rpm/libX11
SHA256
1
0
Fork 0
forked from pool/libX11
Code Pull Requests Activity

Accepting request 630965 from home:tobijk:X11:XOrg

Browse Source 
- Update to version 1.6.6:
  + Make Xkb{Get,Set}NamedIndicator spec & manpages match code
  + Clarify state parameter to XkbSetNamedDeviceIndicator
  + Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
  + If XGetImage fails to create image, don't dereference it to bounds check
  + Use size_t for buffer sizes in SetHints.c
  + Change fall through comment in lcDB.c to match gcc's requirements
  + _XDefaultError: set XlibDisplayIOError flag before calling exit
  + Fix possible memory leak in cmsProp.c:140
  + Don't rebuild ks_tables.h if nothing changed.
  + Remove statement with no effect.
  + Use flexible array member instead of fake size.
  + Valgrind fix for XStoreColor and XStoreColors.
  + XkbOpenDisplay.3: fix typo
  + Validation of server response in XListHosts.
  + Fixed off-by-one writes (CVE-2018-14599).
  + Fixed out of boundary write (CVE-2018-14600).
  + Fixed crash on invalid reply (CVE-2018-14598).
  + fix shadow warning
  + _XIOError(dpy); will never return so remore dead
  + remove argument check for free() adjust one inden
  + fix shadow char_size
  + fix more shadow warning
  + no need to check argument for _XkbFree()
  + remove stray extern
  + no need to check args for Xfree()
  + fix memleak in error path
  + fix memleak in error path
  + no need to check XFree arguments
  + mark _XDefaultIOError as no_return

OBS-URL: https://build.opensuse.org/request/show/630965
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=46
This commit is contained in:
Stefan Dirsch 2018-08-23 09:57:49 +00:00 committed by Git OBS Bridge
parent b3ab4adca7
commit eac8ab91ba
8 changed files with 47 additions and 233 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libX11-1.6.5.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4d3890db2ba225ba8c55ca63c6409c1ebb078a2806de59fb16342768ae63435d
size 2361556

3
libX11-1.6.6.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:65fe181d40ec77f45417710c6a67431814ab252d21c2e85c75dd1ed568af414f
size 2342730

43
libX11.changes
View File

@ -1,3 +1,46 @@
-------------------------------------------------------------------
Wed Aug 22 15:09:51 UTC 2018 - tobias.johannes.klausmann@mni.thm.de
- Update to version 1.6.6:
+ Make Xkb{Get,Set}NamedIndicator spec & manpages match code
+ Clarify state parameter to XkbSetNamedDeviceIndicator
+ Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
+ If XGetImage fails to create image, don't dereference it to bounds check
+ Use size_t for buffer sizes in SetHints.c
+ Change fall through comment in lcDB.c to match gcc's requirements
+ _XDefaultError: set XlibDisplayIOError flag before calling exit
+ Fix possible memory leak in cmsProp.c:140
+ Don't rebuild ks_tables.h if nothing changed.
+ Remove statement with no effect.
+ Use flexible array member instead of fake size.
+ Valgrind fix for XStoreColor and XStoreColors.
+ XkbOpenDisplay.3: fix typo
+ Validation of server response in XListHosts.
+ Fixed off-by-one writes (CVE-2018-14599).
+ Fixed out of boundary write (CVE-2018-14600).
+ Fixed crash on invalid reply (CVE-2018-14598).
+ fix shadow warning
+ _XIOError(dpy); will never return so remore dead
+ remove argument check for free() adjust one inden
+ fix shadow char_size
+ fix more shadow warning
+ no need to check argument for _XkbFree()
+ remove stray extern
+ no need to check args for Xfree()
+ fix memleak in error path
+ fix memleak in error path
+ no need to check XFree arguments
+ mark _XDefaultIOError as no_return
+ Fixes: warning: variable 'req' set but not,used
+ add _X_UNUSED to avoid unused variable warnings
+ remove empty line
+ silence gcc warning assignment discards 'const' qualifier from pointer target type
- Packaging changes:
+ Remove upstreamed u_Use-flexible-array-member-instead-of-fake-size.patch
+ Remove upstreamed u_off-by-one-write-in-XListExtensions.patch
+ Remove upstreamed u_out-of-boundary-write-in-XListExtensions.patch
+ Remove upstreamed u_crash-on-invalid-reply-in-XListExtensions.patch
-------------------------------------------------------------------
Mon Aug 20 12:15:47 UTC 2018 - sndirsch@suse.com

