[update] libXdmcp 1.1.3

2019-07-14 Thread Matthieu Herrb
Last update of the series for now.

ok? comments ?

Index: ChangeLog
===
RCS file: /cvs/OpenBSD/xenocara/lib/libXdmcp/ChangeLog,v
retrieving revision 1.5
diff -u -r1.5 ChangeLog
--- ChangeLog   6 Apr 2015 13:43:52 -   1.5
+++ ChangeLog   14 Jul 2019 21:09:27 -
@@ -1,3 +1,104 @@
+commit 618b3ba5f826d930df2ca6a6a0ce212fa75cef42
+Author: Alan Coopersmith 
+Date:   Sat Mar 16 09:19:02 2019 -0700
+
+libXdmcp 1.1.3
+
+Signed-off-by: Alan Coopersmith 
+
+commit 7d4c69183b9838c684c1bcedb4e6184301d2816f
+Author: Alan Coopersmith 
+Date:   Mon Nov 19 21:51:24 2018 -0800
+
+Update README for gitlab migration
+
+Signed-off-by: Alan Coopersmith 
+
+commit 6d1aee0310001eca8f6ded9814a2a70b3a774896
+Author: Benjamin Tissoires 
+Date:   Thu May 4 11:12:13 2017 +0200
+
+Fix compilation error when arc4random_buf is not available
+
+Not sure how I missed that, but I did.
+
+Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as
+requested in the previous patch reviews.
+
+Last, getbits() expects an unsigned char, so remove the warning.
+
+Signed-off-by: Benjamin Tissoires 
+Reviewed-by: Peter Hutterer 
+Signed-off-by: Peter Hutterer 
+
+commit 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f
+Author: Benjamin Tissoires 
+Date:   Tue Apr 4 19:13:38 2017 +0200
+
+Use getentropy() if arc4random_buf() is not available
+
+This allows to fix CVE-2017-2625 on Linux platforms without pulling in
+libbsd.
+The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
+For Linux, we need at least a v3.17 kernel. If the recommended
+arc4random_buf() function is not available, emulate it by first trying
+to use getentropy() on a supported glibc and kernel. If the call fails,
+fall back to the current (vulnerable) code.
+
+Signed-off-by: Benjamin Tissoires 
+Reviewed-by: Mark Kettenis 
+Reviewed-by: Alan Coopersmith 
+Signed-off-by: Peter Hutterer 
+
+commit f1bf902c52884e35d48f4d03915f019337f84717
+Author: Mihail Konev 
+Date:   Thu Jan 26 13:52:49 2017 +1000
+
+autogen: add default patch prefix
+
+Signed-off-by: Mihail Konev 
+
+commit 34ac12e5eb93ba1c4685bd25f5d9a25288d2d89e
+Author: Emil Velikov 
+Date:   Mon Mar 9 12:00:52 2015 +
+
+autogen.sh: use quoted string variables
+
+Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
+fall-outs, when they contain space.
+
+Signed-off-by: Emil Velikov 
+Reviewed-by: Peter Hutterer 
+Signed-off-by: Peter Hutterer 
+
+commit 3d813e1a45fb5d1b4b566c35218b9bcf0261b74a
+Author: Peter Hutterer 
+Date:   Tue Jan 24 10:32:07 2017 +1000
+
+autogen.sh: use exec instead of waiting for configure to finish
+
+Syncs the invocation of configure with the one from the server.
+
+Signed-off-by: Peter Hutterer 
+Reviewed-by: Emil Velikov 
+
+commit 5021b93d68c499831ad65a2abf1bfb7e6ed2724f
+Author: Helmut Grohne 
+Date:   Wed Nov 11 22:23:15 2015 +0100
+
+do not use  in xdmcp.xml (Debian bug 761628)
+
+Signed-off-by: Alan Coopersmith 
+
+commit b10f382e3aa2e86cd5a2bc27d6758da55f0ab1f6
+Author: Jon TURNEY 
+Date:   Sat Sep 13 20:28:38 2014 +0100
+
+Link with winsock library for socket functions on MinGW
+
+Signed-off-by: Jon TURNEY 
+Reviewed-by: David Macek 
+
 commit 0c09444d276fbf46a0e8b427a4f6a325d0625742
 Author: Alan Coopersmith 
 Date:   Sat Mar 21 09:39:14 2015 -0700
Index: Key.c
===
RCS file: /cvs/OpenBSD/xenocara/lib/libXdmcp/Key.c,v
retrieving revision 1.3
diff -u -r1.3 Key.c
--- Key.c   6 Apr 2015 13:43:52 -   1.3
+++ Key.c   14 Jul 2019 21:09:27 -
@@ -62,20 +62,41 @@
 #define getpid(x) _getpid(x)
 #endif
 
-void
-XdmcpGenerateKey (XdmAuthKeyPtr key)
-{
 #ifndef HAVE_ARC4RANDOM_BUF
+
+static void
+insecure_getrandom_buf (unsigned char *auth, int len)
+{
 longlowbits, highbits;
 
 srandom ((int)getpid() ^ time((Time_t *)0));
 lowbits = random ();
 highbits = random ();
-getbits (lowbits, key->data);
-getbits (highbits, key->data + 4);
-#else
+getbits (lowbits, auth);
+getbits (highbits, auth + 4);
+}
+
+static void
+arc4random_buf (void *auth, int len)
+{
+intret;
+
+#if HAVE_GETENTROPY
+/* weak emulation of arc4random through the getentropy libc call */
+ret = getentropy (auth, len);
+if (ret == 0)
+   return;
+#endif /* HAVE_GETENTROPY */
+
+insecure_getrandom_buf (auth, len);
+}
+
+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
+
+void
+XdmcpGenerateKey (XdmAuthKeyPtr key)
+{
 arc4random_buf(key->data, 8);
-#endif
 }
 
 int
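Review bot: The fallback at the end of the local `arc4random_buf()` is silent: when `HAVE_GETENTROPY` is unset or `getentropy()` returns non-zero, the key filled in by `XdmcpGenerateKey()` comes from `insecure_getrandom_buf()`, i.e. `random()` seeded with `getpid() ^ time()`, which the ChangeLog entry in this same patch calls the vulnerable code for CVE-2017-2625. Because `XdmcpGenerateKey()` returns void, nothing tells the caller the key is guessable; at minimum I would mark the call with `/* SECURITY: predictable key (pid ^ time seed); reached only if getentropy() is missing or failed */`, and consider making this path a build-time opt-in rather than a runtime default. `insecure_getrandom_buf()` also ignores `len` and appears to write a fixed 8 bytes through the two `getbits()` calls, which is only right for the single `arc4random_buf(key->data, 8)` caller, so either drop the parameter or add `/* always fills exactly 8 bytes; len is ignored */`. `int ret` is declared outside the `#if HAVE_GETENTROPY` block and is unused when that macro is off; `if (getentropy (auth, len) == 0) return;` removes the variable. The same Key.c hunk is repeated in the second message on this page and these points apply there as well.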
Index: Makefile.am
===
RCS file: /cvs/OpenBSD/xenocara/lib/libXdmcp/Makefile.am,v
retrieving revision 1.4
diff -u -r1.4 

update: libXdmcp 1.1.3

2019-06-09 Thread Matthieu Herrb
Hi again,

The patch below updates libXdmcp to version 1.1.3. No functional
changes.

ok ?

Index: ChangeLog
===
RCS file: /cvs/OpenBSD/xenocara/lib/libXdmcp/ChangeLog,v
retrieving revision 1.5
diff -u -p -u -r1.5 ChangeLog
--- ChangeLog   6 Apr 2015 13:43:52 -   1.5
+++ ChangeLog   17 Mar 2019 10:21:28 -
@@ -1,3 +1,104 @@
+commit 618b3ba5f826d930df2ca6a6a0ce212fa75cef42
+Author: Alan Coopersmith 
+Date:   Sat Mar 16 09:19:02 2019 -0700
+
+libXdmcp 1.1.3
+
+Signed-off-by: Alan Coopersmith 
+
+commit 7d4c69183b9838c684c1bcedb4e6184301d2816f
+Author: Alan Coopersmith 
+Date:   Mon Nov 19 21:51:24 2018 -0800
+
+Update README for gitlab migration
+
+Signed-off-by: Alan Coopersmith 
+
+commit 6d1aee0310001eca8f6ded9814a2a70b3a774896
+Author: Benjamin Tissoires 
+Date:   Thu May 4 11:12:13 2017 +0200
+
+Fix compilation error when arc4random_buf is not available
+
+Not sure how I missed that, but I did.
+
+Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as
+requested in the previous patch reviews.
+
+Last, getbits() expects an unsigned char, so remove the warning.
+
+Signed-off-by: Benjamin Tissoires 
+Reviewed-by: Peter Hutterer 
+Signed-off-by: Peter Hutterer 
+
+commit 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f
+Author: Benjamin Tissoires 
+Date:   Tue Apr 4 19:13:38 2017 +0200
+
+Use getentropy() if arc4random_buf() is not available
+
+This allows to fix CVE-2017-2625 on Linux platforms without pulling in
+libbsd.
+The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
+For Linux, we need at least a v3.17 kernel. If the recommended
+arc4random_buf() function is not available, emulate it by first trying
+to use getentropy() on a supported glibc and kernel. If the call fails,
+fall back to the current (vulnerable) code.
+
+Signed-off-by: Benjamin Tissoires 
+Reviewed-by: Mark Kettenis 
+Reviewed-by: Alan Coopersmith 
+Signed-off-by: Peter Hutterer 
+
+commit f1bf902c52884e35d48f4d03915f019337f84717
+Author: Mihail Konev 
+Date:   Thu Jan 26 13:52:49 2017 +1000
+
+autogen: add default patch prefix
+
+Signed-off-by: Mihail Konev 
+
+commit 34ac12e5eb93ba1c4685bd25f5d9a25288d2d89e
+Author: Emil Velikov 
+Date:   Mon Mar 9 12:00:52 2015 +
+
+autogen.sh: use quoted string variables
+
+Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
+fall-outs, when they contain space.
+
+Signed-off-by: Emil Velikov 
+Reviewed-by: Peter Hutterer 
+Signed-off-by: Peter Hutterer 
+
+commit 3d813e1a45fb5d1b4b566c35218b9bcf0261b74a
+Author: Peter Hutterer 
+Date:   Tue Jan 24 10:32:07 2017 +1000
+
+autogen.sh: use exec instead of waiting for configure to finish
+
+Syncs the invocation of configure with the one from the server.
+
+Signed-off-by: Peter Hutterer 
+Reviewed-by: Emil Velikov 
+
+commit 5021b93d68c499831ad65a2abf1bfb7e6ed2724f
+Author: Helmut Grohne 
+Date:   Wed Nov 11 22:23:15 2015 +0100
+
+do not use  in xdmcp.xml (Debian bug 761628)
+
+Signed-off-by: Alan Coopersmith 
+
+commit b10f382e3aa2e86cd5a2bc27d6758da55f0ab1f6
+Author: Jon TURNEY 
+Date:   Sat Sep 13 20:28:38 2014 +0100
+
+Link with winsock library for socket functions on MinGW
+
+Signed-off-by: Jon TURNEY 
+Reviewed-by: David Macek 
+
 commit 0c09444d276fbf46a0e8b427a4f6a325d0625742
 Author: Alan Coopersmith 
 Date:   Sat Mar 21 09:39:14 2015 -0700
Index: Key.c
===
RCS file: /cvs/OpenBSD/xenocara/lib/libXdmcp/Key.c,v
retrieving revision 1.3
diff -u -p -u -r1.3 Key.c
--- Key.c   6 Apr 2015 13:43:52 -   1.3
+++ Key.c   17 Mar 2019 10:21:28 -
@@ -62,20 +62,41 @@ getbits (long data, unsigned char *dst)
 #define getpid(x) _getpid(x)
 #endif
 
-void
-XdmcpGenerateKey (XdmAuthKeyPtr key)
-{
 #ifndef HAVE_ARC4RANDOM_BUF
+
+static void
+insecure_getrandom_buf (unsigned char *auth, int len)
+{
 longlowbits, highbits;
 
 srandom ((int)getpid() ^ time((Time_t *)0));
 lowbits = random ();
 highbits = random ();
-getbits (lowbits, key->data);
-getbits (highbits, key->data + 4);
-#else
+getbits (lowbits, auth);
+getbits (highbits, auth + 4);
+}
+
+static void
+arc4random_buf (void *auth, int len)
+{
+intret;
+
+#if HAVE_GETENTROPY
+/* weak emulation of arc4random through the getentropy libc call */
+ret = getentropy (auth, len);
+if (ret == 0)
+   return;
+#endif /* HAVE_GETENTROPY */
+
+insecure_getrandom_buf (auth, len);
+}
+
+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
+
+void
+XdmcpGenerateKey (XdmAuthKeyPtr key)
+{
 arc4random_buf(key->data, 8);
-#endif
 }
 
 int
Index: Makefile.am
===
RCS file: