Accepting request 113581 from home:dimstar:branches:X11:XOrg

Update to 1.0.9 OBS-URL: https://build.opensuse.org/request/show/113581 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xrdb?expand=0&rev=2
2012-04-15 10:50:29 +00:00 · 2012-04-15 10:50:29 +00:00 · a3a05dc7bc
commit a3a05dc7bc
parent 224c23005e
6 changed files with 20 additions and 298 deletions
--- a/xrdb-1.0.7.tar.bz2
+++ b/xrdb-1.0.7.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:0c70a433f78c1dd3bf02e44e03a7534f3fe3ff45643ecbd7844d0ca3c74157b1
 size 118037
--- a/xrdb-1.0.9.tar.bz2
+++ b/xrdb-1.0.9.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:642401e12996efe3e5e5307a245e24c282b94a44c1f147e177c8484b862aeab7
 size 118971
--- a/xrdb-Create-shell-escape-safe-cpp-options-in-the-non-path-bnc674733.patch
+++ b/xrdb-Create-shell-escape-safe-cpp-options-in-the-non-path-bnc674733.patch
@ -1,182 +0,0 @@
 From 3d0c8e2cacf69723e7e8faf7ce441b9802e2d9a0 Mon Sep 17 00:00:00 2001
 From: Matthias Hopf <mhopf@suse.de>
 Date: Tue, 1 Mar 2011 19:37:34 +0100
 Subject: [PATCH] Create shell-escape-safe cpp options in the non-pathetic-cpp case.
 Fixes CVE-2011-0465.
 Signed-off-by: Matthias Hopf <mhopf@suse.de>
 Reviewed-by: Adam Jackson <ajax@redhat.com>
 ---
 xrdb.c |   79 +++++++++++++++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 63 insertions(+), 16 deletions(-)
 diff --git a/xrdb.c b/xrdb.c
 index c3ef0fd..ea698b9 100644
 --- a/xrdb.c
 +++ b/xrdb.c
@@ -142,6 +142,8 @@ static Entries newDB;
 static void fatal(char *, ...);
 static void addstring ( String *arg, const char *s );
 +static void addescapedstring ( String *arg, const char *s );
 +static void addtokstring ( String *arg, const char *s );
 static void FormatEntries ( Buffer *buffer, Entries *entries );
 static void StoreProperty ( Display *dpy, Window root, Atom res_prop );
 static void Process ( int scrno, Bool doScreen, Bool execute );
@@ -433,14 +435,20 @@ AddDef(String *buff, char *title, char *value)
 	    addstring(buff, " -D");
     } else
 	addstring(buff, "-D");
 -    addstring(buff, title);
 +    addtokstring(buff, title);
     if (value && (value[0] != '\0')) {
 	addstring(buff, "=");
 -	addstring(buff, value);
 +	addescapedstring(buff, value);
     }
 }
 static void
 +AddSimpleDef(String *buff, char *title)
 +{
 +    AddDef(buff, title, (char *)NULL);
 +}
 +
 +static void
 AddDefQ(String *buff, char *title, char *value)
 {
 #ifdef PATHETICCPP
@@ -449,8 +457,9 @@ AddDefQ(String *buff, char *title, char *value)
     else
 #endif
     if (value && (value[0] != '\0')) {
 -	AddDef(buff, title, "\"");
 -	addstring(buff, value);
 +	AddSimpleDef(buff, title);
 +	addstring(buff, "=\"");
 +	addescapedstring(buff, value);
 	addstring(buff, "\"");
     } else
 	AddDef(buff, title, NULL);
@@ -465,24 +474,28 @@ AddNum(String *buff, char *title, int value)
 }
 static void
 -AddSimpleDef(String *buff, char *title)
 +AddDefTok(String *buff, char *prefix, char *title)
 {
 -    AddDef(buff, title, (char *)NULL);
 +    char name[512];
 +
 +    snprintf(name, sizeof(name), "%s%s", prefix, title);
 +    AddSimpleDef(buff, name);
 }
 static void
 -AddDefTok(String *buff, char *prefix, char *title)
 +AddDefHostname(String *buff, char *title, char *value)
 {
     char *s;
     char name[512];
     char c;
 -    snprintf(name, sizeof(name), "%s%s", prefix, title);
 +    strncpy (name, value, sizeof(name)-1);
 +    name[sizeof(name)-1] = '\0';
     for (s = name; (c = *s); s++) {
 -	if (!isalpha(c) && !isdigit(c) && c != '_')
 +	if (!isalpha(c) && !isdigit(c) && c != '_' && c != '.' && c != ':' && c != '-')
 	    *s = '_';
     }
 -    AddSimpleDef(buff, name);
 +    AddDef(buff, title, name);
 }
 static void
@@ -502,7 +515,7 @@ AddUndef(String *buff, char *title)
 	    addstring(buff, " -U");
     } else
 	addstring(buff, "-U");
 -    addstring(buff, title);
 +    addtokstring(buff, title);
 }
 static void 
@@ -565,11 +578,11 @@ DoDisplayDefines(Display *display, String *defs, char *host)
     }
     if (!*server || !strcmp(server, "unix") || !strcmp(server, "localhost"))
 	strcpy(server, client);
 -    AddDef(defs, "HOST", server); /* R3 compatibility */
 -    AddDef(defs, "SERVERHOST", server);
 +    AddDefHostname(defs, "HOST", server); /* R3 compatibility */
 +    AddDefHostname(defs, "SERVERHOST", server);
     AddDefTok(defs, "SRVR_", server);
     AddNum(defs, "DISPLAY_NUM", n);
 -    AddDef(defs, "CLIENTHOST", client);
 +    AddDefHostname(defs, "CLIENTHOST", client);
     AddDefTok(defs, "CLNT_", client);
     AddNum(defs, "VERSION", ProtocolVersion(display));
     AddNum(defs, "REVISION", ProtocolRevision(display));
@@ -612,7 +625,7 @@ DoScreenDefines(Display *display, int scrno, String *defs)
     AddNum(defs, "Y_RESOLUTION", Resolution(screen->height,screen->mheight));
     AddNum(defs, "PLANES", DisplayPlanes(display, scrno));
     AddNum(defs, "BITS_PER_RGB", visual->bits_per_rgb);
 -    AddDef(defs, "CLASS", ClassNames[visual->class]);
 +    AddDefQ(defs, "CLASS", ClassNames[visual->class]);
     snprintf(name, sizeof(name), "CLASS_%s", ClassNames[visual->class]);
     AddNum(defs, name, (int)visual->visualid);
     switch(visual->class) {
@@ -780,6 +793,40 @@ addstring(String *arg, const char *s)
     arg->used += strlen(s);
 }   
 +static void
 +addescapedstring(String *arg, const char *s)
 +{
 +    char copy[512], *c;
 +
 +    for (c = copy; *s && c < &copy[sizeof(copy)-1]; s++) {
 +	switch (*s) {
 +	case '"':       case '\'':      case '`':
 +	case '$':       case '\\':
 +	    *c++ = '_';
 +	    break;
 +	default:
 +	    *c++ = *s;
 +	}
 +    }
 +    *c = 0;
 +    addstring (arg, copy);
 +}
 +
 +static void
 +addtokstring(String *arg, const char *s)
 +{
 +    char copy[512], *c;
 +
 +    for (c = copy; *s && c < &copy[sizeof(copy)-1]; s++) {
 +	if (!isalpha(*s) && !isdigit(*s) && *s != '_')
 +	    *c++ = '_';
 +	else
 +	    *c++ = *s;
 +    }
 +    *c = 0;
 +    addstring (arg, copy);
 +}
 +
 int
 main(int argc, char *argv[])
@@ -892,7 +939,7 @@ main(int argc, char *argv[])
 		continue;
