Hello community,

here is the log from the commit of package libXfixes for openSUSE:Factory 
checked in at 2016-11-05 21:21:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libXfixes (Old)
 and      /work/SRC/openSUSE:Factory/.libXfixes.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libXfixes"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libXfixes/libXfixes.changes      2016-06-03 
16:36:09.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libXfixes.new/libXfixes.changes 2016-11-05 
21:21:27.000000000 +0100
@@ -1,0 +2,6 @@
+Sat Oct 29 00:08:19 UTC 2016 - [email protected]
+
+- Update to version 5.0.3:
+  + fix Integer overflow on illegal server response
+
+-------------------------------------------------------------------

Old:
----
  libXfixes-5.0.2.tar.bz2

New:
----
  libXfixes-5.0.3.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libXfixes.spec ++++++
--- /var/tmp/diff_new_pack.eS0qmJ/_old  2016-11-05 21:21:28.000000000 +0100
+++ /var/tmp/diff_new_pack.eS0qmJ/_new  2016-11-05 21:21:28.000000000 +0100
@@ -18,7 +18,7 @@
 
 Name:           libXfixes
 %define lname  libXfixes3
-Version:        5.0.2
+Version:        5.0.3
 Release:        0
 Summary:        X11 miscellaneous "fixes" extension library
 License:        MIT
@@ -44,8 +44,8 @@
 
 %package -n %lname
 Summary:        X11 miscellaneous "fixes" extension library
-Group:          System/Libraries
 # O/P added for 12.2
+Group:          System/Libraries
 Provides:       xorg-x11-libXfixes = 7.6_%version-%release
 Obsoletes:      xorg-x11-libXfixes < 7.6_%version-%release
 

++++++ libXfixes-5.0.2.tar.bz2 -> libXfixes-5.0.3.tar.bz2 ++++++
++++ 27731 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libXfixes-5.0.2/ChangeLog new/libXfixes-5.0.3/ChangeLog
--- old/libXfixes-5.0.2/ChangeLog       2016-05-26 03:54:48.000000000 +0200
+++ new/libXfixes-5.0.3/ChangeLog       2016-10-04 22:21:50.000000000 +0200
@@ -1,3 +1,27 @@
+commit 84df9cb81cc31bbed27ba241a23ae04f61da57db
+Author: Matthieu Herrb <[email protected]>
+Date:   Tue Oct 4 21:11:55 2016 +0200
+
+    libXfixes 5.0.3
+    
+    Signed-off-by: Matthieu Herrb <[email protected]>
+
+commit 61c1039ee23a2d1de712843bed3480654d7ef42e
+Author: Tobias Stoeckmann <[email protected]>
+Date:   Sun Sep 25 22:38:44 2016 +0200
+
+    Integer overflow on illegal server response
+    
+    The 32 bit field "rep.length" is not checked for validity, which allows
+    an integer overflow on 32 bit systems.
+    
+    A malicious server could send INT_MAX as length, which gets multiplied
+    by the size of XRectangle. In that case the client won't read the whole
+    data from server, getting out of sync.
+    
+    Signed-off-by: Tobias Stoeckmann <[email protected]>
+    Reviewed-by: Matthieu Herrb <[email protected]>
+
 commit b2406ed9031991b7ddc5b76b308623afc8a590c5
 Author: Matt Turner <[email protected]>
 Date:   Wed May 25 18:53:28 2016 -0700
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libXfixes-5.0.2/INSTALL new/libXfixes-5.0.3/INSTALL
--- old/libXfixes-5.0.2/INSTALL 2016-05-26 03:54:48.000000000 +0200
+++ new/libXfixes-5.0.3/INSTALL 2016-10-04 22:21:50.000000000 +0200
@@ -1,13 +1,11 @@
 Installation Instructions
 *************************
 
-Copyright (C) 1994-1996, 1999-2002, 2004-2011 Free Software Foundation,
-Inc.
+Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005,
+2006, 2007, 2008 Free Software Foundation, Inc.
 
-   Copying and distribution of this file, with or without modification,
-are permitted in any medium without royalty provided the copyright
-notice and this notice are preserved.  This file is offered as-is,
-without warranty of any kind.
+   This file is free documentation; the Free Software Foundation gives
+unlimited permission to copy, distribute and modify it.
 
 Basic Installation
 ==================
@@ -15,11 +13,7 @@
    Briefly, the shell commands `./configure; make; make install' should
 configure, build, and install this package.  The following
 more-detailed instructions are generic; see the `README' file for
-instructions specific to this package.  Some packages provide this
-`INSTALL' file but do not implement all of the features documented
-below.  The lack of an optional feature in a given package is not
-necessarily a bug.  More recommendations for GNU packages can be found
-in *note Makefile Conventions: (standards)Makefile Conventions.
+instructions specific to this package.
 
    The `configure' shell script attempts to guess correct values for
 various system-dependent variables used during compilation.  It uses
@@ -48,7 +42,7 @@
 you want to change it or regenerate `configure' using a newer version
 of `autoconf'.
 
-   The simplest way to compile this package is:
+The simplest way to compile this package is:
 
   1. `cd' to the directory containing the package's source code and type
      `./configure' to configure the package for your system.
@@ -59,22 +53,12 @@
   2. Type `make' to compile the package.
 
   3. Optionally, type `make check' to run any self-tests that come with
-     the package, generally using the just-built uninstalled binaries.
+     the package.
 
   4. Type `make install' to install the programs and any data files and
-     documentation.  When installing into a prefix owned by root, it is
-     recommended that the package be configured and built as a regular
-     user, and only the `make install' phase executed with root
-     privileges.
-
-  5. Optionally, type `make installcheck' to repeat any self-tests, but
-     this time using the binaries in their final installed location.
-     This target does not install anything.  Running this target as a
-     regular user, particularly if the prior `make install' required
-     root privileges, verifies that the installation completed
-     correctly.
+     documentation.
 
-  6. You can remove the program binaries and object files from the
+  5. You can remove the program binaries and object files from the
      source code directory by typing `make clean'.  To also remove the
      files that `configure' created (so you can compile the package for
      a different kind of computer), type `make distclean'.  There is
@@ -83,15 +67,8 @@
      all sorts of other programs in order to regenerate files that came
      with the distribution.
 
-  7. Often, you can also type `make uninstall' to remove the installed
-     files again.  In practice, not all packages have tested that
-     uninstallation works correctly, even though it is required by the
-     GNU Coding Standards.
-
-  8. Some packages, particularly those that use Automake, provide `make
-     distcheck', which can by used by developers to test that all other
-     targets like `make install' and `make uninstall' work correctly.
-     This target is generally not run by end users.
+  6. Often, you can also type `make uninstall' to remove the installed
+     files again.
 
 Compilers and Options
 =====================
@@ -116,8 +93,7 @@
 own directory.  To do this, you can use GNU `make'.  `cd' to the
 directory where you want the object files and executables to go and run
 the `configure' script.  `configure' automatically checks for the
-source code in the directory that `configure' is in and in `..'.  This
-is known as a "VPATH" build.
+source code in the directory that `configure' is in and in `..'.
 
    With a non-GNU `make', it is safer to compile the package for one
 architecture at a time in the source code directory.  After you have
@@ -144,8 +120,7 @@
    By default, `make install' installs the package's commands under
 `/usr/local/bin', include files under `/usr/local/include', etc.  You
 can specify an installation prefix other than `/usr/local' by giving
-`configure' the option `--prefix=PREFIX', where PREFIX must be an
-absolute file name.
+`configure' the option `--prefix=PREFIX'.
 
    You can specify separate installation prefixes for
 architecture-specific files and architecture-independent files.  If you
@@ -156,46 +131,15 @@
    In addition, if you use an unusual directory layout you can give
 options like `--bindir=DIR' to specify different values for particular
 kinds of files.  Run `configure --help' for a list of the directories
-you can set and what kinds of files go in them.  In general, the
-default for these options is expressed in terms of `${prefix}', so that
-specifying just `--prefix' will affect all of the other directory
-specifications that were not explicitly provided.
-
-   The most portable way to affect installation locations is to pass the
-correct locations to `configure'; however, many packages provide one or
-both of the following shortcuts of passing variable assignments to the
-`make install' command line to change installation locations without
-having to reconfigure or recompile.
-
-   The first method involves providing an override variable for each
-affected directory.  For example, `make install
-prefix=/alternate/directory' will choose an alternate location for all
-directory configuration variables that were expressed in terms of
-`${prefix}'.  Any directories that were specified during `configure',
-but not in terms of `${prefix}', must each be overridden at install
-time for the entire installation to be relocated.  The approach of
-makefile variable overrides for each directory variable is required by
-the GNU Coding Standards, and ideally causes no recompilation.
-However, some platforms have known limitations with the semantics of
-shared libraries that end up requiring recompilation when using this
-method, particularly noticeable in packages that use GNU Libtool.
-
-   The second method involves providing the `DESTDIR' variable.  For
-example, `make install DESTDIR=/alternate/directory' will prepend
-`/alternate/directory' before all installation names.  The approach of
-`DESTDIR' overrides is not required by the GNU Coding Standards, and
-does not work on platforms that have drive letters.  On the other hand,
-it does better at avoiding recompilation issues, and works well even
-when some directory options were not specified in terms of `${prefix}'
-at `configure' time.
-
-Optional Features
-=================
+you can set and what kinds of files go in them.
 
    If the package supports it, you can cause programs to be installed
 with an extra prefix or suffix on their names by giving `configure' the
 option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
 
+Optional Features
+=================
+
    Some packages pay attention to `--enable-FEATURE' options to
 `configure', where FEATURE indicates an optional part of the package.
 They may also pay attention to `--with-PACKAGE' options, where PACKAGE
@@ -208,13 +152,6 @@
 you can use the `configure' options `--x-includes=DIR' and
 `--x-libraries=DIR' to specify their locations.
 
-   Some packages offer the ability to configure how verbose the
-execution of `make' will be.  For these packages, running `./configure
---enable-silent-rules' sets the default to minimal output, which can be
-overridden with `make V=1'; while running `./configure
---disable-silent-rules' sets the default to verbose, which can be
-overridden with `make V=0'.
-
 Particular systems
 ==================
 
@@ -222,15 +159,10 @@
 CC is not installed, it is recommended to use the following options in
 order to use an ANSI C compiler:
 
-     ./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
+     ./configure CC="cc -Ae"
 
 and if that doesn't work, install pre-built binaries of GCC for HP-UX.
 
-   HP-UX `make' updates targets which have the same time stamps as
-their prerequisites, which makes it generally unusable when shipped
-generated files such as `configure' are involved.  Use GNU `make'
-instead.
-
    On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
 parse its `<wchar.h>' header file.  The option `-nodtk' can be used as
 a workaround.  If GNU CC is not installed, it is therefore recommended
@@ -242,16 +174,6 @@
 
      ./configure CC="cc -nodtk"
 
-   On Solaris, don't put `/usr/ucb' early in your `PATH'.  This
-directory contains several dysfunctional programs; working variants of
-these programs are available in `/usr/bin'.  So, if you need `/usr/ucb'
-in your `PATH', put it _after_ `/usr/bin'.
-
-   On Haiku, software installed for all users goes in `/boot/common',
-not `/usr/local'.  It is recommended to use the following options:
-
-     ./configure --prefix=/boot/common
-
 Specifying the System Type
 ==========================
 
@@ -267,8 +189,7 @@
 
 where SYSTEM can have one of these forms:
 
-     OS
-     KERNEL-OS
+     OS KERNEL-OS
 
    See the file `config.sub' for the possible values of each field.  If
 `config.sub' isn't included in this package, then this package doesn't
@@ -356,7 +277,7 @@
      `configure' can determine that directory automatically.
 
 `--prefix=DIR'
-     Use DIR as the installation prefix.  *note Installation Names::
+     Use DIR as the installation prefix.  *Note Installation Names::
      for more details, including other options available for fine-tuning
      the installation locations.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libXfixes-5.0.2/compile new/libXfixes-5.0.3/compile
--- old/libXfixes-5.0.2/compile 2016-05-26 03:54:41.000000000 +0200
+++ new/libXfixes-5.0.3/compile 2016-10-04 00:48:12.000000000 +0200
@@ -3,7 +3,7 @@
 
 scriptversion=2012-10-14.11; # UTC
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2013 Free Software Foundation, Inc.
 # Written by Tom Tromey <[email protected]>.
 #
 # This program is free software; you can redistribute it and/or modify
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libXfixes-5.0.2/config.h.in new/libXfixes-5.0.3/config.h.in
--- old/libXfixes-5.0.2/config.h.in     2016-05-26 03:54:41.000000000 +0200
+++ new/libXfixes-5.0.3/config.h.in     2016-10-04 21:11:27.000000000 +0200
@@ -30,7 +30,8 @@
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H
 
-/* Define to the sub-directory where libtool stores uninstalled libraries. */
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+   */
 #undef LT_OBJDIR
 
 /* Name of package */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libXfixes-5.0.2/configure.ac new/libXfixes-5.0.3/configure.ac
--- old/libXfixes-5.0.2/configure.ac    2016-05-26 03:53:19.000000000 +0200
+++ new/libXfixes-5.0.3/configure.ac    2016-10-04 21:11:07.000000000 +0200
@@ -32,7 +32,7 @@
 # that 'revision' number appears in Xfixes.h and has to be manually
 # synchronized.
 #
-AC_INIT(libXfixes, [5.0.2],
+AC_INIT(libXfixes, [5.0.3],
        [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfixes])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libXfixes-5.0.2/missing new/libXfixes-5.0.3/missing
--- old/libXfixes-5.0.2/missing 2016-05-26 03:54:41.000000000 +0200
+++ new/libXfixes-5.0.3/missing 2016-10-04 00:48:12.000000000 +0200
@@ -3,7 +3,7 @@
 
 scriptversion=2013-10-28.13; # UTC
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2013 Free Software Foundation, Inc.
 # Originally written by Fran,cois Pinard <[email protected]>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libXfixes-5.0.2/src/Region.c new/libXfixes-5.0.3/src/Region.c
--- old/libXfixes-5.0.2/src/Region.c    2016-05-26 03:52:00.000000000 +0200
+++ new/libXfixes-5.0.3/src/Region.c    2016-09-23 09:56:49.000000000 +0200
@@ -23,6 +23,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#include <limits.h>
 #include "Xfixesint.h"
 
 XserverRegion
@@ -333,9 +334,17 @@
     bounds->y = rep.y;
     bounds->width = rep.width;
     bounds->height = rep.height;
-    nbytes = (long) rep.length << 2;
-    nrects = rep.length >> 1;
-    rects = Xmalloc (nrects * sizeof (XRectangle));
+
+    if (rep.length < (INT_MAX >> 2)) {
+       nbytes = (long) rep.length << 2;
+       nrects = rep.length >> 1;
+       rects = Xmalloc (nrects * sizeof (XRectangle));
+    } else {
+       nbytes = 0;
+       nrects = 0;
+       rects = NULL;
+    }
+
     if (!rects)
     {
        _XEatDataWords(dpy, rep.length);
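Review bot: The new guard `if (rep.length < (INT_MAX >> 2))` encodes a non-obvious bound with no comment, and its else branch relies on the pre-existing `if (!rects)` path to drain the reply, which a later reader could easily "simplify" away and reintroduce the desync. I would add above the if: `/* Untrusted CARD32 from the server: cap it so rep.length << 2 fits a 32-bit long and (rep.length >> 1) * sizeof(XRectangle) fits an int. Oversized replies take the !rects path below so the data is still eaten and the stream stays in sync. */`. Whether INT_MAX is the right limit depends on the declared types of nbytes and nrects, which are outside this hunk (the function starts before and ends after it); if nrects is an int and nbytes a long, the bound is tight on 32-bit and merely conservative on 64-bit. A hostile reply is now indistinguishable from an allocation failure for the caller, which seems acceptable here but is worth a word in that comment.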

