed patches to work with the new version:
|
||||
+ Patch114: u_ad-hoc-fix-for-mmap-s-truncated-offset-parameter-on-.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 12 11:58:43 UTC 2015 - msrb@suse.com
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
|
||||
Name: xorg-x11-server
|
||||
|
||||
%define dirsuffix 1.17.1
|
||||
%define dirsuffix 1.17.2
|
||||
|
||||
Summary: X
|
||||
License: MIT
|
||||
@ -159,21 +159,13 @@ Patch104: u_xorg-server-xdmcp.patch
|
||||
Patch105: ux_xserver_xvfb-randr.patch
|
||||
# PATCH-FIX-UPSTREAM u_exa-only-draw-valid-trapezoids.patch bnc#853846 msrb@suse.com -- Fixes possible crash of server using invalid trapezoids. 2013-12-12 patch is waiting in mailing list to be upstreamed.
|
||||
Patch106: u_exa-only-draw-valid-trapezoids.patch
|
||||
Patch110: u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch
|
||||
Patch111: u_CloseConsole-Don-t-report-FatalError-when-shutting-down.patch
|
||||
Patch112: u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch
|
||||
Patch113: u_symbols-Fix-sdksyms.sh-to-cope-with-gcc5.patch
|
||||
|
||||
Patch114: u_ad-hoc-fix-for-mmap-s-truncated-offset-parameter-on-.patch
|
||||
Patch115: N_Force-swcursor-for-KMS-drivers-without-hw-cursor-sup.patch
|
||||
Patch116: U_os-XDMCP-options-like-query-etc-should-imply-listen.patch
|
||||
|
||||
Patch117: xorg-x11-server-byte-order.patch
|
||||
Patch118: U_int10-Fix-error-check-for-pci_device_map_legacy.patch
|
||||
# PATCH-FIX-UPSTREAM U_xwayland-enable-access-control-on-open-socket.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
|
||||
Patch119: U_xwayland-enable-access-control-on-open-socket.patch
|
||||
# PATCH-FIX-UPSTREAM U_os-support-new-implicit-local-user-access-mode.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
|
||||
Patch120: U_os-support-new-implicit-local-user-access-mode.patch
|
||||
# PATCH-FIX-UPSTREAM U_xwayland-default-to-local-user-if-no-xauth-file-given.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
|
||||
Patch121: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
|
||||
|
||||
Patch1000: n_xserver-optimus-autoconfig-hack.patch
|
||||
|
||||
@ -181,10 +173,6 @@ Patch1162: b_cache-xkbcomp-output-for-fast-start-up.patch
|
||||
Patch1211: b_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch
|
||||
Patch1222: b_sync-fix.patch
|
||||
|
||||
# PATCH-FIX-UPSTREAM U_systemd-logind-* rh#1209347 antoine.belvire@laposte.net -- Fix Gnome X session for some hybrid graphics
|
||||
Patch2000: U_systemd-logind-filter-out-non-signal-messages-from.patch
|
||||
Patch2001: U_systemd-logind-dont-second-guess-D-Bus-default-tim.patch
|
||||
|
||||
%description
|
||||
This package contains the X.Org Server.
|
||||
|
||||
@ -262,24 +250,17 @@ cp %{SOURCE90} .
|
||||
%patch104 -p1
|
||||
%patch105 -p1
|
||||
%patch106 -p1
|
||||
%patch110 -p1
|
||||
|
||||
%patch111 -p1
|
||||
%patch112 -p1
|
||||
%patch113 -p1
|
||||
|
||||
%patch114 -p1
|
||||
%patch115 -p1
|
||||
%patch116 -p1
|
||||
|
||||
%patch117 -p1
|
||||
%patch118 -p1
|
||||
%patch119 -p1
|
||||
%patch120 -p1
|
||||
%patch121 -p1
|
||||
|
||||
%patch1000 -p1
|
||||
|
||||
%patch2000 -p1
|
||||
%patch2001 -p1
|
||||
|
||||
### disabled for now
|
||||
#%patch1162 -p1
|
||||
### disabled for now
|
||||
|
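Review bot: Patch110 is dropped from the spec (the `Patch110:` line and `%patch110 -p1`) although the deleted patch's own header reads `Patch-mainline: to be upstreamed`, and none of the 1.17.2 highlights in the changelog names a fix for the crash when CloseWellKnownConnections() is called twice (bnc#879666, bnc#879489). The patches marked `Patch-mainline: Upstream` carry a Git-commit id that can be checked against the new tarball, including the three CVE-2015-3164 patches (Patch119 to Patch121), but this one gives no such evidence on the page. Before merging, confirm that `os/connection.c` in 1.17.2 resets `ListenTransCount` after closing the listeners and record that in the changelog entry, or keep Patch110. It would also help to keep a spec comment such as `# CVE-2015-3164 (bnc#934102) fixed upstream in 1.17.2` so the security reference does not disappear from the spec along with the patch lines.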