From eac8ab91baaccb6085cbb231adffbeed496513ad78251217dc0a0bcb784927b2 Mon Sep 17 00:00:00 2001 
From: Stefan Dirsch
Date: Thu, 23 Aug 2018 09:57:49 +0000
Subject: [PATCH] Accepting request 630965 from home:tobijk:X11:XOrg
- Update to version 1.6.6:
+ Make Xkb{Get,Set}NamedIndicator spec & manpages match code
+ Clarify state parameter to XkbSetNamedDeviceIndicator
+ Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
+ If XGetImage fails to create image, don't dereference it to bounds check
+ Use size_t for buffer sizes in SetHints.c
+ Change fall through comment in lcDB.c to match gcc's requirements
+ _XDefaultError: set XlibDisplayIOError flag before calling exit
+ Fix possible memory leak in cmsProp.c:140
+ Don't rebuild ks_tables.h if nothing changed.
+ Remove statement with no effect.
+ Use flexible array member instead of fake size.
+ Valgrind fix for XStoreColor and XStoreColors.
+ XkbOpenDisplay.3: fix typo
+ Validation of server response in XListHosts.
+ Fixed off-by-one writes (CVE-2018-14599).
+ Fixed out of boundary write (CVE-2018-14600).
+ Fixed crash on invalid reply (CVE-2018-14598).
+ fix shadow warning
+ _XIOError(dpy); will never return so remore dead
+ remove argument check for free() adjust one inden
+ fix shadow char_size
+ fix more shadow warning
+ no need to check argument for _XkbFree()
+ remove stray extern
+ no need to check args for Xfree()
+ fix memleak in error path
+ fix memleak in error path
+ no need to check XFree arguments
+ mark _XDefaultIOError as no_return
OBS-URL: https://build.opensuse.org/request/show/630965
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=46
---
libX11-1.6.5.tar.bz2 | 3 -
libX11-1.6.6.tar.bz2 | 3 +
libX11.changes | 43 ++++++++++++
libX11.spec | 14 +---
...le-array-member-instead-of-fake-size.patch | 63 -----------------
...-on-invalid-reply-in-XListExtensions.patch | 46 -------------
u_off-by-one-write-in-XListExtensions.patch | 67 -------------------
...of-boundary-write-in-XListExtensions.patch | 41 ------------
8 files changed, 47 insertions(+), 233 deletions(-)
delete mode 100644 libX11-1.6.5.tar.bz2
create mode 100644 libX11-1.6.6.tar.bz2
delete mode 100644 u_Use-flexible-array-member-instead-of-fake-size.patch
delete mode 100644 u_crash-on-invalid-reply-in-XListExtensions.patch
delete mode 100644 u_off-by-one-write-in-XListExtensions.patch
delete mode 100644 u_out-of-boundary-write-in-XListExtensions.patch
diff --git a/libX11-1.6.5.tar.bz2 b/libX11-1.6.5.tar.bz2
deleted file mode 100644
index 57a662c..0000000
--- a/libX11-1.6.5.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4d3890db2ba225ba8c55ca63c6409c1ebb078a2806de59fb16342768ae63435d
-size 2361556
diff --git a/libX11-1.6.6.tar.bz2 b/libX11-1.6.6.tar.bz2
new file mode 100644
index 0000000..efeb21d
--- /dev/null
+++ b/libX11-1.6.6.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65fe181d40ec77f45417710c6a67431814ab252d21c2e85c75dd1ed568af414f
+size 2342730
diff --git a/libX11.changes b/libX11.changes
index 6e64cf8..bbdf1d6 100644
--- a/libX11.changes
+++ b/libX11.changes
@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Wed Aug 22 15:09:51 UTC 2018 - tobias.johannes.klausmann@mni.thm.de
+
+- Update to version 1.6.6:
+ + Make Xkb{Get,Set}NamedIndicator spec & manpages match code
+ + Clarify state parameter to XkbSetNamedDeviceIndicator
+ + Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
+ + If XGetImage fails to create image, don't dereference it to bounds check
+ + Use size_t for buffer sizes in SetHints.c
+ + Change fall through comment in lcDB.c to match gcc's requirements
+ + _XDefaultError: set XlibDisplayIOError flag before calling exit
+ + Fix possible memory leak in cmsProp.c:140
+ + Don't rebuild ks_tables.h if nothing changed.
