Accepting request 312322 from home:tobijk:X11:XOrg
- Update to version 1.17.2: Pick up a pile of fixes from master. Notable highlights: + Fix for CVE-2015-3164 in Xwayland + Fix int10 setup for vesa + Fix regression in server-interpreted auth + Fix fb setup on big-endian CPUs + Build fix for gcc5 - Dropped patches: + Patch110: u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch + Patch113: u_symbols-Fix-sdksyms.sh-to-cope-with-gcc5.patch + Patch116: U_os-XDMCP-options-like-query-etc-should-imply-listen.patch + Patch118: U_int10-Fix-error-check-for-pci_device_map_legacy.patch + Patch119: U_xwayland-enable-access-control-on-open-socket.patch + Patch120: U_os-support-new-implicit-local-user-access-mode.patch + Patch121: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch + Patch2000: U_systemd-logind-filter-out-non-signal-messages-from.patch + Patch2001: U_systemd-logind-dont-second-guess-D-Bus-default-tim.patch - Changed patches to work with the new version: + Patch114: u_ad-hoc-fix-for-mmap-s-truncated-offset-parameter-on-.patch OBS-URL: https://build.opensuse.org/request/show/312322 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=576
parent
bc8b5dc1a8
commit
fbcb773284
@ -1,45 +0,0 @@
|
|||||||
From: Jürg Billeter <j@bitron.ch>
|
|
||||||
Date: Sat Feb 7 18:13:21 2015 +0100
|
|
||||||
Subject: [PATCH]int10: Fix error check for pci_device_map_legacy
|
|
||||||
Patch-mainline: Upstream
|
|
||||||
Git-commit: 0a78b599b34cc8b5fe6fe82f90e90234e8ab7a56
|
|
||||||
Git-repo: git://anongit.freedesktop.org/git/xorg/xserver
|
|
||||||
References: bsc#932319
|
|
||||||
Signed-off-by: Egbert Eich <eich@suse.com>
|
|
||||||
|
|
||||||
pci_device_map_legacy returns 0 on success.
|
|
||||||
|
|
||||||
Signed-off-by: Jürg Billeter <j@bitron.ch>
|
|
||||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
||||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
---
|
|
||||||
hw/xfree86/int10/generic.c | 2 +-
|
|
||||||
hw/xfree86/os-support/linux/int10/linux.c | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/xfree86/int10/generic.c b/hw/xfree86/int10/generic.c
|
|
||||||
index 012d194..8d5c4da 100644
|
|
||||||
--- a/hw/xfree86/int10/generic.c
|
|
||||||
+++ b/hw/xfree86/int10/generic.c
|
|
||||||
@@ -104,7 +104,7 @@ readIntVec(struct pci_device *dev, unsigned char *buf, int len)
|
|
||||||
{
|
|
||||||
void *map;
|
|
||||||
|
|
||||||
- if (!pci_device_map_legacy(dev, 0, len, 0, &map))
|
|
||||||
+ if (pci_device_map_legacy(dev, 0, len, 0, &map))
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
memcpy(buf, map, len);
|
|
||||||
diff --git a/hw/xfree86/os-support/linux/int10/linux.c b/hw/xfree86/os-support/linux/int10/linux.c
|
|
||||||
index 79b9a88..6ca118f 100644
|
|
||||||
--- a/hw/xfree86/os-support/linux/int10/linux.c
|
|
||||||
+++ b/hw/xfree86/os-support/linux/int10/linux.c
|
|
||||||
@@ -75,7 +75,7 @@ readLegacy(struct pci_device *dev, unsigned char *buf, int base, int len)
|
|
||||||
{
|
|
||||||
void *map;
|
|
||||||
|
|
||||||
- if (!pci_device_map_legacy(dev, base, len, 0, &map))
|
|
||||||
+ if (pci_device_map_legacy(dev, base, len, 0, &map))
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
memcpy(buf, map, len);
|
|
@ -1,82 +0,0 @@
|
|||||||
Git-commit: 491cf02e191e70c5ce24c19da880bb79bebfc03c
|
|
||||||
Author: Jon TURNEY <jon.turney@dronecode.org.uk>
|
|
||||||
Subject: os: XDMCP options like -query etc. should imply -listen tcp
|
|
||||||
Patch-Mainline: Upstream
|
|
||||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
|
||||||
|
|
||||||
In X server 1.17, the default configuration is now -nolisten tcp. In this
|
|
||||||
configuration, XDMCP options don't work usefully, as the X server is not
|
|
||||||
listening on the port for the display that it tells the display manager to
|
|
||||||
connect to.
|
|
||||||
|
|
||||||
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
|
|
||||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
||||||
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
|
||||||
---
|
|
||||||
os/xdmcp.c | 17 +++++++++++++++++
|
|
||||||
1 file changed, 17 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/os/xdmcp.c b/os/xdmcp.c
|
|
||||||
index b6e97c9..bc5a707 100644
|
|
||||||
--- a/os/xdmcp.c
|
|
||||||
+++ b/os/xdmcp.c
|
|
||||||
@@ -48,6 +48,11 @@
|
|
||||||
#include <netdir.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#define XSERV_t
|
|
||||||
+#define TRANS_SERVER
|
|
||||||
+#define TRANS_REOPEN
|
|
||||||
+#include <X11/Xtrans/Xtrans.h>
|
|
||||||
+
|
|
||||||
#ifdef XDMCP
|
|
||||||
#undef REQUEST
|
|
||||||
|
|
||||||
@@ -242,6 +247,14 @@ XdmcpUseMsg(void)
|
|
||||||
ErrorF("-displayID display-id manufacturer display ID for request\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void
|
|
||||||
+XdmcpDefaultListen(void)
|
|
||||||
+{
|
|
||||||
+ /* Even when configured --disable-listen-tcp, we should listen on tcp in
|
|
||||||
+ XDMCP modes */
|
|
||||||
+ _XSERVTransListen("tcp");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int
|
|
||||||
XdmcpOptions(int argc, char **argv, int i)
|
|
||||||
{
|
|
||||||
@@ -249,11 +262,13 @@ XdmcpOptions(int argc, char **argv, int i)
|
|
||||||
get_manager_by_name(argc, argv, i++);
|
|
||||||
XDM_INIT_STATE = XDM_QUERY;
|
|
||||||
AccessUsingXdmcp();
|
|
||||||
+ XdmcpDefaultListen();
|
|
||||||
return i + 1;
|
|
||||||
}
|
|
||||||
if (strcmp(argv[i], "-broadcast") == 0) {
|
|
||||||
XDM_INIT_STATE = XDM_BROADCAST;
|
|
||||||
AccessUsingXdmcp();
|
|
||||||
+ XdmcpDefaultListen();
|
|
||||||
return i + 1;
|
|
||||||
}
|
|
||||||
#if defined(IPv6) && defined(AF_INET6)
|
|
||||||
@@ -261,6 +276,7 @@ XdmcpOptions(int argc, char **argv, int i)
|
|
||||||
i = get_mcast_options(argc, argv, ++i);
|
|
||||||
XDM_INIT_STATE = XDM_MULTICAST;
|
|
||||||
AccessUsingXdmcp();
|
|
||||||
+ XdmcpDefaultListen();
|
|
||||||
return i + 1;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -268,6 +284,7 @@ XdmcpOptions(int argc, char **argv, int i)
|
|
||||||
get_manager_by_name(argc, argv, i++);
|
|
||||||
XDM_INIT_STATE = XDM_INDIRECT;
|
|
||||||
AccessUsingXdmcp();
|
|
||||||
+ XdmcpDefaultListen();
|
|
||||||
return i + 1;
|
|
||||||
}
|
|
||||||
if (strcmp(argv[i], "-port") == 0) {
|
|
||||||
--
|
|
||||||
2.3.3
|
|
||||||
|
|
@ -1,245 +0,0 @@
|
|||||||
Subject: os: support new implicit local user access mode
|
|
||||||
Author: Ray Strode <rstrode@redhat.com>
|
|
||||||
Path-mainline: Upstream
|
|
||||||
Git-commit: 4b4b9086d02b80549981d205fb1f495edc373538
|
|
||||||
References: bnc#934102 CVE-2015-3164
|
|
||||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
|
||||||
|
|
||||||
If the X server is started without a '-auth' argument, then
|
|
||||||
it gets started wide open to all local users on the system.
|
|
||||||
|
|
||||||
This isn't a great default access model, but changing it in
|
|
||||||
Xorg at this point would break backward compatibility.
|
|
||||||
|
|
||||||
Xwayland, on the other hand is new, and much more targeted
|
|
||||||
in scope. It could, in theory, be changed to allow the much
|
|
||||||
more secure default of a "user who started X server can connect
|
|
||||||
clients to that server."
|
|
||||||
|
|
||||||
This commit paves the way for that change, by adding a mechanism
|
|
||||||
for DDXs to opt-in to that behavior. They merely need to call
|
|
||||||
|
|
||||||
LocalAccessScopeUser()
|
|
||||||
|
|
||||||
in their init functions.
|
|
||||||
|
|
||||||
A subsequent commit will add that call for Xwayland.
|
|
||||||
|
|
||||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
|
||||||
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
|
||||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
||||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
||||||
|
|
||||||
diff --git a/include/os.h b/include/os.h
|
|
||||||
index 6638c84..b2b96c8 100644
|
|
||||||
--- a/include/os.h
|
|
||||||
+++ b/include/os.h
|
|
||||||
@@ -431,11 +431,28 @@ extern _X_EXPORT void
|
|
||||||
ResetHosts(const char *display);
|
|
||||||
|
|
||||||
extern _X_EXPORT void
|
|
||||||
+EnableLocalAccess(void);
|
|
||||||
+
|
|
||||||
+extern _X_EXPORT void
|
|
||||||
+DisableLocalAccess(void);
|
|
||||||
+
|
|
||||||
+extern _X_EXPORT void
|
|
||||||
EnableLocalHost(void);
|
|
||||||
|
|
||||||
extern _X_EXPORT void
|
|
||||||
DisableLocalHost(void);
|
|
||||||
|
|
||||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
|
||||||
+extern _X_EXPORT void
|
|
||||||
+EnableLocalUser(void);
|
|
||||||
+
|
|
||||||
+extern _X_EXPORT void
|
|
||||||
+DisableLocalUser(void);
|
|
||||||
+
|
|
||||||
+extern _X_EXPORT void
|
|
||||||
+LocalAccessScopeUser(void);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
extern _X_EXPORT void
|
|
||||||
AccessUsingXdmcp(void);
|
|
||||||
|
|
||||||
diff --git a/os/access.c b/os/access.c
|
|
||||||
index 8fa028e..75e7a69 100644
|
|
||||||
--- a/os/access.c
|
|
||||||
+++ b/os/access.c
|
|
||||||
@@ -102,6 +102,10 @@ SOFTWARE.
|
|
||||||
#include <sys/ioctl.h>
|
|
||||||
#include <ctype.h>
|
|
||||||
|
|
||||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
|
||||||
+#include <pwd.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#if defined(TCPCONN) || defined(STREAMSCONN)
|
|
||||||
#include <netinet/in.h>
|
|
||||||
#endif /* TCPCONN || STREAMSCONN */
|
|
||||||
@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
|
|
||||||
static int LocalHostRequested = FALSE;
|
|
||||||
static int UsingXdmcp = FALSE;
|
|
||||||
|
|
||||||
+static enum {
|
|
||||||
+ LOCAL_ACCESS_SCOPE_HOST = 0,
|
|
||||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
|
||||||
+ LOCAL_ACCESS_SCOPE_USER,
|
|
||||||
+#endif
|
|
||||||
+} LocalAccessScope;
|
|
||||||
+
|
|
||||||
/* FamilyServerInterpreted implementation */
|
|
||||||
static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
|
|
||||||
ClientPtr client);
|
|
||||||
@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
|
|
||||||
*/
|
|
||||||
|
|
||||||
void
|
|
||||||
+EnableLocalAccess(void)
|
|
||||||
+{
|
|
||||||
+ switch (LocalAccessScope) {
|
|
||||||
+ case LOCAL_ACCESS_SCOPE_HOST:
|
|
||||||
+ EnableLocalHost();
|
|
||||||
+ break;
|
|
||||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
|
||||||
+ case LOCAL_ACCESS_SCOPE_USER:
|
|
||||||
+ EnableLocalUser();
|
|
||||||
+ break;
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
EnableLocalHost(void)
|
|
||||||
{
|
|
||||||
if (!UsingXdmcp) {
|
|
||||||
@@ -249,6 +275,21 @@ EnableLocalHost(void)
|
|
||||||
* called when authorization is enabled to keep us secure
|
|
||||||
*/
|
|
||||||
void
|
|
||||||
+DisableLocalAccess(void)
|
|
||||||
+{
|
|
||||||
+ switch (LocalAccessScope) {
|
|
||||||
+ case LOCAL_ACCESS_SCOPE_HOST:
|
|
||||||
+ DisableLocalHost();
|
|
||||||
+ break;
|
|
||||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
|
||||||
+ case LOCAL_ACCESS_SCOPE_USER:
|
|
||||||
+ DisableLocalUser();
|
|
||||||
+ break;
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
DisableLocalHost(void)
|
|
||||||
{
|
|
||||||
HOST *self;
|
|
||||||
@@ -262,6 +303,74 @@ DisableLocalHost(void)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifndef NO_LOCAL_CLIENT_CRED
|
|
||||||
+static int GetLocalUserAddr(char **addr)
|
|
||||||
+{
|
|
||||||
+ static const char *type = "localuser";
|
|
||||||
+ static const char delimiter = '\0';
|
|
||||||
+ static const char *value;
|
|
||||||
+ struct passwd *pw;
|
|
||||||
+ int length = -1;
|
|
||||||
+
|
|
||||||
+ pw = getpwuid(getuid());
|
|
||||||
+
|
|
||||||
+ if (pw == NULL || pw->pw_name == NULL)
|
|
||||||
+ goto out;
|
|
||||||
+
|
|
||||||
+ value = pw->pw_name;
|
|
||||||
+
|
|
||||||
+ length = asprintf(addr, "%s%c%s", type, delimiter, value);
|
|
||||||
+
|
|
||||||
+ if (length == -1) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Trailing NUL */
|
|
||||||
+ length++;
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ return length;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+EnableLocalUser(void)
|
|
||||||
+{
|
|
||||||
+ char *addr = NULL;
|
|
||||||
+ int length = -1;
|
|
||||||
+
|
|
||||||
+ length = GetLocalUserAddr(&addr);
|
|
||||||
+
|
|
||||||
+ if (length == -1)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ NewHost(FamilyServerInterpreted, addr, length, TRUE);
|
|
||||||
+
|
|
||||||
+ free(addr);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+DisableLocalUser(void)
|
|
||||||
+{
|
|
||||||
+ char *addr = NULL;
|
|
||||||
+ int length = -1;
|
|
||||||
+
|
|
||||||
+ length = GetLocalUserAddr(&addr);
|
|
||||||
+
|
|
||||||
+ if (length == -1)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ RemoveHost(NULL, FamilyServerInterpreted, length, addr);
|
|
||||||
+
|
|
||||||
+ free(addr);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+LocalAccessScopeUser(void)
|
|
||||||
+{
|
|
||||||
+ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* called at init time when XDMCP will be used; xdmcp always
|
|
||||||
* adds local hosts manually when needed
|
|
||||||
diff --git a/os/auth.c b/os/auth.c
|
|
||||||
index 5fcb538..7da6fc6 100644
|
|
||||||
--- a/os/auth.c
|
|
||||||
+++ b/os/auth.c
|
|
||||||
@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If the authorization file has at least one entry for this server,
|
|
||||||
- * disable local host access. (loadauth > 0)
|
|
||||||
+ * disable local access. (loadauth > 0)
|
|
||||||
*
|
|
||||||
* If there are zero entries (either initially or when the
|
|
||||||
* authorization file is later reloaded), or if a valid
|
|
||||||
- * authorization file was never loaded, enable local host access.
|
|
||||||
+ * authorization file was never loaded, enable local access.
|
|
||||||
* (loadauth == 0 || !loaded)
|
|
||||||
*
|
|
||||||
* If the authorization file was loaded initially (with valid
|
|
||||||
@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
|
|
||||||
*/
|
|
||||||
|
|
||||||
if (loadauth > 0) {
|
|
||||||
- DisableLocalHost(); /* got at least one */
|
|
||||||
+ DisableLocalAccess(); /* got at least one */
|
|
||||||
loaded = TRUE;
|
|
||||||
}
|
|
||||||
else if (loadauth == 0 || !loaded)
|
|
||||||
- EnableLocalHost();
|
|
||||||
+ EnableLocalAccess();
|
|
||||||
}
|
|
||||||
if (name_length) {
|
|
||||||
for (i = 0; i < NUM_AUTHORIZATION; i++) {
|
|
@ -1,96 +0,0 @@
|
|||||||
From b1029716e41e252f149b82124a149da180607c96 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ray Strode <rstrode@redhat.com>
|
|
||||||
Date: Thu, 16 Apr 2015 11:28:16 -0400
|
|
||||||
Subject: systemd-logind: don't second guess D-Bus default timeout
|
|
||||||
|
|
||||||
At the moment, the X server uses a non-default timeout for D-Bus
|
|
||||||
messages to systemd-logind. The only timeouts normally used with
|
|
||||||
D-Bus are:
|
|
||||||
|
|
||||||
1) Infinite
|
|
||||||
2) Default
|
|
||||||
|
|
||||||
Anything else is just as arbitrary as Default, and so rarely makes
|
|
||||||
sense to use instead of Default.
|
|
||||||
|
|
||||||
Put another way, there's little reason to be fault tolerant against
|
|
||||||
a local root running daemon (logind), that in some configurations, the
|
|
||||||
X server already depends on for proper functionality.
|
|
||||||
|
|
||||||
This commit changes systemd-logind to just use the default timeouts.
|
|
||||||
|
|
||||||
Downstream-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1209347
|
|
||||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
|
||||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
|
||||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
||||||
|
|
||||||
diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
|
|
||||||
index 57c87c0..4ad41a3 100644
|
|
||||||
--- a/hw/xfree86/os-support/linux/systemd-logind.c
|
|
||||||
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
|
|
||||||
@@ -40,8 +40,6 @@
|
|
||||||
|
|
||||||
#include "systemd-logind.h"
|
|
||||||
|
|
||||||
-#define DBUS_TIMEOUT 500 /* Wait max 0.5 seconds */
|
|
||||||
-
|
|
||||||
struct systemd_logind_info {
|
|
||||||
DBusConnection *conn;
|
|
||||||
char *session;
|
|
||||||
@@ -130,7 +128,7 @@ systemd_logind_take_fd(int _major, int _minor, const char *path,
|
|
||||||
}
|
|
||||||
|
|
||||||
reply = dbus_connection_send_with_reply_and_block(info->conn, msg,
|
|
||||||
- DBUS_TIMEOUT, &error);
|
|
||||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
|
||||||
if (!reply) {
|
|
||||||
LogMessage(X_ERROR, "systemd-logind: failed to take device %s: %s\n",
|
|
||||||
path, error.message);
|
|
||||||
@@ -207,7 +205,7 @@ systemd_logind_release_fd(int _major, int _minor, int fd)
|
|
||||||
}
|
|
||||||
|
|
||||||
reply = dbus_connection_send_with_reply_and_block(info->conn, msg,
|
|
||||||
- DBUS_TIMEOUT, &error);
|
|
||||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
|
||||||
if (!reply)
|
|
||||||
LogMessage(X_ERROR, "systemd-logind: failed to release device: %s\n",
|
|
||||||
error.message);
|
|
||||||
@@ -289,7 +287,7 @@ systemd_logind_ack_pause(struct systemd_logind_info *info,
|
|
||||||
}
|
|
||||||
|
|
||||||
reply = dbus_connection_send_with_reply_and_block(info->conn, msg,
|
|
||||||
- DBUS_TIMEOUT, &error);
|
|
||||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
|
||||||
if (!reply)
|
|
||||||
LogMessage(X_ERROR, "systemd-logind: failed to ack pause: %s\n",
|
|
||||||
error.message);
|
|
||||||
@@ -457,7 +455,7 @@ connect_hook(DBusConnection *connection, void *data)
|
|
||||||
}
|
|
||||||
|
|
||||||
reply = dbus_connection_send_with_reply_and_block(connection, msg,
|
|
||||||
- DBUS_TIMEOUT, &error);
|
|
||||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
|
||||||
if (!reply) {
|
|
||||||
LogMessage(X_ERROR, "systemd-logind: failed to get session: %s\n",
|
|
||||||
error.message);
|
|
||||||
@@ -492,7 +490,7 @@ connect_hook(DBusConnection *connection, void *data)
|
|
||||||
}
|
|
||||||
|
|
||||||
reply = dbus_connection_send_with_reply_and_block(connection, msg,
|
|
||||||
- DBUS_TIMEOUT, &error);
|
|
||||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
|
||||||
if (!reply) {
|
|
||||||
LogMessage(X_ERROR, "systemd-logind: TakeControl failed: %s\n",
|
|
||||||
error.message);
|
|
||||||
@@ -564,7 +562,7 @@ systemd_logind_release_control(struct systemd_logind_info *info)
|
|
||||||
}
|
|
||||||
|
|
||||||
reply = dbus_connection_send_with_reply_and_block(info->conn, msg,
|
|
||||||
- DBUS_TIMEOUT, &error);
|
|
||||||
+ DBUS_TIMEOUT_USE_DEFAULT, &error);
|
|
||||||
if (!reply) {
|
|
||||||
LogMessage(X_ERROR, "systemd-logind: ReleaseControl failed: %s\n",
|
|
||||||
error.message);
|
|
||||||
--
|
|
||||||
cgit v0.10.2
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 792e9251670ce94210df5c6d354059bbb97f4478 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ray Strode <rstrode@redhat.com>
|
|
||||||
Date: Thu, 16 Apr 2015 11:28:15 -0400
|
|
||||||
Subject: systemd-logind: filter out non-signal messages from message filter
|
|
||||||
|
|
||||||
It's possible to receive a message reply in the message filter if a
|
|
||||||
previous message call timed out locally before the reply arrived.
|
|
||||||
|
|
||||||
The message_filter function only handles signals, at the moment, and
|
|
||||||
does not properly handle message replies.
|
|
||||||
|
|
||||||
This commit changes the message_filter function to filter out all
|
|
||||||
non-signal messages, including spurious message replies.
|
|
||||||
|
|
||||||
Downstream-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1209347
|
|
||||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
|
||||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
|
||||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
||||||
|
|
||||||
diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
|
|
||||||
index 49758f4..57c87c0 100644
|
|
||||||
--- a/hw/xfree86/os-support/linux/systemd-logind.c
|
|
||||||
+++ b/hw/xfree86/os-support/linux/systemd-logind.c
|
|
||||||
@@ -313,6 +313,9 @@ message_filter(DBusConnection * connection, DBusMessage * message, void *data)
|
|
||||||
dbus_int32_t major, minor;
|
|
||||||
char *pause_str;
|
|
||||||
|
|
||||||
+ if (dbus_message_get_type (message) != DBUS_MESSAGE_TYPE_SIGNAL)
|
|
||||||
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
|
|
||||||
+
|
|
||||||
dbus_error_init(&error);
|
|
||||||
|
|
||||||
if (dbus_message_is_signal(message,
|
|
||||||
--
|
|
||||||
cgit v0.10.2
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
Subject: xwayland: default to local user if no xauth file given.
|
|
||||||
Author: Ray Strode <rstrode@redhat.com>
|
|
||||||
Path-mainline: Upstream
|
|
||||||
Git-commit: 76636ac12f2d1dbdf7be08222f80e7505d53c451
|
|
||||||
References: bnc#934102 CVE-2015-3164
|
|
||||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
|
||||||
|
|
||||||
Right now if "-auth" isn't passed on the command line, we let
|
|
||||||
any user on the system connect to the Xwayland server.
|
|
||||||
|
|
||||||
That's clearly suboptimal, given Xwayland is generally designed
|
|
||||||
to be used by one user at a time.
|
|
||||||
|
|
||||||
This commit changes the behavior, so only the user who started the
|
|
||||||
X server can connect clients to it.
|
|
||||||
|
|
||||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
|
||||||
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
|
||||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
||||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
||||||
|
|
||||||
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
|
|
||||||
index c5bee77..bc92beb 100644
|
|
||||||
--- a/hw/xwayland/xwayland.c
|
|
||||||
+++ b/hw/xwayland/xwayland.c
|
|
||||||
@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
|
|
||||||
if (AddScreen(xwl_screen_init, argc, argv) == -1) {
|
|
||||||
FatalError("Couldn't add screen\n");
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ LocalAccessScopeUser();
|
|
||||||
}
|
|
@ -1,32 +0,0 @@
|
|||||||
Subject: xwayland: Enable access control on open sockets
|
|
||||||
Author: Ray Strode <rstrode@redhat.com>
|
|
||||||
Path-mainline: Upstream
|
|
||||||
Git-commit: c4534a38b68aa07fb82318040dc8154fb48a9588
|
|
||||||
References: bnc#934102 CVE-2015-3164
|
|
||||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
|
||||||
|
|
||||||
Xwayland currently allows wide-open access to the X sockets
|
|
||||||
it listens on, ignoring Xauth access control.
|
|
||||||
|
|
||||||
This commit makes sure to enable access control on the sockets,
|
|
||||||
so one user can't snoop on another user's X-over-wayland
|
|
||||||
applications.
|
|
||||||
|
|
||||||
Signed-off-by: Ray Strode <rstrode@redhat.com>
|
|
||||||
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
|
||||||
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
||||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
||||||
|
|
||||||
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
|
|
||||||
index 7e8d667..c5bee77 100644
|
|
||||||
--- a/hw/xwayland/xwayland.c
|
|
||||||
+++ b/hw/xwayland/xwayland.c
|
|
||||||
@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
|
|
||||||
int i;
|
|
||||||
|
|
||||||
for (i = 0; i < xwl_screen->listen_fd_count; i++)
|
|
||||||
- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
|
|
||||||
+ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
@ -14,8 +14,8 @@ index 58d420e..95b34a2 100644
|
|||||||
--- a/hw/xfree86/drivers/modesetting/dumb_bo.c
|
--- a/hw/xfree86/drivers/modesetting/dumb_bo.c
|
||||||
+++ b/hw/xfree86/drivers/modesetting/dumb_bo.c
|
+++ b/hw/xfree86/drivers/modesetting/dumb_bo.c
|
||||||
@@ -25,6 +25,12 @@
|
@@ -25,6 +25,12 @@
|
||||||
*
|
#include "dix-config.h"
|
||||||
*/
|
#endif
|
||||||
|
|
||||||
+/*
|
+/*
|
||||||
+ * ad hoc fix for mmap's truncated offset parameter on 32bit
|
+ * ad hoc fix for mmap's truncated offset parameter on 32bit
|
||||||
|
@ -1,33 +0,0 @@
|
|||||||
From: Egbert Eich <eich@suse.de>
|
|
||||||
Date: Fri May 23 20:08:29 2014 +0200
|
|
||||||
Subject: [PATCH]connection: avoid crash when CloseWellKnownConnections() gets called twice
|
|
||||||
Patch-mainline: to be upstreamed
|
|
||||||
Git-commit: 74472c4e8e4c873014554f321ec2086066126297
|
|
||||||
Git-repo:
|
|
||||||
References: bnc#879666, bnc#879489
|
|
||||||
Signed-off-by: Egbert Eich <eich@suse.com>
|
|
||||||
|
|
||||||
CloseWellKnownConnections() closes all connections and deallocates
|
|
||||||
their data. Thus all entries in ListenTransConns are invalid.
|
|
||||||
To avoid access to those entries set ListenTransCount to 0.
|
|
||||||
This avoids crashes when CloseWellKnownConnections() is called twice
|
|
||||||
for instance when FatalError() is called on Xserver shutdown.
|
|
||||||
|
|
||||||
Signed-off-by: Egbert Eich <eich@suse.de>
|
|
||||||
---
|
|
||||||
os/connection.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/os/connection.c b/os/connection.c
|
|
||||||
index 162e1d9..3c0b62a 100644
|
|
||||||
--- a/os/connection.c
|
|
||||||
+++ b/os/connection.c
|
|
||||||
@@ -513,6 +513,8 @@ CloseWellKnownConnections(void)
|
|
||||||
|
|
||||||
for (i = 0; i < ListenTransCount; i++)
|
|
||||||
_XSERVTransClose(ListenTransConns[i]);
|
|
||||||
+
|
|
||||||
+ ListenTransCount = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
@ -1,47 +0,0 @@
|
|||||||
From: Egbert Eich <eich@suse.de>
|
|
||||||
Date: Fri Feb 6 14:56:57 2015 +0100
|
|
||||||
Subject: [PATCH]symbols: Fix sdksyms.sh to cope with gcc5
|
|
||||||
Patch-mainline: to be upstreamed
|
|
||||||
|
|
||||||
References: bnc#916580
|
|
||||||
Signed-off-by: Egbert Eich <eich@suse.com>
|
|
||||||
|
|
||||||
Gcc5 adds additional lines stating line numbers before and
|
|
||||||
after __attribute__() which need to be skipped.
|
|
||||||
|
|
||||||
Signed-off-by: Egbert Eich <eich@suse.de>
|
|
||||||
---
|
|
||||||
hw/xfree86/sdksyms.sh | 14 +++++++++++++-
|
|
||||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/xfree86/sdksyms.sh b/hw/xfree86/sdksyms.sh
|
|
||||||
index d9a4478..2936669 100755
|
|
||||||
--- a/hw/xfree86/sdksyms.sh
|
|
||||||
+++ b/hw/xfree86/sdksyms.sh
|
|
||||||
@@ -353,13 +353,25 @@ BEGIN {
|
|
||||||
if (sdk) {
|
|
||||||
n = 3;
|
|
||||||
|
|
||||||
+ # skip line numbers GCC 5 adds before __attribute__
|
|
||||||
+ while ($n == "" || $0 ~ /^# [0-9]+ "/) {
|
|
||||||
+ getline;
|
|
||||||
+ n = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
# skip attribute, if any
|
|
||||||
while ($n ~ /^(__attribute__|__global)/ ||
|
|
||||||
# skip modifiers, if any
|
|
||||||
$n ~ /^\*?(unsigned|const|volatile|struct|_X_EXPORT)$/ ||
|
|
||||||
# skip pointer
|
|
||||||
- $n ~ /^[a-zA-Z0-9_]*\*$/)
|
|
||||||
+ $n ~ /^[a-zA-Z0-9_]*\*$/) {
|
|
||||||
n++;
|
|
||||||
+ # skip line numbers GCC 5 adds after __attribute__
|
|
||||||
+ while ($n == "" || $0 ~ /^# [0-9]+ "/) {
|
|
||||||
+ getline;
|
|
||||||
+ n = 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
# type specifier may not be set, as in
|
|
||||||
# extern _X_EXPORT unsigned name(...)
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:2bf8e9f6f0a710dec1d2472467bff1f4e247cb6dcd76eb469aafdc8a2d7db2ab
|
|
||||||
size 5852385
|
|
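--- a/xorg-server-1.17.2.tar.bz2
+++ b/xorg-server-1.17.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f61120612728f2c5034671d0ca3e2273438c60aba93b3dda4a8aa40e6a257993
+size 5767983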
@ -1,3 +1,26 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jun 16 21:07:03 UTC 2015 - tobias.johannes.klausmann@mni.thm.de
|
||||||
|
|
||||||
|
- Update to version 1.17.2:
|
||||||
|
Pick up a pile of fixes from master. Notable highlights:
|
||||||
|
+ Fix for CVE-2015-3164 in Xwayland
|
||||||
|
+ Fix int10 setup for vesa
|
||||||
|
+ Fix regression in server-interpreted auth
|
||||||
|
+ Fix fb setup on big-endian CPUs
|
||||||
|
+ Build fix for for gcc5
|
||||||
|
- Dropped patches:
|
||||||
|
+ Patch110: u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch
|
||||||
|
+ Patch113: u_symbols-Fix-sdksyms.sh-to-cope-with-gcc5.patch
|
||||||
|
+ Patch116: U_os-XDMCP-options-like-query-etc-should-imply-listen.patch
|
||||||
|
+ Patch118: U_int10-Fix-error-check-for-pci_device_map_legacy.patch
|
||||||
|
+ Patch119: U_xwayland-enable-access-control-on-open-socket.patch
|
||||||
|
+ Patch120: U_os-support-new-implicit-local-user-access-mode.patch
|
||||||
|
+ Patch121: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
|
||||||
|
+ Patch2000: U_systemd-logind-filter-out-non-signal-messages-from.patch
|
||||||
|
+ Patch2001: U_systemd-logind-dont-second-guess-D-Bus-default-tim.patch
|
||||||
|
- Changed patches to work with the new version:
|
||||||
|
+ Patch114: u_ad-hoc-fix-for-mmap-s-truncated-offset-parameter-on-.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Jun 12 11:58:43 UTC 2015 - msrb@suse.com
|
Fri Jun 12 11:58:43 UTC 2015 - msrb@suse.com
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
Name: xorg-x11-server
|
Name: xorg-x11-server
|
||||||
|
|
||||||
%define dirsuffix 1.17.1
|
%define dirsuffix 1.17.2
|
||||||
|
|
||||||
Summary: X
|
Summary: X
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -159,21 +159,13 @@ Patch104: u_xorg-server-xdmcp.patch
|
|||||||
Patch105: ux_xserver_xvfb-randr.patch
|
Patch105: ux_xserver_xvfb-randr.patch
|
||||||
# PATCH-FIX-UPSTREAM u_exa-only-draw-valid-trapezoids.patch bnc#853846 msrb@suse.com -- Fixes possible crash of server using invalid trapezoids. 2013-12-12 patch is waiting in mailing list to be upstreamed.
|
# PATCH-FIX-UPSTREAM u_exa-only-draw-valid-trapezoids.patch bnc#853846 msrb@suse.com -- Fixes possible crash of server using invalid trapezoids. 2013-12-12 patch is waiting in mailing list to be upstreamed.
|
||||||
Patch106: u_exa-only-draw-valid-trapezoids.patch
|
Patch106: u_exa-only-draw-valid-trapezoids.patch
|
||||||
Patch110: u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch
|
|
||||||
Patch111: u_CloseConsole-Don-t-report-FatalError-when-shutting-down.patch
|
Patch111: u_CloseConsole-Don-t-report-FatalError-when-shutting-down.patch
|
||||||
Patch112: u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch
|
Patch112: u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch
|
||||||
Patch113: u_symbols-Fix-sdksyms.sh-to-cope-with-gcc5.patch
|
|
||||||
Patch114: u_ad-hoc-fix-for-mmap-s-truncated-offset-parameter-on-.patch
|
Patch114: u_ad-hoc-fix-for-mmap-s-truncated-offset-parameter-on-.patch
|
||||||
Patch115: N_Force-swcursor-for-KMS-drivers-without-hw-cursor-sup.patch
|
Patch115: N_Force-swcursor-for-KMS-drivers-without-hw-cursor-sup.patch
|
||||||
Patch116: U_os-XDMCP-options-like-query-etc-should-imply-listen.patch
|
|
||||||
Patch117: xorg-x11-server-byte-order.patch
|
Patch117: xorg-x11-server-byte-order.patch
|
||||||
Patch118: U_int10-Fix-error-check-for-pci_device_map_legacy.patch
|
|
||||||
# PATCH-FIX-UPSTREAM U_xwayland-enable-access-control-on-open-socket.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
|
|
||||||
Patch119: U_xwayland-enable-access-control-on-open-socket.patch
|
|
||||||
# PATCH-FIX-UPSTREAM U_os-support-new-implicit-local-user-access-mode.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
|
|
||||||
Patch120: U_os-support-new-implicit-local-user-access-mode.patch
|
|
||||||
# PATCH-FIX-UPSTREAM U_xwayland-default-to-local-user-if-no-xauth-file-given.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
|
|
||||||
Patch121: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
|
|
||||||
|
|
||||||
Patch1000: n_xserver-optimus-autoconfig-hack.patch
|
Patch1000: n_xserver-optimus-autoconfig-hack.patch
|
||||||
|
|
||||||
@ -181,10 +173,6 @@ Patch1162: b_cache-xkbcomp-output-for-fast-start-up.patch
|
|||||||
Patch1211: b_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch
|
Patch1211: b_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch
|
||||||
Patch1222: b_sync-fix.patch
|
Patch1222: b_sync-fix.patch
|
||||||
|
|
||||||
# PATCH-FIX-UPSTREAM U_systemd-logind-* rh#1209347 antoine.belvire@laposte.net -- Fix Gnome X session for some hybrid graphics
|
|
||||||
Patch2000: U_systemd-logind-filter-out-non-signal-messages-from.patch
|
|
||||||
Patch2001: U_systemd-logind-dont-second-guess-D-Bus-default-tim.patch
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package contains the X.Org Server.
|
This package contains the X.Org Server.
|
||||||
|
|
||||||
@ -262,24 +250,17 @@ cp %{SOURCE90} .
|
|||||||
%patch104 -p1
|
%patch104 -p1
|
||||||
%patch105 -p1
|
%patch105 -p1
|
||||||
%patch106 -p1
|
%patch106 -p1
|
||||||
%patch110 -p1
|
|
||||||
%patch111 -p1
|
%patch111 -p1
|
||||||
%patch112 -p1
|
%patch112 -p1
|
||||||
%patch113 -p1
|
|
||||||
%patch114 -p1
|
%patch114 -p1
|
||||||
%patch115 -p1
|
%patch115 -p1
|
||||||
%patch116 -p1
|
|
||||||
%patch117 -p1
|
%patch117 -p1
|
||||||
%patch118 -p1
|
|
||||||
%patch119 -p1
|
|
||||||
%patch120 -p1
|
|
||||||
%patch121 -p1
|
|
||||||
|
|
||||||
%patch1000 -p1
|
%patch1000 -p1
|
||||||
|
|
||||||
%patch2000 -p1
|
|
||||||
%patch2001 -p1
|
|
||||||
|
|
||||||
### disabled for now
|
### disabled for now
|
||||||
#%patch1162 -p1
|
#%patch1162 -p1
|
||||||
### disabled for now
|
### disabled for now
|
||||||
|
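Review bot: Dropping Patch110 (and its `%patch110 -p1` line) is not backed by anything visible on this page: the deleted patch file is marked `Patch-mainline: to be upstreamed`, and the 1.17.2 highlights in the changelog do not mention the CloseWellKnownConnections() double-call crash. Before the patch goes, it is worth confirming that the new tarball's os/connection.c carries the `ListenTransCount = 0;` reset, otherwise the crash tracked as bnc#879666 and bnc#879489 could come back. Patch113 has the same "to be upstreamed" marking, though there the "Build fix for gcc5" highlight presumably covers it. For Patch119 to Patch121 the security fix now lives only in the upstream tarball, so I would leave a trace in the spec where those lines were, for example `# CVE-2015-3164 (bnc#934102): fixed upstream in 1.17.2, Patch119-121 dropped`, so a later audit does not have to dig through the changelog.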