diff --git a/U_Xi-Do-not-try-to-swap-GenericEvent.patch b/U_Xi-Do-not-try-to-swap-GenericEvent.patch
deleted file mode 100644
index 4ce620d..0000000
--- a/U_Xi-Do-not-try-to-swap-GenericEvent.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Author: Michal Srb
-Subject: Xi: Do not try to swap GenericEvent.
-Git-commit: ba336b24052122b136486961c82deac76bbde455
-Patch-mainline: Upstream
-References: bnc#1035283 CVE-2017-10971
-
-The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
-it is assuming that the event has fixed size and gives the swapping function
-xEvent-sized buffer.
-
-A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
-
-Signed-off-by: Michal Srb
-Reviewed-by: Peter Hutterer
----
- Xi/sendexev.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 5e63bfcca..5c2e0fc56 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
-
- eventP = (xEvent *) &stuff[1];
- for (i = 0; i < stuff->num_events; i++, eventP++) {
-+ if (eventP->u.u.type == GenericEvent) {
-+ client->errorValue = eventP->u.u.type;
-+ return BadValue;
-+ }
-+
- proc = EventSwapVector[eventP->u.u.type & 0177];
-- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
-+ /* no swapping proc; invalid event type? */
-+ if (proc == NotImplemented) {
-+ client->errorValue = eventP->u.u.type;
- return BadValue;
-+ }
- (*proc) (eventP, &eventT);
- *eventP = eventT;
- }
--- 
-2.12.0
-
diff --git a/U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch b/U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
deleted file mode 100644
index 8596f71..0000000
--- a/U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Author: Michal Srb
-Subject: Xi: Verify all events in ProcXSendExtensionEvent.
-Git-commit: 8caed4df36b1f802b4992edcfd282cbeeec35d9d
-Patch-mainline: Upstream
-References: bnc#1035283 CVE-2017-10971
-
-The requirement is that events have type in range
-EXTENSION_EVENT_BASE..lastEvent, but it was tested
-only for first event of all.
-
-Signed-off-by: Michal Srb
-Reviewed-by: Peter Hutterer
----
- Xi/sendexev.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 1cf118ab6..5e63bfcca 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- int
- ProcXSendExtensionEvent(ClientPtr client)
- {
-- int ret;
-+ int ret, i;
- DeviceIntPtr dev;
- xEvent *first;
- XEventClass *list;
-@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
- /* The client's event type must be one defined by an extension. */
-
- first = ((xEvent *) &stuff[1]);
-- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
-- (first->u.u.type < lastEvent))) {
-- client->errorValue = first->u.u.type;
-- return BadValue;
-+ for (i = 0; i < stuff->num_events; i++) {
-+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
-+ (first[i].u.u.type < lastEvent))) {
-+ client->errorValue = first[i].u.u.type;
-+ return BadValue;
-+ }
- }
-
- list = (XEventClass *) (first + stuff->num_events);
--- 
-2.12.0
-
diff --git a/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch b/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
deleted file mode 100644
index 9e1f2b4..0000000
--- a/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Author: Michal Srb
-Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
-Git-commit: 05442de962d3dc624f79fc1a00eca3ffc5489ced
-Patch-mainline: Upstream
-References: bnc#1035283 CVE-2017-10972
-
-Make sure that the xEvent eventT is initialized with zeros, the same way as
-in SProcSendEvent.
-
-Some event swapping functions do not overwrite all 32 bytes of xEvent
-structure, for example XSecurityAuthorizationRevoked. Two cooperating
-clients, one swapped and the other not, can send
-XSecurityAuthorizationRevoked event to each other to retrieve old stack data
-from X server. This can be potentialy misused to go around ASLR or
-stack-protector.
-
-Signed-off-by: Michal Srb
-Reviewed-by: Peter Hutterer
----
- Xi/sendexev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 11d82029f..1cf118ab6 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- {
- CARD32 *p;
- int i;
-- xEvent eventT;
-+ xEvent eventT = { .u.u.type = 0 };
- xEvent *eventP;
- EventSwapPtr proc;
-
--- 
-2.12.0
-
diff --git a/U_dix-Disallow-GenericEvent-in-SendEvent-request.patch b/U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
deleted file mode 100644
index 29aae42..0000000
--- a/U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-Author: Michal Srb
-Subject: dix: Disallow GenericEvent in SendEvent request.
-Git-commit: 215f894965df5fb0bb45b107d84524e700d2073c
-Patch-mainline: Upstream
-References: bnc#1035283 CVE-2017-10971
-
-The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
-no less. Both ProcSendEvent and SProcSendEvent verify that the received data
-exactly match the request size. However nothing stops the client from passing
-in event with xEvent::type = GenericEvent and any value of
-xGenericEvent::length.
-
-In the case of ProcSendEvent, the event will be eventually passed to
-WriteEventsToClient which will see that it is Generic event and copy the
-arbitrary length from the receive buffer (and possibly past it) and send it to
-the other client. This allows clients to copy unitialized heap memory out of X
-server or to crash it.
-
-In case of SProcSendEvent, it will attempt to swap the incoming event by
-calling a swapping function from the EventSwapVector array. The swapped event
-is written to target buffer, which in this case is local xEvent variable. The
-xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
-expect that the target buffer has size matching the size of the source
-GenericEvent. This allows clients to cause stack buffer overflows.
-
-Signed-off-by: Michal Srb
-Reviewed-by: Peter Hutterer
----
- dix/events.c | 6 ++++++
- dix/swapreq.c | 7 +++++++
- 2 files changed, 13 insertions(+)
-
-diff --git a/dix/events.c b/dix/events.c
-index cc26ba5db..3faad53a8 100644
---- a/dix/events.c
-+++ b/dix/events.c
-@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
- client->errorValue = stuff->event.u.u.type;
- return BadValue;
- }
-+ /* Generic events can have variable size, but SendEvent request holds
-+ exactly 32B of event data. */
-+ if (stuff->event.u.u.type == GenericEvent) {
-+ client->errorValue = stuff->event.u.u.type;
-+ return BadValue;
-+ }
- if (stuff->event.u.u.type == ClientMessage &&
- stuff->event.u.u.detail != 8 &&
- stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
-diff --git a/dix/swapreq.c b/dix/swapreq.c
-index 719e9b81c..67850593b 100644
---- a/dix/swapreq.c
-+++ b/dix/swapreq.c
-@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
- swapl(&stuff->destination);
- swapl(&stuff->eventMask);
-
-+ /* Generic events can have variable size, but SendEvent request holds
-+ exactly 32B of event data. */
-+ if (stuff->event.u.u.type == GenericEvent) {
-+ client->errorValue = stuff->event.u.u.type;
-+ return BadValue;
-+ }
-+
- /* Swap event */
- proc = EventSwapVector[stuff->event.u.u.type & 0177];
- if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
--- 
-2.12.0
-
diff --git a/u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch b/u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
index f2af7b9..b907ee1 100644
--- a/u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
+++ b/u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
@@ -32,8 +32,8 @@ Index: xorg-server-1.19.3/configure.ac
 AC_HEADER_DIRENT
 AC_HEADER_STDC
 AC_CHECK_HEADERS([fcntl.h stdlib.h string.h unistd.h dlfcn.h stropts.h \
-- fnmatch.h sys/mkdev.h sys/utsname.h])
-+ fnmatch.h sys/mkdev.h sys/utsname.h sys/syscall.h])
+- fnmatch.h sys/mkdev.h sys/sysmacros.h sys/utsname.h])
++ fnmatch.h sys/mkdev.h sys/sysmacros.h sys/utsname.h sys/syscall.h])
 dnl Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
diff --git a/u_xorg-wrapper-Drop-supplemental-group-IDs.patch b/u_xorg-wrapper-Drop-supplemental-group-IDs.patch
index 9c3f45f..61e16f6 100644
--- a/u_xorg-wrapper-Drop-supplemental-group-IDs.patch
+++ b/u_xorg-wrapper-Drop-supplemental-group-IDs.patch
@@ -15,13 +15,13 @@ index d930962..64a43c4 100644
 --- a/hw/xfree86/xorg-wrapper.c
 +++ b/hw/xfree86/xorg-wrapper.c
 @@ -36,6 +36,8 @@
+ #include
 #include
 #include
- #include
 +#include
 +#include
- #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
- #include
+ #ifdef HAVE_SYS_SYSMACROS_H
+ #include
 #endif
 @@ -252,6 +254,52 @@ int main(int argc, char *argv[])
 if (needs_root_rights == 0 || (total_cards && kms_cards == total_cards)) {
diff --git a/xorg-server-1.19.3.tar.bz2 b/xorg-server-1.19.3.tar.bz2
deleted file mode 100644
index 32ef153..0000000
--- a/xorg-server-1.19.3.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98
-size 6050221
diff --git a/xorg-server-1.19.4.tar.bz2 b/xorg-server-1.19.4.tar.bz2
new file mode 100644
index 0000000..b16de19
--- /dev/null
+++ b/xorg-server-1.19.4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aa758acea91deaf1f95069ddc5ea3818e13675fb14fef40ad1b3d0b2bf03c9a8
+size 5962834
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index c7295d4..2dfe63e 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Oct 5 12:24:40 UTC 2017 - tobias.johannes.klausmann@mni.thm.de
+
+- Update to version 1.19.4:
+ A collection of stability fixes from the development branch, including
+ two minor CVEs (CVE-2017-13721, CVE-2017-13723).
+- Remove upstream patches:
+ + U_Xi-Do-not-try-to-swap-GenericEvent.patch
+ + U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
+ + U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
+ + U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
+- Adapt patches to work with the new release:
+ + u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
+
 -------------------------------------------------------------------
 Thu Aug 31 15:18:20 UTC 2017 - ilya@ilya.pp.ua
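Review bot: The refresh of `u_xorg-wrapper-Drop-supplemental-group-IDs.patch` (outer hunk `@@ -15,13 +15,13 @@`) is not recorded in the `.changes` entry, whose "Adapt patches to work with the new release" list names only `u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch`; I would add a second item, `+ u_xorg-wrapper-Drop-supplemental-group-IDs.patch`, under it. The lines following the two added `#include` lines changed from the `__FreeBSD__` block to `#ifdef HAVE_SYS_SYSMACROS_H`, so this looks like a pure context refresh against 1.19.4, but that is inferred from the context lines only. Because the patch, going by its name, changes how xorg-wrapper handles supplemental group IDs, it is worth confirming from the build log that both inner hunks (`@@ -36,6 +36,8 @@` and `@@ -252,6 +254,52 @@`) apply without fuzz or offset. The body of the second inner hunk is outside this diff.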
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 97d8df0..228ae66 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -41,7 +41,7 @@
 %endif
 Name: xorg-x11-server
-Version: 1.19.3
+Version: 1.19.4
 Release: 0
 Url: http://xorg.freedesktop.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -205,10 +205,6 @@ Patch208: u_Panning-Set-panning-state-in-xf86RandR12ScreenSetSize.patch
 Patch209: u_pci-primary-Fix-up-primary-PCI-device-detection-for-the-platfrom-bus.patch
 Patch210: u_os-connections-Check-for-stale-FDs.patch
-Patch211: U_Xi-Do-not-try-to-swap-GenericEvent.patch
-Patch212: U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
-Patch213: U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
-Patch214: U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
 Patch215: u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
 Patch1000: n_xserver-optimus-autoconfig-hack.patch
@@ -343,10 +339,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 ### not applicable anymore
 #%patch210 -p1
-%patch211 -p1
-%patch212 -p1
-%patch213 -p1
-%patch214 -p1
 %patch215 -p1
 ### disabled for now