+ + Remove statement with no effect.
+ + Use flexible array member instead of fake size.
+ + Valgrind fix for XStoreColor and XStoreColors.
+ + XkbOpenDisplay.3: fix typo
+ + Validation of server response in XListHosts.
+ + Fixed off-by-one writes (CVE-2018-14599).
+ + Fixed out of boundary write (CVE-2018-14600).
+ + Fixed crash on invalid reply (CVE-2018-14598).
+ + fix shadow warning
+ + _XIOError(dpy); will never return so remore dead
+ + remove argument check for free() adjust one inden
+ + fix shadow char_size
+ + fix more shadow warning
+ + no need to check argument for _XkbFree()
+ + remove stray extern
+ + no need to check args for Xfree()
+ + fix memleak in error path
+ + fix memleak in error path
+ + no need to check XFree arguments
+ + mark _XDefaultIOError as no_return
+ + Fixes: warning: variable 'req' set but not,used
+ + add _X_UNUSED to avoid unused variable warnings
+ + remove empty line
+ + silence gcc warning assignment discards 'const' qualifier from pointer target type
+- Packaging changes:
+ + Remove upstreamed u_Use-flexible-array-member-instead-of-fake-size.patch
+ + Remove upstreamed u_off-by-one-write-in-XListExtensions.patch
+ + Remove upstreamed u_out-of-boundary-write-in-XListExtensions.patch
+ + Remove upstreamed u_crash-on-invalid-reply-in-XListExtensions.patch
+
 -------------------------------------------------------------------
 Mon Aug 20 12:15:47 UTC 2018 - sndirsch@suse.com
diff --git a/libX11.spec b/libX11.spec
index b1aea0a..2cd7d5b 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -17,7 +17,7 @@
 Name: libX11
-Version: 1.6.5
+Version: 1.6.6
 Release: 0
 Summary: Core X11 protocol client library
 License: MIT
@@ -34,14 +34,6 @@ Patch7: p_khmer-compose.diff
 Patch9: p_xlib_skip_ext_env.diff
 # PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales
 Patch15: en-locales.diff
-# PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8.
-Patch16: u_Use-flexible-array-member-instead-of-fake-size.patch
-# CVE-2018-14599
-Patch1102062: u_off-by-one-write-in-XListExtensions.patch
-# CVE-2018-14600
-Patch1102068: u_out-of-boundary-write-in-XListExtensions.patch
-# CVE-2018-14598
-Patch1102073: u_crash-on-invalid-reply-in-XListExtensions.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: autoconf >= 2.60
@@ -150,10 +142,6 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
 %patch7 -p0
 %patch9 -p0
 %patch15 -p0
-%patch16 -p1
-%patch1102062 -p1
-%patch1102068 -p1
-%patch1102073 -p1
 %build
 # Got patches which change auto*files
diff --git a/u_Use-flexible-array-member-instead-of-fake-size.patch b/u_Use-flexible-array-member-instead-of-fake-size.patch
deleted file mode 100644
index 028a038..0000000
--- a/u_Use-flexible-array-member-instead-of-fake-size.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-Author: Michal Srb
-Subject: Use flexible array member instead of fake size.
-Patch-mainline: To be upstreamed
-References: bnc#1084639
-
-The _XimCacheStruct structure is followed in memory by two strings containing
-fname and encoding. The memory was accessed using the last member of the
-structure `char fname[1]`. That is a lie, prohibits us from using sizeof and
-confuses checkers. Lets declare it properly as a flexible array, so compilers
-don't complain about writing past that array. As bonus we can replace the
-XOffsetOf with regular sizeof.
