Accepting request 630965 from home:tobijk:X11:XOrg

- Update to version 1.6.6: + Make Xkb{Get,Set}NamedIndicator spec & manpages match code + Clarify state parameter to XkbSetNamedDeviceIndicator + Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages + If XGetImage fails to create image, don't dereference it to bounds check + Use size_t for buffer sizes in SetHints.c + Change fall through comment in lcDB.c to match gcc's requirements + _XDefaultError: set XlibDisplayIOError flag before calling exit + Fix possible memory leak in cmsProp.c:140 + Don't rebuild ks_tables.h if nothing changed. + Remove statement with no effect. + Use flexible array member instead of fake size. + Valgrind fix for XStoreColor and XStoreColors. + XkbOpenDisplay.3: fix typo + Validation of server response in XListHosts. + Fixed off-by-one writes (CVE-2018-14599). + Fixed out of boundary write (CVE-2018-14600). + Fixed crash on invalid reply (CVE-2018-14598). + fix shadow warning + _XIOError(dpy); will never return so remore dead + remove argument check for free() adjust one inden + fix shadow char_size + fix more shadow warning + no need to check argument for _XkbFree() + remove stray extern + no need to check args for Xfree() + fix memleak in error path + fix memleak in error path + no need to check XFree arguments + mark _XDefaultIOError as no_return OBS-URL: https://build.opensuse.org/request/show/630965 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=46
2018-08-23 09:57:49 +00:00 · 2018-08-23 09:57:49 +00:00 · eac8ab91ba
commit eac8ab91ba
parent b3ab4adca7
8 changed files with 47 additions and 233 deletions
--- a/libX11-1.6.5.tar.bz2
+++ b/libX11-1.6.5.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:4d3890db2ba225ba8c55ca63c6409c1ebb078a2806de59fb16342768ae63435d
 size 2361556
--- a/libX11-1.6.6.tar.bz2
+++ b/libX11-1.6.6.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:65fe181d40ec77f45417710c6a67431814ab252d21c2e85c75dd1ed568af414f
 size 2342730
--- a/libX11.changes
+++ b/libX11.changes
@ -1,3 +1,46 @@
 -------------------------------------------------------------------
 Wed Aug 22 15:09:51 UTC 2018 - tobias.johannes.klausmann@mni.thm.de
 - Update to version 1.6.6:
  + Make Xkb{Get,Set}NamedIndicator spec & manpages match code
  + Clarify state parameter to XkbSetNamedDeviceIndicator
  + Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
  + If XGetImage fails to create image, don't dereference it to bounds check
  + Use size_t for buffer sizes in SetHints.c
  + Change fall through comment in lcDB.c to match gcc's requirements
  + _XDefaultError: set XlibDisplayIOError flag before calling exit
  + Fix possible memory leak in cmsProp.c:140
  + Don't rebuild ks_tables.h if nothing changed.
  + Remove statement with no effect.
  + Use flexible array member instead of fake size.
  + Valgrind fix for XStoreColor and XStoreColors.
  + XkbOpenDisplay.3: fix typo
  + Validation of server response in XListHosts.
  + Fixed off-by-one writes (CVE-2018-14599).
  + Fixed out of boundary write (CVE-2018-14600).
  + Fixed crash on invalid reply (CVE-2018-14598).
  + fix shadow warning
  + _XIOError(dpy); will never return so remore dead
  + remove argument check for free() adjust one inden
  + fix shadow char_size
  + fix more shadow warning
  + no need to check argument for _XkbFree()
  + remove stray extern
  + no need to check args for Xfree()
  + fix memleak in error path
  + fix memleak in error path
  + no need to check XFree arguments
  + mark _XDefaultIOError as no_return
  + Fixes: warning: variable 'req' set but not,used
  + add _X_UNUSED to avoid unused variable warnings
  + remove empty line
  + silence gcc warning assignment discards 'const' qualifier from pointer target type
 - Packaging changes:
  + Remove upstreamed u_Use-flexible-array-member-instead-of-fake-size.patch
  + Remove upstreamed u_off-by-one-write-in-XListExtensions.patch
  + Remove upstreamed u_out-of-boundary-write-in-XListExtensions.patch
  + Remove upstreamed u_crash-on-invalid-reply-in-XListExtensions.patch
 -------------------------------------------------------------------
 Mon Aug 20 12:15:47 UTC 2018 - sndirsch@suse.com
--- a/libX11.spec
+++ b/libX11.spec
@ -17,7 +17,7 @@
 Name:           libX11
-Version:        1.6.5
+Version:        1.6.6
 Release:        0
 Summary:        Core X11 protocol client library
 License:        MIT
@ -34,14 +34,6 @@ Patch7:         p_khmer-compose.diff
 Patch9:         p_xlib_skip_ext_env.diff
 # PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales
 Patch15:        en-locales.diff
 # PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8.
 Patch16:        u_Use-flexible-array-member-instead-of-fake-size.patch
 # CVE-2018-14599
 Patch1102062:   u_off-by-one-write-in-XListExtensions.patch
 # CVE-2018-14600
 Patch1102068:   u_out-of-boundary-write-in-XListExtensions.patch
 # CVE-2018-14598
 Patch1102073:   u_crash-on-invalid-reply-in-XListExtensions.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  autoconf >= 2.60
@ -150,10 +142,6 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
 %patch7 -p0
 %patch9 -p0
 %patch15 -p0
 %patch16 -p1
 %patch1102062 -p1
 %patch1102068 -p1
 %patch1102073 -p1
 %build
 # Got patches which change auto*files
--- a/u_Use-flexible-array-member-instead-of-fake-size.patch
+++ b/u_Use-flexible-array-member-instead-of-fake-size.patch
@ -1,63 +0,0 @@
 Author: Michal Srb <msrb@suse.com>
 Subject: Use flexible array member instead of fake size.
 Patch-mainline: To be upstreamed
 References: bnc#1084639
 The _XimCacheStruct structure is followed in memory by two strings containing
 fname and encoding. The memory was accessed using the last member of the
 structure `char fname[1]`. That is a lie, prohibits us from using sizeof and
 confuses checkers. Lets declare it properly as a flexible array, so compilers
 don't complain about writing past that array. As bonus we can replace the
 XOffsetOf with regular sizeof.
 Fixes GCC8 error:
  In function 'strcpy',
      inlined from '_XimWriteCachedDefaultTree' at imLcIm.c:479:5,
      inlined from '_XimCreateDefaultTree' at imLcIm.c:616:2,
      inlined from '_XimLocalOpenIM' at imLcIm.c:700:5:
  /usr/include/bits/string_fortified.h:90:10: error: '__builtin_strcpy'
  forming offset 2 is out of the bounds [0, 1] [-Werror=array-bounds]
     return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
 Caused by this line seemingly writing past the fname[1] array:
  imLcIm.c:479:  strcpy (m->fname+strlen(name)+1, encoding);
 ---
 modules/im/ximcp/imLcIm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/modules/im/ximcp/imLcIm.c b/modules/im/ximcp/imLcIm.c
 index c19695df..743df77b 100644
 --- a/modules/im/ximcp/imLcIm.c
 +++ b/modules/im/ximcp/imLcIm.c
@@ -82,8 +82,8 @@ struct _XimCacheStruct {
     DTCharIndex     mbused;
     DTCharIndex     wcused;
     DTCharIndex     utf8used;
 -    char            fname[1];
 -    /* char encoding[1] */
 +    char            fname[];
 +    /* char encoding[] */
 };
 static struct  _XimCacheStruct* _XimCache_mmap = NULL;
@@ -281,7 +281,7 @@ _XimReadCachedDefaultTree(
     assert (m->id == XIM_CACHE_MAGIC);
     assert (m->version == XIM_CACHE_VERSION);
     if (size != m->size ||
 -	size < XOffsetOf (struct _XimCacheStruct, fname) + namelen + encodinglen) {
 +	size < sizeof (struct _XimCacheStruct) + namelen + encodinglen) {
 	fprintf (stderr, "Ignoring broken XimCache %s [%s]\n", name, encoding);
         munmap (m, size);
         return False;
@@ -442,7 +442,7 @@ _XimWriteCachedDefaultTree(
     int   fd;
     FILE *fp;
     struct _XimCacheStruct *m;
 -    int   msize = (XOffsetOf(struct _XimCacheStruct, fname)
 +    int   msize = (sizeof(struct _XimCacheStruct)
 		   + strlen(name) + strlen(encoding) + 2
 		   + XIM_CACHE_TREE_ALIGNMENT-1) & -XIM_CACHE_TREE_ALIGNMENT;
     DefTreeBase *b = &im->private.local.base;
 -- 
 2.13.6
--- a/u_crash-on-invalid-reply-in-XListExtensions.patch
+++ b/u_crash-on-invalid-reply-in-XListExtensions.patch
@ -1,46 +0,0 @@
 From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
 From: Stefan Dirsch <sndirsch@suse.de>
 Date: Tue, 14 Aug 2018 11:46:40 +0200
 Subject: [PATCH] crash on invalid reply in XListExtensions
 References: bsc#1102073 CVE-2018-14598
 If the server sends a reply in which even the first string would
 overflow the transmitted bytes, list[0] will be set to NULL and
 a count of 0 is returned.
 If the resulting list is freed with XFreeExtensionList later on,
 the first Xfree call:
    Xfree (list[0]-1)
 turns into
    Xfree (NULL-1)
 which will most likely trigger a segmentation fault.
