Hello community, here is the log from the commit of package libICE for openSUSE:Factory checked in at 2017-06-20 10:57:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libICE (Old) and /work/SRC/openSUSE:Factory/.libICE.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libICE" Tue Jun 20 10:57:21 2017 rev:9 rq:502905 version:1.0.9 Changes: -------- --- /work/SRC/openSUSE:Factory/libICE/libICE.changes 2014-06-18 07:52:48.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libICE.new/libICE.changes 2017-06-20 10:57:22.509092315 +0200 @@ -1,0 +2,8 @@ +Sun Jun 11 18:00:24 UTC 2017 - [email protected] + +- U_Use-getentropy-if-arc4random_buf-is-not-available.patch + * Use getentropy() if arc4random_buf() is not available + (bnc#1025068, CVE-2017-2626) +- tagged baselibs.conf as source in specfile + +------------------------------------------------------------------- New: ---- U_Use-getentropy-if-arc4random_buf-is-not-available.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libICE.spec ++++++ --- /var/tmp/diff_new_pack.Ao7XMN/_old 2017-06-20 10:57:23.077012265 +0200 +++ /var/tmp/diff_new_pack.Ao7XMN/_new 2017-06-20 10:57:23.077012265 +0200 @@ -1,7 +1,7 @@ # # spec file for package libICE # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,8 +28,13 @@ #Git-Clone: git://anongit.freedesktop.org/xorg/lib/libICE #Git-Web: http://cgit.freedesktop.org/xorg/lib/libICE/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 +Source1: baselibs.conf +Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build #git#BuildRequires: autoconf >= 2.60, automake, libtool +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(xorg-macros) >= 1.12 BuildRequires: pkgconfig(xproto) 
@@ -46,8 +51,8 @@ %package -n %lname Summary: X11 Inter-Client Exchange Library -Group: System/Libraries # O/P added for 12.2 +Group: System/Libraries Provides: xorg-x11-libICE = 7.6_%version-%release Obsoletes: xorg-x11-libICE < 7.6_%version-%release @@ -76,8 +81,10 @@ %prep %setup -q +%patch0 -p1 %build +autoreconf -fi %configure --docdir=%_docdir/%name --disable-static make %{?_smp_mflags} ++++++ U_Use-getentropy-if-arc4random_buf-is-not-available.patch ++++++ >From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires <[email protected]> Date: Tue, 4 Apr 2017 19:12:53 +0200 Subject: [PATCH] Use getentropy() if arc4random_buf() is not available This allows to fix CVE-2017-2626 on Linux platforms without pulling in libbsd. The libc getentropy() is available since glibc 2.25 but also on OpenBSD. For Linux, we need at least a v3.17 kernel. If the recommended arc4random_buf() function is not available, emulate it by first trying to use getentropy() on a supported glibc and kernel. If the call fails, fall back to the current (partly vulnerable) code. Signed-off-by: Benjamin Tissoires <[email protected]> Reviewed-by: Mark Kettenis <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> Signed-off-by: Peter Hutterer <[email protected]> --- configure.ac | 2 +- src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++----------------- 2 files changed, 47 insertions(+), 20 deletions(-) diff --git a/configure.ac b/configure.ac index 458882a..c971ab6 100644 --- a/configure.ac +++ b/configure.ac @@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type]) # Checks for library functions. AC_CHECK_LIB([bsd], [arc4random_buf]) -AC_CHECK_FUNCS([asprintf arc4random_buf]) +AC_CHECK_FUNCS([asprintf arc4random_buf getentropy]) # Allow checking code with lint, sparse, etc. XORG_WITH_LINT diff --git a/src/iceauth.c b/src/iceauth.c index ed31683..de4785b 100644 --- a/src/iceauth.c +++ b/src/iceauth.c 
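Review bot: The extended `AC_CHECK_FUNCS` line in the configure.ac hunk lets configure succeed silently when neither `arc4random_buf` nor `getentropy` is found, in which case src/iceauth.c compiles only the time-seeded `rand()` path that the commit message itself calls partly vulnerable. A configure-time warning placed after the check would make that visible to packagers, for example `AS_IF([test "x$ac_cv_func_arc4random_buf" != xyes && test "x$ac_cv_func_getentropy" != xyes], [AC_MSG_WARN([no arc4random_buf() or getentropy(): ICE cookies fall back to rand()])])`. For this package that matters on build targets whose glibc predates 2.25 and that lack libbsd, where the changelog would still list CVE-2017-2626 as handled even though only the fallback is built.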
@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium static int was_called_state; -/* - * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by - * the SI. It is not part of standard ICElib. - */ +#ifndef HAVE_ARC4RANDOM_BUF - -char * -IceGenerateMagicCookie ( +static void +emulate_getrandom_buf ( + char *auth, int len ) { - char *auth; -#ifndef HAVE_ARC4RANDOM_BUF long ldata[2]; int seed; int value; int i; -#endif - if ((auth = malloc (len + 1)) == NULL) - return (NULL); - -#ifdef HAVE_ARC4RANDOM_BUF - arc4random_buf(auth, len); -#else #ifdef ITIMER_REAL { struct timeval now; @@ -76,13 +64,13 @@ IceGenerateMagicCookie ( ldata[0] = now.tv_sec; ldata[1] = now.tv_usec; } -#else +#else /* ITIMER_REAL */ { long time (); ldata[0] = time ((long *) 0); ldata[1] = getpid (); } -#endif +#endif /* ITIMER_REAL */ seed = (ldata[0]) + (ldata[1] << 16); srand (seed); for (i = 0; i < len; i++) @@ -90,7 +78,46 @@ IceGenerateMagicCookie ( value = rand (); auth[i] = value & 0xff; } -#endif +} + +static void +arc4random_buf ( + char *auth, + int len +) +{ + int ret; + +#if HAVE_GETENTROPY + /* weak emulation of arc4random through the entropy libc */ + ret = getentropy (auth, len); + if (ret == 0) + return; +#endif /* HAVE_GETENTROPY */ + + emulate_getrandom_buf (auth, len); +} + +#endif /* !defined(HAVE_ARC4RANDOM_BUF) */ + +/* + * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by + * the SI. It is not part of standard ICElib. + */ + + +char * +IceGenerateMagicCookie ( + int len +) +{ + char *auth; + + if ((auth = malloc (len + 1)) == NULL) + return (NULL); + + arc4random_buf (auth, len); + auth[len] = '\0'; return (auth); } -- 2.12.3
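Review bot: `emulate_getrandom_buf`, introduced in the first src/iceauth.c hunk, carries no comment saying that its output is predictable, and its name suggests it is equivalent to a kernel random source. The visible body seeds `srand()` from the current time (or from time and pid) and fills the buffer from `rand()`, which is the path the commit message describes as partly vulnerable, and calling `srand()` also reseeds the process-wide generator for the host application. I would add above it `/* Last-resort fallback: output derives from the clock via srand()/rand() and is guessable; used only when no system entropy source is available. */` and consider a name such as `insecure_rand_buf`. The function body continues past this hunk into the following two.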
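Review bot: In the new static `arc4random_buf` (third src/iceauth.c hunk), any `getentropy()` failure drops silently to `emulate_getrandom_buf`, and `getentropy()` rejects requests larger than 256 bytes, so a caller passing a larger `len` to `IceGenerateMagicCookie` would get a `rand()`-derived cookie even on a kernel and glibc that support the call. Filling the buffer in chunks of at most 256 bytes keeps the strong path for every length and leaves the fallback for real failures such as a kernel without the underlying syscall. The hunk adds no `#include`, so it is worth confirming that iceauth.c already pulls in the header that declares `getentropy()`. The version below also drops the `ret` local, which is otherwise unused when `HAVE_GETENTROPY` is not defined.

```c
static void
arc4random_buf (
	char *auth,
	int len
)
{
#if HAVE_GETENTROPY
    int done = 0;

    /* getentropy() fails for requests above 256 bytes, so fill in chunks */
    while (done < len)
    {
	int chunk = len - done;

	if (chunk > 256)
	    chunk = 256;
	if (getentropy (auth + done, chunk) != 0)
	    break;
	done += chunk;
    }
    if (done >= len)
	return;
#endif /* HAVE_GETENTROPY */

    /* ... unchanged: emulate_getrandom_buf (auth, len) fallback ... */
}
```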