-
-Fixes GCC8 error:
- In function 'strcpy',
- inlined from '_XimWriteCachedDefaultTree' at imLcIm.c:479:5,
- inlined from '_XimCreateDefaultTree' at imLcIm.c:616:2,
- inlined from '_XimLocalOpenIM' at imLcIm.c:700:5:
- /usr/include/bits/string_fortified.h:90:10: error: '__builtin_strcpy'
- forming offset 2 is out of the bounds [0, 1] [-Werror=array-bounds]
- return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
-
-Caused by this line seemingly writing past the fname[1] array:
- imLcIm.c:479: strcpy (m->fname+strlen(name)+1, encoding);
----
- modules/im/ximcp/imLcIm.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/modules/im/ximcp/imLcIm.c b/modules/im/ximcp/imLcIm.c
-index c19695df..743df77b 100644
---- a/modules/im/ximcp/imLcIm.c
-+++ b/modules/im/ximcp/imLcIm.c
-@@ -82,8 +82,8 @@ struct _XimCacheStruct {
- DTCharIndex mbused;
- DTCharIndex wcused;
- DTCharIndex utf8used;
-- char fname[1];
-- /* char encoding[1] */
-+ char fname[];
-+ /* char encoding[] */
- };
-
- static struct _XimCacheStruct* _XimCache_mmap = NULL;
-@@ -281,7 +281,7 @@ _XimReadCachedDefaultTree(
- assert (m->id == XIM_CACHE_MAGIC);
- assert (m->version == XIM_CACHE_VERSION);
- if (size != m->size ||
-- size < XOffsetOf (struct _XimCacheStruct, fname) + namelen + encodinglen) {
-+ size < sizeof (struct _XimCacheStruct) + namelen + encodinglen) {
- fprintf (stderr, "Ignoring broken XimCache %s 
[%s]\n", name, encoding);
- munmap (m, size);
- return False;
-@@ -442,7 +442,7 @@ _XimWriteCachedDefaultTree(
- int fd;
- FILE *fp;
- struct _XimCacheStruct *m;
-- int msize = (XOffsetOf(struct _XimCacheStruct, fname)
-+ int msize = (sizeof(struct _XimCacheStruct)
- + strlen(name) + strlen(encoding) + 2
- + XIM_CACHE_TREE_ALIGNMENT-1) & -XIM_CACHE_TREE_ALIGNMENT;
- DefTreeBase *b = &im->private.local.base;
---
-2.13.6
-
diff --git a/u_crash-on-invalid-reply-in-XListExtensions.patch b/u_crash-on-invalid-reply-in-XListExtensions.patch
deleted file mode 100644
index 0ae9185..0000000
--- a/u_crash-on-invalid-reply-in-XListExtensions.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
-From: Stefan Dirsch
-Date: Tue, 14 Aug 2018 11:46:40 +0200
-Subject: [PATCH] crash on invalid reply in XListExtensions
-References: bsc#1102073 CVE-2018-14598
-
-If the server sends a reply in which even the first string would
-overflow the transmitted bytes, list[0] will be set to NULL and
-a count of 0 is returned.
-
-If the resulting list is freed with XFreeExtensionList later on,
-the first Xfree call:
-
- Xfree (list[0]-1)
- turns into
- Xfree (NULL-1)
-
-which will most likely trigger a segmentation fault.
-
-I have modified the code to return NULL if the first string would
-overflow, thus protecting XFreeExtensionList later on.
-
-Signed-off-by: Tobias Stoeckmann
----
- src/ListExt.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/ListExt.c b/src/ListExt.c
-index 6537c4dc..ece9ba31 100644
---- a/src/ListExt.c
-+++ b/src/ListExt.c
-@@ -83,6 +83,11 @@ char **XListExtensions(
- length = (unsigned char) *ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
-+ } else if (i == 0) {
-+ Xfree(list);
-+ Xfree(ch);
-+ list = NULL;
-+ break;
- } else
- list[i] = NULL;
- }
---
-2.16.4
-
diff --git a/u_off-by-one-write-in-XListExtensions.patch b/u_off-by-one-write-in-XListExtensions.patch
deleted file mode 100644
index 00ded64..0000000
--- a/u_off-by-one-write-in-XListExtensions.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From b4692168dfd66cdcd91d970ff255ded144d6ef95 Mon Sep 17 00:00:00 2001
-From: Stefan Dirsch
-Date: Mon, 23 Jul 2018 14:26:05 +0200
-Subject: [PATCH] off-by-one write in XListExtensions
-References: bsc#1102062 CVE-2018-14599
-
-The function XListExtensions is vulnerable to an off-by-one override on
-malicious server responses.
