Hello community, here is the log from the commit of package libXfont for openSUSE:Factory checked in at 2017-10-28 14:18:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libXfont (Old) and /work/SRC/openSUSE:Factory/.libXfont.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXfont" Sat Oct 28 14:18:35 2017 rev:18 rq:535492 version:1.5.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libXfont/libXfont.changes 2017-06-04 01:46:41.231603729 +0200 +++ /work/SRC/openSUSE:Factory/.libXfont.new/libXfont.changes 2017-10-28 14:18:36.210310647 +0200 @@ -1,0 +2,7 @@ +Fri Oct 20 13:56:21 UTC 2017 - sndir...@suse.com + +- Update to release 1.5.3 + * Check for end of string in PatternMatch (CVE-2017-13720) + * pcfGetProperties: Check string boundaries (CVE-2017-13722) + +------------------------------------------------------------------- Old: ---- libXfont-1.5.2.tar.bz2 New: ---- libXfont-1.5.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXfont.spec ++++++ --- /var/tmp/diff_new_pack.B5L1q6/_old 2017-10-28 14:18:36.750290903 +0200 +++ /var/tmp/diff_new_pack.B5L1q6/_new 2017-10-28 14:18:36.754290756 +0200 @@ -18,7 +18,7 @@ Name: libXfont %define lname libXfont1 -Version: 1.5.2 +Version: 1.5.3 Release: 0 Summary: X font handling library for server and utilities License: MIT ++++++ libXfont-1.5.2.tar.bz2 -> libXfont-1.5.3.tar.bz2 ++++++ ++++ 1666 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.2/ChangeLog new/libXfont-1.5.3/ChangeLog --- old/libXfont-1.5.2/ChangeLog 2016-08-31 22:19:58.000000000 +0200 +++ new/libXfont-1.5.3/ChangeLog 2017-10-19 22:50:17.000000000 +0200 @@ -1,3 +1,37 @@ +commit f581c2346d025d5b15926db9e58f254173fb58dc +Author: Matt Turner <matts...@gmail.com> +Date: Thu Oct 19 13:45:58 2017 -0700 + + libXfont 1.5.3 + + 
Signed-off-by: Matt Turner <matts...@gmail.com> + +commit 3b08934dca75e4c559db7d83797bc3d365c2a50a +Author: Michal Srb <m...@suse.com> +Date: Thu Jul 20 17:05:23 2017 +0200 + + pcfGetProperties: Check string boundaries (CVE-2017-13722) + + Without the checks a malformed PCF file can cause the library to make + atom from random heap memory that was behind the `strings` buffer. + This may crash the process or leak information. + + Signed-off-by: Julien Cristau <jcris...@debian.org> + (cherry picked from commit 672bb944311392e2415b39c0d63b1e1902905bcd) + +commit a2a5fa591762b430037e33f1df55b460550ab406 +Author: Michal Srb <m...@suse.com> +Date: Thu Jul 20 13:38:53 2017 +0200 + + Check for end of string in PatternMatch (CVE-2017-13720) + + If a pattern contains '?' character, any character in the string is skipped, + even if it is '\0'. The rest of the matching then reads invalid memory. + + Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> + Signed-off-by: Julien Cristau <jcris...@debian.org> + (cherry picked from commit d1e670a4a8704b8708e493ab6155589bcd570608) + commit 8cce9834b2e74dccad94ca0adf79ae5585e37d48 Author: Adam Jackson <a...@redhat.com> Date: Wed Aug 31 16:19:11 2016 -0400 
@@ -16,21 +50,21 @@ Found by clang's Address Sanitizer - crac.num_auths = set_font_authorizations(&authorizations, &authlen, - client); - /* Work around bug in xfs versions up through modular release 1.0.8 - which rejects CreateAC packets with num_auths = 0 & authlen < 4 */ - if (crac.num_auths == 0) { - authorizations = padding; - authlen = 4; - } else { - authlen = (authlen + 3) & ~0x3; - } - crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; - crac.acid = cur->acid; - _fs_add_req_log(conn, FS_CreateAC); - _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); - _fs_write(conn, authorizations, authlen); + crac.num_auths = set_font_authorizations(&authorizations, &authlen, + client); + /* Work around bug in xfs versions up through modular release 1.0.8 + which rejects CreateAC packets with num_auths = 0 & authlen < 4 */ + if (crac.num_auths == 0) { + authorizations = padding; + authlen = 4; + } else { + authlen = (authlen + 3) & ~0x3; + } + crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; + crac.acid = cur->acid; + _fs_add_req_log(conn, FS_CreateAC); + _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); + _fs_write(conn, authorizations, authlen); In the case in the report, set_font_authorizations setup authorizations as a 34 byte buffer (and authlen set to 34 as one would expect). The following @@ -1375,7 +1409,7 @@ Conflicts: - ChangeLog + ChangeLog Signed-off-by: Yaakov Selkowitz <yselkow...@users.sourceforge.net> @@ -2188,7 +2222,7 @@ This patch adds a new FPE type, which will match font path elements of the form - catalogue:<dir> + catalogue:<dir> The dir specified after the catalogue: prefix will be scanned for symlinks and each symlink destination will be added as a local fontfile FPE. 