 	    } else if (arg[1] == 'I') {
 		addstring(&includes, " ");
 -		addstring(&includes, arg);
 +		addescapedstring(&includes, arg);
 		continue;
 	    } else if (arg[1] == 'U' || arg[1] == 'D') {
 		if (num_cmd_defines < MAX_CMD_DEFINES) {
 -- 
 1.7.1
--- a/xrdb-traditional-cpp.diff
+++ b/xrdb-traditional-cpp.diff
@ -1,106 +0,0 @@
 --- xrdb.c.orig	2010-06-25 12:46:40.000000000 +0200
 +++ xrdb.c	2010-06-25 14:13:12.000000000 +0200
@@ -142,6 +142,7 @@
 static Display *dpy;
 static Buffer buffer;
 static Entries newDB;
 +static int cpp_option_in_use=0;
 static void fatal(char *, ...);
 static void addstring ( String *arg, const char *s );
@@ -807,6 +808,7 @@
 	    } else if (isabbreviation ("-cpp", arg, 2)) {
 		if (++i >= argc) Syntax ();
 		cpp_program = argv[i];
 +		cpp_option_in_use=1;
 		continue;
 	    } else if (!strcmp ("-n", arg)) {
 		dont_execute = True;
@@ -1166,12 +1168,17 @@
 	    fclose(input);
 	    (void) mktemp(tmpname3);
 	    if((cmd = (char *)
 -		malloc(strlen(cpp_program) + strlen(includes.val) +
 +		malloc(strlen(cpp_program) + strlen(includes.val) + strlen(" -traditional-cpp ") +
 		       1 + strlen(tmpname2) + 3 + strlen(tmpname3) + 1)) ==
 	       NULL)
 		fatal("%s: Out of memory\n", ProgramName);
 -	    sprintf(cmd, "%s%s %s > %s", cpp_program, includes.val,
 +	    if (cpp_option_in_use)) {
 +	        sprintf(cmd, "%s%s %s > %s", cpp_program, includes.val,
 		    tmpname2, tmpname3);
 +	    } else {
 +	        sprintf(cmd, "%s -traditional-cpp %s %s > %s", cpp_program, includes.val,
 +		    tmpname2, tmpname3);
 +	    }
 	    if (system(cmd) < 0)
 		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
 	    free(cmd);
@@ -1185,10 +1192,14 @@
 	    fflush(stdin);
 	    fseek(stdin, 0, 0);
 	    if((cmd = (char *)
 -		malloc(strlen(cpp_program) + strlen(includes.val) + 1)) ==
 +		malloc(strlen(cpp_program) + strlen(" -traditional-cpp ") + strlen(includes.val) + 1)) ==
 	       NULL)
 		fatal("%s: Out of memory\n", ProgramName);
 -	    sprintf(cmd, "%s%s", cpp_program, includes.val);
 +	    if (cpp_option_in_use) {
 +	       sprintf(cmd, "%s%s", cpp_program, includes.val);
 +	    } else {
 +	       sprintf(cmd, "%s -traditional-cpp %s", cpp_program, includes.val);
 +	    }
 	    if (!(input = popen(cmd, "r")))
 		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
 	    free(cmd);
@@ -1203,15 +1214,21 @@
 #ifdef WIN32
 	    (void) mktemp(tmpname3);
 	    if((cmd = (char *)
 -		malloc(strlen(cpp_program) + strlen(includes.val) +
 +		malloc(strlen(cpp_program) + strlen(" -traditional-cpp ") + strlen(includes.val) +
 		       1 + strlen(defines.val) + 1 +
 		       strlen(filename ? filename : "") + 3 +
 		       strlen(tmpname3) + 1)) ==
 	       NULL)
 		fatal("%s: Out of memory\n", ProgramName);
 -	    sprintf(cmd, "%s%s %s %s > %s", cpp_program,
 -		    includes.val, defines.val,
 -		    filename ? filename : "", tmpname3);
 +	    if (cpp_option_in_use) {
 +	       sprintf(cmd, "%s%s %s %s > %s", cpp_program,
 +		       includes.val, defines.val,
