Hello community, here is the log from the commit of package libXrandr.5949 for openSUSE:13.2:Update checked in at 2016-12-07 11:37:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/libXrandr.5949 (Old) and /work/SRC/openSUSE:13.2:Update/.libXrandr.5949.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXrandr.5949" Changes: -------- New Changes file: --- /dev/null 2016-10-27 01:54:32.792041256 +0200 +++ /work/SRC/openSUSE:13.2:Update/.libXrandr.5949.new/libXrandr.changes 2016-12-07 11:37:01.000000000 +0100 @@ -0,0 +1,47 @@ +------------------------------------------------------------------- +Wed Nov 23 11:34:26 UTC 2016 - sndir...@suse.com + +- U_Avoid-out-of-boundary-accesses-on-illegal-responses.patch + * insufficient validation of data from the X server can cause out + of boundary memory writes. (bnc#1003000, CVE-2016-7947, CVE-2016-7948) + +------------------------------------------------------------------- +Sun Sep 8 13:54:25 UTC 2013 - tobias.johannes.klausm...@mni.thm.de + +- Update to version 1.4.2: + This release fixes two small bugs in the library, and fixes an omission + in the list of copyright notices in the COPYING file. + +------------------------------------------------------------------- +Sat Jun 1 20:21:52 UTC 2013 - tobias.johannes.klausm...@mni.thm.de + +- Update to version 1.4.1: + This release brings the fixes for the recently announced security issue + CVE-2013-1986, with some related hardening to avoid other issues, alongside + a couple small build configuration & compiler warning fixes. + +------------------------------------------------------------------- +Sun Feb 17 17:21:53 UTC 2013 - jeng...@inai.de + +- Use more robust make install call +- Avoid calling fdupes outside of /usr + +------------------------------------------------------------------- +Fri Jul 27 21:42:04 UTC 2012 - tobias.johannes.klausm...@mni.thm.de + +- Update to version 1.4.0: + + Strip trailing whitespace + + Fill in nameLen in XRROutputInfo + + libXrandr: add support for provider objects. + +------------------------------------------------------------------- +Wed Apr 11 15:39:12 UTC 2012 - vu...@opensuse.org + +- Update to version 1.3.2: + + Man page improvements + + Build configuration improvements + +------------------------------------------------------------------- +Tue Feb 7 22:17:49 UTC 2012 - jeng...@medozas.de + +- Split xorg-x11-libs into separate packages New: ---- U_Avoid-out-of-boundary-accesses-on-illegal-responses.patch baselibs.conf libXrandr-1.4.2.tar.bz2 libXrandr.changes libXrandr.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXrandr.spec ++++++ # # spec file for package libXrandr # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libXrandr %define lname libXrandr2 Version: 1.4.2 Release: 0 Summary: X Resize, Rotate and Reflection extension library License: MIT Group: Development/Libraries/C and C++ Url: http://xorg.freedesktop.org/ #Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXrandr #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXrandr/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 Patch0: U_Avoid-out-of-boundary-accesses-on-illegal-responses.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf >= 2.60 BuildRequires: automake BuildRequires: fdupes BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(randrproto) >= 1.3 BuildRequires: pkgconfig(renderproto) BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(xext) BuildRequires: pkgconfig(xextproto) BuildRequires: pkgconfig(xorg-macros) >= 1.8 BuildRequires: pkgconfig(xrender) %description The X Resize, Rotate and Reflect Extension (RandR) allows clients to dynamically change X screens, so as to resize, to change the orientation and layout of the root window of a screen. %package -n %lname Summary: X Resize, Rotate and Reflection extension library Group: System/Libraries %description -n %lname The X Resize, Rotate and Reflect Extension (RandR) allows clients to dynamically change X screens, so as to resize, to change the orientation and layout of the root window of a screen. %package devel Summary: Development files for the X Resize-Rotate-Reflection library Group: Development/Libraries/C and C++ Requires: %lname = %version %description devel The X Resize, Rotate and Reflect Extension (RandR) allows clients to dynamically change X screens, so as to resize, to change the orientation and layout of the root window of a screen. This package contains the development headers for the library found in %lname. %prep %setup -q %patch0 -p1 %build autoreconf -fi %configure --disable-static make %{?_smp_mflags} %install make install DESTDIR="%buildroot" rm -f "%buildroot/%_libdir"/*.la %fdupes %buildroot/%_prefix %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig %files -n %lname %defattr(-,root,root) %_libdir/libXrandr.so.2* %files devel %defattr(-,root,root) %_includedir/X11/* %_libdir/libXrandr.so %_libdir/pkgconfig/xrandr.pc %_mandir/man3/* %changelog ++++++ U_Avoid-out-of-boundary-accesses-on-illegal-responses.patch ++++++ >From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann <tob...@stoeckmann.org> Date: Sun, 25 Sep 2016 22:21:40 +0200 Subject: [PATCH] Avoid out of boundary accesses on illegal responses The responses of the connected X server have to be properly checked to avoid out of boundary accesses that could otherwise be triggered by a malicious server. Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> Reviewed-by: Matthieu Herrb <matth...@herrb.eu> --- src/XrrConfig.c | 32 +++++++++++++-------- src/XrrCrtc.c | 83 ++++++++++++++++++++++++++++++++++++++++++------------- src/XrrMonitor.c | 18 ++++++++++++ src/XrrOutput.c | 11 ++++++++ src/XrrProvider.c | 28 ++++++++++++++++--- src/XrrScreen.c | 52 ++++++++++++++++++++++------------ 6 files changed, 172 insertions(+), 52 deletions(-) Index: libXrandr-1.4.2/src/XrrConfig.c =================================================================== --- libXrandr-1.4.2.orig/src/XrrConfig.c +++ libXrandr-1.4.2/src/XrrConfig.c @@ -29,6 +29,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ @@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetSc rep.rate = 0; rep.nrateEnts = 0; } + if (rep.length < INT_MAX >> 2) { + nbytes = (long) rep.length << 2; - nbytes = (long) rep.length << 2; + nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + + ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */); - nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + - ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */); + /* + * first we must compute how much space to allocate for + * randr library's use; we'll allocate the structures in a single + * allocation, on cleanlyness grounds. + */ + + rbytes = sizeof (XRRScreenConfiguration) + + (rep.nSizes * sizeof (XRRScreenSize) + + rep.nrateEnts * sizeof (int)); - /* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ - - rbytes = sizeof (XRRScreenConfiguration) + - (rep.nSizes * sizeof (XRRScreenSize) + - rep.nrateEnts * sizeof (int)); + scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); + } else { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + scp = NULL; + } - scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); if (scp == NULL) { _XEatData (dpy, (unsigned long) nbytes); return NULL; Index: libXrandr-1.4.2/src/XrrCrtc.c =================================================================== --- libXrandr-1.4.2.orig/src/XrrCrtc.c +++ libXrandr-1.4.2/src/XrrCrtc.c @@ -24,6 +24,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ @@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenR return NULL; } - nbytes = (long) rep.length << 2; + if (rep.length < INT_MAX >> 2) + { + nbytes = (long) rep.length << 2; - nbytesRead = (long) (rep.nOutput * 4 + - rep.nPossibleOutput * 4); + nbytesRead = (long) (rep.nOutput * 4 + + rep.nPossibleOutput * 4); - /* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ + /* + * first we must compute how much space to allocate for + * randr library's use; we'll allocate the structures in a single + * allocation, on cleanlyness grounds. + */ + + rbytes = (sizeof (XRRCrtcInfo) + + rep.nOutput * sizeof (RROutput) + + rep.nPossibleOutput * sizeof (RROutput)); - rbytes = (sizeof (XRRCrtcInfo) + - rep.nOutput * sizeof (RROutput) + - rep.nPossibleOutput * sizeof (RROutput)); + xci = (XRRCrtcInfo *) Xmalloc(rbytes); + } + else + { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + xci = NULL; + } - xci = (XRRCrtcInfo *) Xmalloc(rbytes); if (xci == NULL) { _XEatDataWords (dpy, rep.length); UnlockDisplay (dpy); @@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc cr if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) goto out; - nbytes = (long) rep.length << 2; + if (rep.length < INT_MAX >> 2) + { + nbytes = (long) rep.length << 2; - /* three channels of CARD16 data */ - nbytesRead = (rep.size * 2 * 3); + /* three channels of CARD16 data */ + nbytesRead = (rep.size * 2 * 3); - crtc_gamma = XRRAllocGamma (rep.size); + crtc_gamma = XRRAllocGamma (rep.size); + } + else + { + nbytes = 0; + nbytesRead = 0; + crtc_gamma = NULL; + } if (!crtc_gamma) { @@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy, xRRGetCrtcTransformReq *req; int major_version, minor_version; XRRCrtcTransformAttributes *attr; - char *extra = NULL, *e; + char *extra = NULL, *end = NULL, *e; int p; *attributes = NULL; @@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy, else { int extraBytes = rep.length * 4 - CrtcTransformExtra; - extra = Xmalloc (extraBytes); + if (rep.length < INT_MAX / 4 && + rep.length * 4 >= CrtcTransformExtra) { + extra = Xmalloc (extraBytes); + end = extra + extraBytes; + } else + extra = NULL; if (!extra) { - _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); + if (rep.length > (CrtcTransformExtra >> 2)) + _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); + else + _XEatDataWords (dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; @@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display *dpy, e = extra; + if (e + rep.pendingNbytesFilter > end) { + XFree (extra); + return False; + } memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter); attr->pendingFilter[rep.pendingNbytesFilter] = '\0'; e += (rep.pendingNbytesFilter + 3) & ~3; for (p = 0; p < rep.pendingNparamsFilter; p++) { INT32 f; + if (e + 4 > end) { + XFree (extra); + return False; + } memcpy (&f, e, 4); e += 4; attr->pendingParams[p] = (XFixed) f; } attr->pendingNparams = rep.pendingNparamsFilter; + if (e + rep.currentNbytesFilter > end) { + XFree (extra); + return False; + } memcpy (attr->currentFilter, e, rep.currentNbytesFilter); attr->currentFilter[rep.currentNbytesFilter] = '\0'; e += (rep.currentNbytesFilter + 3) & ~3; for (p = 0; p < rep.currentNparamsFilter; p++) { INT32 f; + if (e + 4 > end) { + XFree (extra); + return False; + } memcpy (&f, e, 4); e += 4; attr->currentParams[p] = (XFixed) f; Index: libXrandr-1.4.2/src/XrrOutput.c =================================================================== --- libXrandr-1.4.2.orig/src/XrrOutput.c +++ libXrandr-1.4.2/src/XrrOutput.c @@ -25,6 +25,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ @@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScree return NULL; } + if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2)) + { + if (rep.length > (OutputInfoExtra >> 2)) + _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2)); + else + _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } nbytes = ((long) (rep.length) << 2) - OutputInfoExtra; nbytesRead = (long) (rep.nCrtcs * 4 + Index: libXrandr-1.4.2/src/XrrProvider.c =================================================================== --- libXrandr-1.4.2.orig/src/XrrProvider.c +++ libXrandr-1.4.2/src/XrrProvider.c @@ -25,6 +25,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ @@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Wi return NULL; } - nbytes = (long) rep.length << 2; + if (rep.length < INT_MAX >> 2) { + nbytes = (long) rep.length << 2; - nbytesRead = (long) (rep.nProviders * 4); + nbytesRead = (long) (rep.nProviders * 4); - rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider)); - xrpr = (XRRProviderResources *) Xmalloc(rbytes); + rbytes = (sizeof(XRRProviderResources) + rep.nProviders * + sizeof(RRProvider)); + xrpr = (XRRProviderResources *) Xmalloc(rbytes); + } else { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + xrpr = NULL; + } if (xrpr == NULL) { _XEatDataWords (dpy, rep.length); @@ -119,6 +128,17 @@ XRRGetProviderInfo(Display *dpy, XRRScre UnlockDisplay (dpy); SyncHandle (); return NULL; + } + + if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2) + { + if (rep.length < ProviderInfoExtra >> 2) + _XEatDataWords (dpy, rep.length); + else + _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2)); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; } nbytes = ((long) rep.length << 2) - ProviderInfoExtra; Index: libXrandr-1.4.2/src/XrrScreen.c =================================================================== --- libXrandr-1.4.2.orig/src/XrrScreen.c +++ libXrandr-1.4.2/src/XrrScreen.c @@ -24,6 +24,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ @@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Wind xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version); } - nbytes = (long) rep.length << 2; + if (rep.length < INT_MAX >> 2) { + nbytes = (long) rep.length << 2; - nbytesRead = (long) (rep.nCrtcs * 4 + - rep.nOutputs * 4 + - rep.nModes * SIZEOF (xRRModeInfo) + - ((rep.nbytesNames + 3) & ~3)); - - /* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ - - rbytes = (sizeof (XRRScreenResources) + - rep.nCrtcs * sizeof (RRCrtc) + - rep.nOutputs * sizeof (RROutput) + - rep.nModes * sizeof (XRRModeInfo) + - rep.nbytesNames + rep.nModes); /* '\0' terminate names */ + nbytesRead = (long) (rep.nCrtcs * 4 + + rep.nOutputs * 4 + + rep.nModes * SIZEOF (xRRModeInfo) + + ((rep.nbytesNames + 3) & ~3)); + + /* + * first we must compute how much space to allocate for + * randr library's use; we'll allocate the structures in a single + * allocation, on cleanlyness grounds. + */ + + rbytes = (sizeof (XRRScreenResources) + + rep.nCrtcs * sizeof (RRCrtc) + + rep.nOutputs * sizeof (RROutput) + + rep.nModes * sizeof (XRRModeInfo) + + rep.nbytesNames + rep.nModes); /* '\0' terminate names */ + + xrsr = (XRRScreenResources *) Xmalloc(rbytes); + wire_names = (char *) Xmalloc (rep.nbytesNames); + } else { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + xrsr = NULL; + wire_names = NULL; + } - xrsr = (XRRScreenResources *) Xmalloc(rbytes); - wire_names = (char *) Xmalloc (rep.nbytesNames); if (xrsr == NULL || wire_names == NULL) { if (xrsr) Xfree (xrsr); if (wire_names) Xfree (wire_names); @@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Wind wire_name = wire_names; for (i = 0; i < rep.nModes; i++) { xrsr->modes[i].name = names; + if (xrsr->modes[i].nameLength > rep.nbytesNames) { + Xfree (xrsr); + Xfree (wire_names); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } + rep.nbytesNames -= xrsr->modes[i].nameLength; memcpy (names, wire_name, xrsr->modes[i].nameLength); names[xrsr->modes[i].nameLength] = '\0'; names += xrsr->modes[i].nameLength + 1; ++++++ baselibs.conf ++++++ libXrandr2 libXrandr-devel requires -libXrandr-<targettype> requires "libXrandr2-<targettype> = <version>"