 I have modified the code to return NULL if the first string would
 overflow, thus protecting XFreeExtensionList later on.
 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 ---
 src/ListExt.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/ListExt.c b/src/ListExt.c
 index 6537c4dc..ece9ba31 100644
 --- a/src/ListExt.c
 +++ b/src/ListExt.c
@@ -83,6 +83,11 @@ char **XListExtensions(
 		    length = (unsigned char) *ch;
 		    *ch = '\0'; /* and replace with null-termination */
 		    count++;
 +		} else if (i == 0) {
 +		    Xfree(list);
 +		    Xfree(ch);
 +		    list = NULL;
 +		    break;
 		} else
 		    list[i] = NULL;
 	    }
 -- 
 2.16.4
--- a/u_off-by-one-write-in-XListExtensions.patch
+++ b/u_off-by-one-write-in-XListExtensions.patch
@ -1,67 +0,0 @@
 From b4692168dfd66cdcd91d970ff255ded144d6ef95 Mon Sep 17 00:00:00 2001
 From: Stefan Dirsch <sndirsch@suse.de>
 Date: Mon, 23 Jul 2018 14:26:05 +0200
 Subject: [PATCH] off-by-one write in XListExtensions
 References: bsc#1102062 CVE-2018-14599
 The function XListExtensions is vulnerable to an off-by-one override on
 malicious server responses.
 The server reply consists of extension names consisting of a length byte
 followed by actual string, which is not NUL-terminated.
 While parsing the response, the length byte is overridden with '\0',
 thus the memory area can be used as storage of C strings later on. To
 be able to NUL-terminate the last string, the buffer is reserved with
 an additional byte of space.
 For a boundary check, the variable chend (end of ch) was introduced,
 pointing at the end of the buffer which ch initially points to.
 Unfortunately there is a difference in handling "the end of ch".
 While chend points at the first byte that must not be written to,
 the for-loop uses chend as the last byte that can be written to.
 Therefore, an off-by-one can occur.
 I have refactored the code so chend actually points to the last byte
 that can be written to without an out of boundary access. As it is not
 possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
 with the corrected chend meaning, I removed the inner if-check.
 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 ---
 src/ListExt.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
 diff --git a/src/ListExt.c b/src/ListExt.c
 index 7fdf9932..8f344ac0 100644
 --- a/src/ListExt.c
 +++ b/src/ListExt.c
@@ -74,19 +74,15 @@ char **XListExtensions(
 	    /*
 	     * unpack into null terminated strings.
 	     */
 -	    chend = ch + (rlen + 1);
 +	    chend = ch + rlen;
 	    length = *ch;
 	    for (i = 0; i < rep.nExtensions; i++) {
 		if (ch + length < chend) {
 		    list[i] = ch+1;  /* skip over length */
 		    ch += length + 1; /* find next length ... */
 -		    if (ch <= chend) {
 -			length = *ch;
 -			*ch = '\0'; /* and replace with null-termination */
 -			count++;
 -		    } else {
 -			list[i] = NULL;
 -		    }
 +		    length = *ch;
 +		    *ch = '\0'; /* and replace with null-termination */
 +		    count++;
 		} else
 		    list[i] = NULL;
 	    }
 -- 
 2.16.4
--- a/u_out-of-boundary-write-in-XListExtensions.patch
+++ b/u_out-of-boundary-write-in-XListExtensions.patch
@ -1,41 +0,0 @@
 From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
 From: Stefan Dirsch <sndirsch@suse.de>
 Date: Mon, 23 Jul 2018 14:30:54 +0200
 Subject: [PATCH] out of boundary write in XListExtensions
 References: bsc#1102068 CVE-2018-14600
 The length value is interpreted as signed char on many systems
 (depending on default signedness of char), which can lead to an out of
 boundary write up to 128 bytes in front of the allocated storage, but
 limited to NUL byte(s).
 Casting the length value to unsigned char fixes the problem and allows
 string values with up to 255 characters.
 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 ---
 src/ListExt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/ListExt.c b/src/ListExt.c
 index 8f344ac0..6537c4dc 100644
 --- a/src/ListExt.c
 +++ b/src/ListExt.c
@@ -75,12 +75,12 @@ char **XListExtensions(
 	     * unpack into null terminated strings.
 	     */
 	    chend = ch + rlen;
 -	    length = *ch;
 +	    length = (unsigned char) *ch;
 	    for (i = 0; i < rep.nExtensions; i++) {
 		if (ch + length < chend) {
 		    list[i] = ch+1;  /* skip over length */
 		    ch += length + 1; /* find next length ... */
 -		    length = *ch;
 +		    length = (unsigned char) *ch;
 		    *ch = '\0'; /* and replace with null-termination */
 		    count++;
 		} else
 -- 
 2.16.4