 +		       filename ? filename : "", tmpname3);
 +	    } else {
 +	       sprintf(cmd, "%s -traditional-cpp %s %s %s > %s", cpp_program,
 +		       includes.val, defines.val,
 +		       filename ? filename : "", tmpname3);
 +	    }
 	    if (system(cmd) < 0)
 		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
 	    free(cmd);
@@ -1219,14 +1236,20 @@
 		fatal("%s: can't open file '%s'\n", ProgramName, tmpname3);
 #else
 	    if((cmd = (char *)
 -		malloc(strlen(cpp_program) + strlen(includes.val) + 1 +
 +		malloc(strlen(cpp_program) + strlen(" -traditional-cpp ") + strlen(includes.val) + 1 +
 		       strlen(defines.val) + 1 +
 		       strlen(filename ? filename : "") + 1)) ==
 	       NULL)
 		fatal("%s: Out of memory\n", ProgramName);
 -	    sprintf(cmd, "%s%s %s %s", cpp_program,
 -		    includes.val, defines.val,
 -		    filename ? filename : "");
 +	    if (cpp_option_in_use) {
 +	       sprintf(cmd, "%s%s %s %s", cpp_program,
 +		       includes.val, defines.val,
 +		       filename ? filename : "");
 +	    } else {
 +	       sprintf(cmd, "%s -traditional-cpp %s %s %s", cpp_program,
 +		       includes.val, defines.val,
 +		       filename ? filename : "");
 +	    }
 	    if (!(input = popen(cmd, "r")))
 		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
 	    free(cmd);
--- a/xrdb.changes
+++ b/xrdb.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Sat Apr 14 15:55:03 UTC 2012 - dimstar@opensuse.org
 - Update to version 1.0.9:
  + Create shell-escape-safe cpp options in the non-pathetic-cpp
    case (CVE-2011-0465).
 - Changes from version 1.0.8:
  + Merge usage() printf() strings/calls into a single string/call.
  + Replace complex malloc calculations with asprintf().
  + Man page fixes.
  + Build system fixes.
 - Drop xrdb-Create-shell-escape-safe-cpp-options-in-the-non-path-bnc674733.patch:
  fixed upstream.
 - Drop xrdb-traditional-cpp.diff: obsoleted.
 -------------------------------------------------------------------
 Fri Apr 13 08:46:08 UTC 2012 - vuntz@opensuse.org
--- a/xrdb.spec
+++ b/xrdb.spec
@ -16,16 +16,13 @@
 #
 Name:           xrdb
-Version:        1.0.7
+Version:        1.0.9
-Release:        0
+Release:        1
 License:        MIT
 Summary:        X server resource database utility
 Url:            http://xorg.freedesktop.org/
 Group:          System/X11/Utilities
 Source0:        http://xorg.freedesktop.org/releases/individual/app/%{name}-%{version}.tar.bz2
 Patch0:         xrdb-traditional-cpp.diff
 # PATCH-FIX-UPSTREAM xrdb-Create-shell-escape-safe-cpp-options-in-the-non-path-bnc674733.patch -- Create shell-escape-safe cpp options in the non-pathetic-cpp case, already upstream
 Patch1:         xrdb-Create-shell-escape-safe-cpp-options-in-the-non-path-bnc674733.patch
 BuildRequires:  pkg-config
 BuildRequires:  pkgconfig(x11)
 BuildRequires:  pkgconfig(xmuu)
@ -42,8 +39,6 @@ root window of any or all screens, or everything combined.
 %prep
 %setup -q
 %patch0 -p0
 %patch1 -p1
 %build
 %configure --with-cpp=%{_bindir}/cpp