-
-The server reply consists of extension names consisting of a length byte
-followed by actual string, which is not NUL-terminated.
-
-While parsing the response, the length byte is overridden with '\0',
-thus the memory area can be used as storage of C strings later on. To
-be able to NUL-terminate the last string, the buffer is reserved with
-an additional byte of space.
-
-For a boundary check, the variable chend (end of ch) was introduced,
-pointing at the end of the buffer which ch initially points to.
-Unfortunately there is a difference in handling "the end of ch".
-
-While chend points at the first byte that must not be written to,
-the for-loop uses chend as the last byte that can be written to.
-
-Therefore, an off-by-one can occur.
-
-I have refactored the code so chend actually points to the last byte
-that can be written to without an out of boundary access. As it is not
-possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
-with the corrected chend meaning, I removed the inner if-check.
-
-Signed-off-by: Tobias Stoeckmann
----
- src/ListExt.c | 12 ++++--------
- 1 file changed, 4 insertions(+), 8 deletions(-)
-
-diff --git a/src/ListExt.c b/src/ListExt.c
-index 7fdf9932..8f344ac0 100644
---- a/src/ListExt.c
-+++ b/src/ListExt.c
-@@ -74,19 +74,15 @@ char **XListExtensions(
- /*
- * unpack into null terminated strings.
- */
-- chend = ch + (rlen + 1);
-+ chend = ch + rlen;
- length = *ch;
- for (i = 0; i < rep.nExtensions; i++) {
- if (ch + length < chend) {
- list[i] = ch+1; /* skip over length */
- ch += length + 1; /* find next length ... 
*/
-- if (ch <= chend) {
-- length = *ch;
-- *ch = '\0'; /* and replace with null-termination */
-- count++;
-- } else {
-- list[i] = NULL;
-- }
-+ length = *ch;
-+ *ch = '\0'; /* and replace with null-termination */
-+ count++;
- } else
- list[i] = NULL;
- }
---
-2.16.4
-
diff --git a/u_out-of-boundary-write-in-XListExtensions.patch b/u_out-of-boundary-write-in-XListExtensions.patch
deleted file mode 100644
index fe0a5ba..0000000
--- a/u_out-of-boundary-write-in-XListExtensions.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
-From: Stefan Dirsch
-Date: Mon, 23 Jul 2018 14:30:54 +0200
-Subject: [PATCH] out of boundary write in XListExtensions
-References: bsc#1102068 CVE-2018-14600
-
-The length value is interpreted as signed char on many systems
-(depending on default signedness of char), which can lead to an out of
-boundary write up to 128 bytes in front of the allocated storage, but
-limited to NUL byte(s).
-
-Casting the length value to unsigned char fixes the problem and allows
-string values with up to 255 characters.
-
-Signed-off-by: Tobias Stoeckmann
----
- src/ListExt.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/ListExt.c b/src/ListExt.c
-index 8f344ac0..6537c4dc 100644
---- a/src/ListExt.c
-+++ b/src/ListExt.c
-@@ -75,12 +75,12 @@ char **XListExtensions(
- * unpack into null terminated strings.
- */
- chend = ch + rlen;
-- length = *ch;
-+ length = (unsigned char) *ch;
- for (i = 0; i < rep.nExtensions; i++) {
- if (ch + length < chend) {
- list[i] = ch+1; /* skip over length */
- ch += length + 1; /* find next length ... */
-- length = *ch;
-+ length = (unsigned char) *ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else
---
-2.16.4
-