Accepting request 531711 from home:tobijk:X11:XOrg

- Update to version 1.19.4: A collection of stability fixes from the development branch, including two minor CVEs (CVE-2017-13721, CVE-2017-13723). - Remove upstream patches: + U_Xi-Do-not-try-to-swap-GenericEvent.patch + U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch + U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch + U_dix-Disallow-GenericEvent-in-SendEvent-request.patch - Adapt patches to work with the new release: + u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch OBS-URL: https://build.opensuse.org/request/show/531711 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=676
2017-10-05 13:56:05 +00:00 · 2017-10-05 13:56:05 +00:00 · 0c00d6fdc4
commit 0c00d6fdc4
parent d43a2fa0a3
10 changed files with 23 additions and 218 deletions
--- a/U_Xi-Do-not-try-to-swap-GenericEvent.patch
+++ b/U_Xi-Do-not-try-to-swap-GenericEvent.patch
@ -1,44 +0,0 @@
 Author: Michal Srb <msrb@suse.com>
 Subject: Xi: Do not try to swap GenericEvent.
 Git-commit: ba336b24052122b136486961c82deac76bbde455
 Patch-mainline: Upstream
 References: bnc#1035283 CVE-2017-10971
 The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
 it is assuming that the event has fixed size and gives the swapping function
 xEvent-sized buffer.
 A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
 Signed-off-by: Michal Srb <msrb@suse.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 Xi/sendexev.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/Xi/sendexev.c b/Xi/sendexev.c
 index 5e63bfcca..5c2e0fc56 100644
 --- a/Xi/sendexev.c
 +++ b/Xi/sendexev.c
@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
     eventP = (xEvent *) &stuff[1];
     for (i = 0; i < stuff->num_events; i++, eventP++) {
 +        if (eventP->u.u.type == GenericEvent) {
 +            client->errorValue = eventP->u.u.type;
 +            return BadValue;
 +        }
 +
         proc = EventSwapVector[eventP->u.u.type & 0177];
 -        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
 +        /* no swapping proc; invalid event type? */
 +        if (proc == NotImplemented) {
 +            client->errorValue = eventP->u.u.type;
             return BadValue;
 +        }
         (*proc) (eventP, &eventT);
         *eventP = eventT;
     }
 -- 
 2.12.0
--- a/U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
+++ b/U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
@ -1,49 +0,0 @@
 Author: Michal Srb <msrb@suse.com>
 Subject: Xi: Verify all events in ProcXSendExtensionEvent.
 Git-commit: 8caed4df36b1f802b4992edcfd282cbeeec35d9d
 Patch-mainline: Upstream
 References: bnc#1035283 CVE-2017-10971
 The requirement is that events have type in range
 EXTENSION_EVENT_BASE..lastEvent, but it was tested
 only for first event of all.
 Signed-off-by: Michal Srb <msrb@suse.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 Xi/sendexev.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
 diff --git a/Xi/sendexev.c b/Xi/sendexev.c
 index 1cf118ab6..5e63bfcca 100644
 --- a/Xi/sendexev.c
 +++ b/Xi/sendexev.c
@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
 int
 ProcXSendExtensionEvent(ClientPtr client)
 {
 -    int ret;
 +    int ret, i;
     DeviceIntPtr dev;
     xEvent *first;
     XEventClass *list;
@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
     /* The client's event type must be one defined by an extension. */
     first = ((xEvent *) &stuff[1]);
 -    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
 -          (first->u.u.type < lastEvent))) {
 -        client->errorValue = first->u.u.type;
 -        return BadValue;
 +    for (i = 0; i < stuff->num_events; i++) {
 +        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
 +            (first[i].u.u.type < lastEvent))) {
 +            client->errorValue = first[i].u.u.type;
 +            return BadValue;
 +        }
     }
     list = (XEventClass *) (first + stuff->num_events);
 -- 
 2.12.0
--- a/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
+++ b/U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
@ -1,38 +0,0 @@
 Author: Michal Srb <msrb@suse.com>
 Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
 Git-commit: 05442de962d3dc624f79fc1a00eca3ffc5489ced
 Patch-mainline: Upstream
 References: bnc#1035283 CVE-2017-10972
 Make sure that the xEvent eventT is initialized with zeros, the same way as
 in SProcSendEvent.
 Some event swapping functions do not overwrite all 32 bytes of xEvent
 structure, for example XSecurityAuthorizationRevoked. Two cooperating
 clients, one swapped and the other not, can send
 XSecurityAuthorizationRevoked event to each other to retrieve old stack data
 from X server. This can be potentialy misused to go around ASLR or
 stack-protector.
 Signed-off-by: Michal Srb <msrb@suse.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 Xi/sendexev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Xi/sendexev.c b/Xi/sendexev.c
 index 11d82029f..1cf118ab6 100644
 --- a/Xi/sendexev.c
 +++ b/Xi/sendexev.c
@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
 {
     CARD32 *p;
     int i;
 -    xEvent eventT;
 +    xEvent eventT = { .u.u.type = 0 };
     xEvent *eventP;
     EventSwapPtr proc;
 -- 
 2.12.0
--- a/U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
+++ b/U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
@ -1,70 +0,0 @@
 Author: Michal Srb <msrb@suse.com>
 Subject: dix: Disallow GenericEvent in SendEvent request.
 Git-commit: 215f894965df5fb0bb45b107d84524e700d2073c
 Patch-mainline: Upstream
 References: bnc#1035283 CVE-2017-10971
 The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
 no less. Both ProcSendEvent and SProcSendEvent verify that the received data
 exactly match the request size. However nothing stops the client from passing
 in event with xEvent::type = GenericEvent and any value of
 xGenericEvent::length.