14
libX11.spec
View File

@ -17,7 +17,7 @@
Name: libX11
Version: 1.6.5
Version: 1.6.6
Release: 0
Summary: Core X11 protocol client library
License: MIT
@ -34,14 +34,6 @@ Patch7: p_khmer-compose.diff
Patch9: p_xlib_skip_ext_env.diff
# PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales
Patch15: en-locales.diff
# PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8.
Patch16: u_Use-flexible-array-member-instead-of-fake-size.patch
# CVE-2018-14599
Patch1102062: u_off-by-one-write-in-XListExtensions.patch
# CVE-2018-14600
Patch1102068: u_out-of-boundary-write-in-XListExtensions.patch
# CVE-2018-14598
Patch1102073: u_crash-on-invalid-reply-in-XListExtensions.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: autoconf >= 2.60
@ -150,10 +142,6 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
%patch7 -p0
%patch9 -p0
%patch15 -p0
%patch16 -p1
%patch1102062 -p1
%patch1102068 -p1
%patch1102073 -p1
%build
# Got patches which change auto*files

63
u_Use-flexible-array-member-instead-of-fake-size.patch
View File

@ -1,63 +0,0 @@
Author: Michal Srb <msrb@suse.com>
Subject: Use flexible array member instead of fake size.
Patch-mainline: To be upstreamed
References: bnc#1084639
The _XimCacheStruct structure is followed in memory by two strings containing
fname and encoding. The memory was accessed using the last member of the
structure `char fname[1]`. That is a lie, prohibits us from using sizeof and
confuses checkers. Lets declare it properly as a flexible array, so compilers
don't complain about writing past that array. As bonus we can replace the
XOffsetOf with regular sizeof.
Fixes GCC8 error:
In function 'strcpy',
inlined from '_XimWriteCachedDefaultTree' at imLcIm.c:479:5,
inlined from '_XimCreateDefaultTree' at imLcIm.c:616:2,
inlined from '_XimLocalOpenIM' at imLcIm.c:700:5:
/usr/include/bits/string_fortified.h:90:10: error: '__builtin_strcpy'
forming offset 2 is out of the bounds [0, 1] [-Werror=array-bounds]
return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
Caused by this line seemingly writing past the fname[1] array:
imLcIm.c:479: strcpy (m->fname+strlen(name)+1, encoding);
---
modules/im/ximcp/imLcIm.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/im/ximcp/imLcIm.c b/modules/im/ximcp/imLcIm.c
index c19695df..743df77b 100644
--- a/modules/im/ximcp/imLcIm.c
+++ b/modules/im/ximcp/imLcIm.c
@@ -82,8 +82,8 @@ struct _XimCacheStruct {
DTCharIndex mbused;
DTCharIndex wcused;
DTCharIndex utf8used;
- char fname[1];
- /* char encoding[1] */
+ char fname[];
+ /* char encoding[] */
};
static struct _XimCacheStruct* _XimCache_mmap = NULL;
@@ -281,7 +281,7 @@ _XimReadCachedDefaultTree(
assert (m->id == XIM_CACHE_MAGIC);
assert (m->version == XIM_CACHE_VERSION);
if (size != m->size ||
- size < XOffsetOf (struct _XimCacheStruct, fname) + namelen + encodinglen) {
+ size < sizeof (struct _XimCacheStruct) + namelen + encodinglen) {
fprintf (stderr, "Ignoring broken XimCache %s [%s]\n", name, encoding);
munmap (m, size);
return False;
@@ -442,7 +442,7 @@ _XimWriteCachedDefaultTree(
int fd;
FILE *fp;
struct _XimCacheStruct *m;
- int msize = (XOffsetOf(struct _XimCacheStruct, fname)
+ int msize = (sizeof(struct _XimCacheStruct)
+ strlen(name) + strlen(encoding) + 2
+ XIM_CACHE_TREE_ALIGNMENT-1) & -XIM_CACHE_TREE_ALIGNMENT;
DefTreeBase *b = &im->private.local.base;
--
2.13.6

