Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libX11 for openSUSE:Factory checked in at 2023-07-19 19:09:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libX11 (Old) and /work/SRC/openSUSE:Factory/.libX11.new.5570 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libX11" Wed Jul 19 19:09:37 2023 rev:49 rq:1098898 version:1.8.6 Changes: -------- --- /work/SRC/openSUSE:Factory/libX11/libX11.changes 2023-06-17 22:20:21.127551971 +0200 +++ /work/SRC/openSUSE:Factory/.libX11.new.5570/libX11.changes 2023-07-19 19:09:38.368217120 +0200 @@ -1,0 +2,14 @@ +Sat Jul 15 14:44:18 UTC 2023 - Dirk Müller <dmuel...@suse.com> + +- update to 1.8.6: + * InitExt.c: Add bounds checks for extension request, + event, & error codes + * Fixes CVE-2023-3138: X servers could return values from + XQueryExtension that would cause Xlib to write entries + out-of-bounds of the arrays to store them, though this + would only overwrite other parts of the Display + struct, not outside the bounds allocated for that + structure. +- drop U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch (upstream) + +------------------------------------------------------------------- Old: ---- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch libX11-1.8.5.tar.xz New: ---- libX11-1.8.6.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libX11.spec ++++++ --- /var/tmp/diff_new_pack.K0KrvI/_old 2023-07-19 19:09:39.816225589 +0200 +++ /var/tmp/diff_new_pack.K0KrvI/_new 2023-07-19 19:09:39.820225612 +0200 @@ -17,7 +17,7 @@ Name: libX11 -Version: 1.8.5 +Version: 1.8.6 Release: 0 Summary: Core X11 protocol client library License: MIT @@ -32,7 +32,6 @@ # PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales Patch2: en-locales.diff Patch3: u_no-longer-crash-in-XVisualIDFromVisual.patch -Patch1212102: U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch BuildRequires: fdupes BuildRequires: libtool BuildRequires: pkgconfig 
@@ -136,7 +135,6 @@ %patch1 %patch2 %patch3 -p1 -%patch1212102 -p1 %build %configure \ ++++++ libX11-1.8.5.tar.xz -> libX11-1.8.6.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libX11-1.8.5/ChangeLog new/libX11-1.8.6/ChangeLog --- old/libX11-1.8.5/ChangeLog 2023-06-01 03:16:48.000000000 +0200 +++ new/libX11-1.8.6/ChangeLog 2023-06-15 18:28:37.000000000 +0200 @@ -1,3 +1,25 @@ +commit 695e90ad26f632feb0f58ad94882fb3a263bf114 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Thu Jun 15 09:14:48 2023 -0700 + + libX11 1.8.6 + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 304a654a0d57bf0f00d8998185f0360332cfa36c +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Jun 10 16:30:07 2023 -0700 + + InitExt.c: Add bounds checks for extension request, event, & error codes + + Fixes CVE-2023-3138: X servers could return values from XQueryExtension + that would cause Xlib to write entries out-of-bounds of the arrays to + store them, though this would only overwrite other parts of the Display + struct, not outside the bounds allocated for that structure. + + Reported-by: Gregory James DUCK <gjd...@gmail.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + commit 71b08b8af20474bb704a11affaa8ea39b06d5ddf Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Wed May 31 17:45:40 2023 -0700 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libX11-1.8.5/README.md new/libX11-1.8.6/README.md --- old/libX11-1.8.5/README.md 2023-06-01 03:16:22.000000000 +0200 +++ new/libX11-1.8.6/README.md 2023-06-15 18:28:10.000000000 +0200 
@@ -31,6 +31,10 @@ https://www.x.org/wiki/Development/Documentation/SubmittingPatches +## Release 1.8.6 + + * Add bounds checks in InitExt.c (CVE-2023-3138) + ## Release 1.8.5 * autoconf & libtool updates (!187, !188) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libX11-1.8.5/configure new/libX11-1.8.6/configure --- old/libX11-1.8.5/configure 2023-06-01 03:16:31.000000000 +0200 +++ new/libX11-1.8.6/configure 2023-06-15 18:28:19.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for libX11 1.8.5. +# Generated by GNU Autoconf 2.71 for libX11 1.8.6. # # Report bugs to <https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues>. # @@ -682,8 +682,8 @@ # Identity of this package. PACKAGE_NAME='libX11' PACKAGE_TARNAME='libX11' -PACKAGE_VERSION='1.8.5' -PACKAGE_STRING='libX11 1.8.5' +PACKAGE_VERSION='1.8.6' +PACKAGE_STRING='libX11 1.8.6' PACKAGE_BUGREPORT='https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues' PACKAGE_URL='' @@ -1551,7 +1551,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libX11 1.8.5 to adapt to many kinds of systems. +\`configure' configures libX11 1.8.6 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1622,7 +1622,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libX11 1.8.5:";; + short | recursive ) echo "Configuration of libX11 1.8.6:";; esac cat <<\_ACEOF @@ -1794,7 +1794,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libX11 configure 1.8.5 +libX11 configure 1.8.6 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. 
@@ -2262,7 +2262,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libX11 $as_me 1.8.5, which was +It was created by libX11 $as_me 1.8.6, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -4910,7 +4910,7 @@ # Define the identity of the package. PACKAGE='libX11' - VERSION='1.8.5' + VERSION='1.8.6' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -23676,7 +23676,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libX11 $as_me 1.8.5, which was +This file was extended by libX11 $as_me 1.8.6, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23744,7 +23744,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -libX11 config.status 1.8.5 +libX11 config.status 1.8.6 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libX11-1.8.5/configure.ac new/libX11-1.8.6/configure.ac --- old/libX11-1.8.5/configure.ac 2023-06-01 03:16:22.000000000 +0200 +++ new/libX11-1.8.6/configure.ac 2023-06-15 18:28:10.000000000 +0200 @@ -1,7 +1,7 @@ # Initialize Autoconf AC_PREREQ([2.70]) -AC_INIT([libX11], [1.8.5], +AC_INIT([libX11], [1.8.6], [https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues], [libX11]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([src/config.h include/X11/XlibConf.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libX11-1.8.5/src/InitExt.c new/libX11-1.8.6/src/InitExt.c --- old/libX11-1.8.5/src/InitExt.c 2023-06-01 03:16:22.000000000 +0200 +++ new/libX11-1.8.6/src/InitExt.c 2023-06-15 18:28:10.000000000 +0200 
@@ -33,6 +33,18 @@ #include <X11/Xos.h> #include <stdio.h> +/* The X11 protocol spec reserves events 64 through 127 for extensions */ +#ifndef LastExtensionEvent +#define LastExtensionEvent 127 +#endif + +/* The X11 protocol spec reserves requests 128 through 255 for extensions */ +#ifndef LastExtensionRequest +#define FirstExtensionRequest 128 +#define LastExtensionRequest 255 +#endif + + /* * This routine is used to link a extension in so it will be called * at appropriate times. @@ -242,6 +254,12 @@ WireToEventType proc) /* routine to call when converting event */ { register WireToEventType oldproc; + if (event_number < 0 || + event_number > LastExtensionEvent) { + fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", + event_number); + return (WireToEventType)_XUnknownWireEvent; + } if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; LockDisplay (dpy); oldproc = dpy->event_vec[event_number]; @@ -263,6 +281,12 @@ ) { WireToEventCookieType oldproc; + if (extension < FirstExtensionRequest || + extension > LastExtensionRequest) { + fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", + extension); + return (WireToEventCookieType)_XUnknownWireEventCookie; + } if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; LockDisplay (dpy); oldproc = dpy->generic_event_vec[extension & 0x7F]; @@ -284,6 +308,12 @@ ) { CopyEventCookieType oldproc; + if (extension < FirstExtensionRequest || + extension > LastExtensionRequest) { + fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", + extension); + return (CopyEventCookieType)_XUnknownCopyEventCookie; + } if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; LockDisplay (dpy); oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; 
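Review bot: The new `#ifndef LastExtensionRequest` block guards two macros with a single test, so a header that already defines `LastExtensionRequest` but not `FirstExtensionRequest` would leave `FirstExtensionRequest` undefined and break the opcode range checks further down that depend on it; give each macro its own guard, `#ifndef FirstExtensionRequest` / `#define FirstExtensionRequest 128` / `#endif` next to the existing one. The comment above `LastExtensionEvent` states that events 64 through 127 are reserved for extensions, yet no `FirstExtensionEvent` is defined, so the event setters later in the file can only enforce the upper bound; if leaving the lower bound open is deliberate the comment should say so. `LastExtensionError`, used by the error setter in a later hunk, is not defined here and presumably comes from X.h — worth confirming it is in scope wherever this file is built.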
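Review bot: The guard added to XESetWireToEvent rejects only negative values and anything above `LastExtensionEvent`, so a server-supplied `first_event` in the core range 0–63 is still accepted and lets an extension replace the converters for core events, which the file-level comment describes as reserved for the core protocol. If that is intentional, a one-line comment such as `/* slots below 64 (core events) are deliberately accepted so extensions can override them */` will keep the next reader from tightening it; otherwise add a `FirstExtensionEvent` define and test `event_number < FirstExtensionEvent`. On the invalid path the function returns `_XUnknownWireEvent`, which is also the normal default, so callers registering `first_event + i` for several events get no distinguishable failure value beyond the stderr message — acceptable for a memory-safety fix, but worth stating in the function comment. The same observations apply to XESetEventToWire in the next hunk, and the body of XESetWireToEvent begins and ends outside this hunk.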
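Review bot: With the new range check guaranteeing `extension` is in 128–255, the `extension & 0x7F` index on the line after `LockDisplay (dpy)` is exactly `extension - FirstExtensionRequest`, and writing it that way, `oldproc = dpy->generic_event_vec[extension - FirstExtensionRequest];`, makes the opcode-to-slot translation explicit instead of looking like a mask that used to alias out-of-range opcodes onto valid slots. If the mask is kept for symmetry with other code, a short comment like `/* opcode 128..255 maps to slot 0..127 */` would serve the same purpose. The same applies to XESetCopyEventCookie in the following hunk; both function bodies continue outside their hunks.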
@@ -305,6 +335,12 @@ EventToWireType proc) /* routine to call when converting event */ { register EventToWireType oldproc; + if (event_number < 0 || + event_number > LastExtensionEvent) { + fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", + event_number); + return (EventToWireType)_XUnknownNativeEvent; + } if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; LockDisplay (dpy); oldproc = dpy->wire_vec[event_number]; @@ -325,6 +361,12 @@ WireToErrorType proc) /* routine to call when converting error */ { register WireToErrorType oldproc = NULL; + if (error_number < 0 || + error_number > LastExtensionError) { + fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", + error_number); + return (WireToErrorType)_XDefaultWireError; + } if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; LockDisplay (dpy); if (!dpy->error_vec) {
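Review bot: The guard in XESetWireToError compares against `LastExtensionError`, which unlike the event and request limits is not defined by this patch and presumably comes from X.h, where `FirstExtensionError` is also available; either use `error_number < FirstExtensionError` for the lower bound to match the opcode checks, or add a comment explaining why core error codes 0–127 are accepted here. Placing the check before the `if (!dpy->error_vec)` allocation is the right order, since the table is then only allocated for an index that will fit, but the allocation size is outside this hunk, so confirm `error_vec` is sized `LastExtensionError + 1`. XESetWireToError's body continues past the end of the hunk.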