 In the case of ProcSendEvent, the event will be eventually passed to
 WriteEventsToClient which will see that it is Generic event and copy the
 arbitrary length from the receive buffer (and possibly past it) and send it to
 the other client. This allows clients to copy unitialized heap memory out of X
 server or to crash it.
 In case of SProcSendEvent, it will attempt to swap the incoming event by
 calling a swapping function from the EventSwapVector array. The swapped event
 is written to target buffer, which in this case is local xEvent variable. The
 xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
 expect that the target buffer has size matching the size of the source
 GenericEvent. This allows clients to cause stack buffer overflows.
 Signed-off-by: Michal Srb <msrb@suse.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 dix/events.c  | 6 ++++++
 dix/swapreq.c | 7 +++++++
 2 files changed, 13 insertions(+)
 diff --git a/dix/events.c b/dix/events.c
 index cc26ba5db..3faad53a8 100644
 --- a/dix/events.c
 +++ b/dix/events.c
@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
         client->errorValue = stuff->event.u.u.type;
         return BadValue;
     }
 +    /* Generic events can have variable size, but SendEvent request holds
 +       exactly 32B of event data. */
 +    if (stuff->event.u.u.type == GenericEvent) {
 +        client->errorValue = stuff->event.u.u.type;
 +        return BadValue;
 +    }
     if (stuff->event.u.u.type == ClientMessage &&
         stuff->event.u.u.detail != 8 &&
         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
 diff --git a/dix/swapreq.c b/dix/swapreq.c
 index 719e9b81c..67850593b 100644
 --- a/dix/swapreq.c
 +++ b/dix/swapreq.c
@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
     swapl(&stuff->destination);
     swapl(&stuff->eventMask);
 +    /* Generic events can have variable size, but SendEvent request holds
 +       exactly 32B of event data. */
 +    if (stuff->event.u.u.type == GenericEvent) {
 +        client->errorValue = stuff->event.u.u.type;
 +        return BadValue;
 +    }
 +
     /* Swap event */
     proc = EventSwapVector[stuff->event.u.u.type & 0177];
     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
 -- 
 2.12.0
--- a/u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
+++ b/u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
@ -32,8 +32,8 @@ Index: xorg-server-1.19.3/configure.ac
 AC_HEADER_DIRENT
 AC_HEADER_STDC
 AC_CHECK_HEADERS([fcntl.h stdlib.h string.h unistd.h dlfcn.h stropts.h \
- fnmatch.h sys/mkdev.h sys/utsname.h])
+- fnmatch.h sys/mkdev.h sys/sysmacros.h sys/utsname.h])
-+ fnmatch.h sys/mkdev.h sys/utsname.h sys/syscall.h])
+ fnmatch.h sys/mkdev.h sys/sysmacros.h sys/utsname.h sys/syscall.h])
 dnl Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
--- a/u_xorg-wrapper-Drop-supplemental-group-IDs.patch
+++ b/u_xorg-wrapper-Drop-supplemental-group-IDs.patch
@ -15,13 +15,13 @@ index d930962..64a43c4 100644
 --- a/hw/xfree86/xorg-wrapper.c
 +++ b/hw/xfree86/xorg-wrapper.c
@@ -36,6 +36,8 @@
 #include <string.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 +#include <pwd.h>
 +#include <grp.h>
- #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
+ #ifdef HAVE_SYS_SYSMACROS_H
- #include <sys/consio.h>
+ #include <sys/sysmacros.h>
 #endif
@@ -252,6 +254,52 @@ int main(int argc, char *argv[])
     if (needs_root_rights == 0 || (total_cards && kms_cards == total_cards)) {
--- a/xorg-server-1.19.3.tar.bz2
+++ b/xorg-server-1.19.3.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98
 size 6050221
--- a/xorg-server-1.19.4.tar.bz2
+++ b/xorg-server-1.19.4.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:aa758acea91deaf1f95069ddc5ea3818e13675fb14fef40ad1b3d0b2bf03c9a8
 size 5962834
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@ -1,3 +1,17 @@
 -------------------------------------------------------------------
 Thu Oct  5 12:24:40 UTC 2017 - tobias.johannes.klausmann@mni.thm.de
 - Update to version 1.19.4:
  A collection of stability fixes from the development branch, including
  two minor CVEs (CVE-2017-13721, CVE-2017-13723).
 - Remove upstream patches:
  + U_Xi-Do-not-try-to-swap-GenericEvent.patch
  + U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
  + U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
  + U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
 - Adapt patches to work with the new release:
  + u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
 -------------------------------------------------------------------
 Thu Aug 31 15:18:20 UTC 2017 - ilya@ilya.pp.ua
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -41,7 +41,7 @@
 %endif
 Name:           xorg-x11-server
-Version:        1.19.3
+Version:        1.19.4
 Release:        0
 Url:            http://xorg.freedesktop.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -205,10 +205,6 @@ Patch208:       u_Panning-Set-panning-state-in-xf86RandR12ScreenSetSize.patch
 Patch209:       u_pci-primary-Fix-up-primary-PCI-device-detection-for-the-platfrom-bus.patch
 Patch210:       u_os-connections-Check-for-stale-FDs.patch
 Patch211:       U_Xi-Do-not-try-to-swap-GenericEvent.patch
 Patch212:       U_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
 Patch213:       U_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
 Patch214:       U_dix-Disallow-GenericEvent-in-SendEvent-request.patch
 Patch215:       u_Use-better-fallbacks-to-generate-cookies-if-arc4rand.patch
 Patch1000:      n_xserver-optimus-autoconfig-hack.patch
@ -343,10 +339,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 ### not applicable anymore
 #%patch210 -p1
 %patch211 -p1
 %patch212 -p1
 %patch213 -p1
 %patch214 -p1
 %patch215 -p1
 ### disabled for now