46
u_crash-on-invalid-reply-in-XListExtensions.patch
View File

@ -1,46 +0,0 @@
From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Tue, 14 Aug 2018 11:46:40 +0200
Subject: [PATCH] crash on invalid reply in XListExtensions
References: bsc#1102073 CVE-2018-14598
If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] will be set to NULL and
a count of 0 is returned.
If the resulting list is freed with XFreeExtensionList later on,
the first Xfree call:
Xfree (list[0]-1)
turns into
Xfree (NULL-1)
which will most likely trigger a segmentation fault.
I have modified the code to return NULL if the first string would
overflow, thus protecting XFreeExtensionList later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/ListExt.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/ListExt.c b/src/ListExt.c
index 6537c4dc..ece9ba31 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -83,6 +83,11 @@ char **XListExtensions(
length = (unsigned char) *ch;
*ch = '\0'; /* and replace with null-termination */
count++;
+ } else if (i == 0) {
+ Xfree(list);
+ Xfree(ch);
+ list = NULL;
+ break;
} else
list[i] = NULL;
}
--
2.16.4

67
u_off-by-one-write-in-XListExtensions.patch
View File

@ -1,67 +0,0 @@
From b4692168dfd66cdcd91d970ff255ded144d6ef95 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Mon, 23 Jul 2018 14:26:05 +0200
Subject: [PATCH] off-by-one write in XListExtensions
References: bsc#1102062 CVE-2018-14599
The function XListExtensions is vulnerable to an off-by-one override on
malicious server responses.
The server reply consists of extension names consisting of a length byte
followed by actual string, which is not NUL-terminated.
While parsing the response, the length byte is overridden with '\0',
thus the memory area can be used as storage of C strings later on. To
be able to NUL-terminate the last string, the buffer is reserved with
an additional byte of space.
For a boundary check, the variable chend (end of ch) was introduced,
pointing at the end of the buffer which ch initially points to.
Unfortunately there is a difference in handling "the end of ch".
While chend points at the first byte that must not be written to,
the for-loop uses chend as the last byte that can be written to.
Therefore, an off-by-one can occur.
I have refactored the code so chend actually points to the last byte
that can be written to without an out of boundary access. As it is not
possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
with the corrected chend meaning, I removed the inner if-check.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/ListExt.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/ListExt.c b/src/ListExt.c
index 7fdf9932..8f344ac0 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -74,19 +74,15 @@ char **XListExtensions(
/*
* unpack into null terminated strings.
*/
- chend = ch + (rlen + 1);
+ chend = ch + rlen;
length = *ch;
for (i = 0; i < rep.nExtensions; i++) {
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- if (ch <= chend) {
- length = *ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else {
- list[i] = NULL;
- }
+ length = *ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
} else
list[i] = NULL;
}
--
2.16.4

41
u_out-of-boundary-write-in-XListExtensions.patch
View File

@ -1,41 +0,0 @@
From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Mon, 23 Jul 2018 14:30:54 +0200
Subject: [PATCH] out of boundary write in XListExtensions
References: bsc#1102068 CVE-2018-14600
The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out of
boundary write up to 128 bytes in front of the allocated storage, but
limited to NUL byte(s).
Casting the length value to unsigned char fixes the problem and allows
string values with up to 255 characters.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/ListExt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ListExt.c b/src/ListExt.c
index 8f344ac0..6537c4dc 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -75,12 +75,12 @@ char **XListExtensions(
* unpack into null terminated strings.
*/
chend = ch + rlen;
- length = *ch;
+ length = (unsigned char) *ch;
for (i = 0; i < rep.nExtensions; i++) {
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- length = *ch;
+ length = (unsigned char) *ch;
*ch = '\0'; /* and replace with null-termination */
count++;
} else
--
2.16.4