@@ -2198,22 +2232,22 @@ An example configuration: - 75dpi:unscaled:pri=20 -> /usr/share/X11/fonts/75dpi - ghostscript:pri=60 -> /usr/share/fonts/default/ghostscript - misc:unscaled:pri=10 -> /usr/share/X11/fonts/misc - type1:pri=40 -> /usr/share/X11/fonts/Type1 - type1:pri=50 -> /usr/share/fonts/default/Type1 + 75dpi:unscaled:pri=20 -> /usr/share/X11/fonts/75dpi + ghostscript:pri=60 -> /usr/share/fonts/default/ghostscript + misc:unscaled:pri=10 -> /usr/share/X11/fonts/misc + type1:pri=40 -> /usr/share/X11/fonts/Type1 + type1:pri=50 -> /usr/share/fonts/default/Type1 will add /usr/share/X11/fonts/misc as the first FPE with the attribute 'unscaled', second FPE will be /usr/share/X11/fonts/75dpi, also with the attribute unscaled etc. This is functionally equivalent to setting the following font path: - /usr/share/X11/fonts/misc:unscaled, - /usr/share/X11/fonts/75dpi:unscaled, - /usr/share/X11/fonts/Type1, - /usr/share/fonts/default/Type1, - /usr/share/fonts/default/ghostscript + /usr/share/X11/fonts/misc:unscaled, + /usr/share/X11/fonts/75dpi:unscaled, + /usr/share/X11/fonts/Type1, + /usr/share/fonts/default/Type1, + /usr/share/fonts/default/ghostscript The motivation is to let font packages add a symlink to the new font directory they provide instead of rewriting either the Xorg config file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.2/configure.ac new/libXfont-1.5.3/configure.ac --- old/libXfont-1.5.2/configure.ac 2016-08-31 22:18:48.000000000 +0200 +++ new/libXfont-1.5.3/configure.ac 2017-10-19 22:50:07.000000000 +0200 
@@ -21,7 +21,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXfont], [1.5.2], +AC_INIT([libXfont], [1.5.3], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfont]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.2/src/bitmap/pcfread.c new/libXfont-1.5.3/src/bitmap/pcfread.c --- old/libXfont-1.5.2/src/bitmap/pcfread.c 2016-08-31 22:18:36.000000000 +0200 +++ new/libXfont-1.5.3/src/bitmap/pcfread.c 2017-10-19 22:50:07.000000000 +0200 @@ -44,6 +44,7 @@ #include <stdarg.h> #include <stdint.h> +#include <string.h> void pcfError(const char* message, ...) 
@@ -310,11 +311,19 @@
 if (IS_EOF(file)) goto Bail;
 position += string_size;
 for (i = 0; i < nprops; i++) {
+ if (props[i].name >= string_size) {
+ pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
+ goto Bail;
+ }
 props[i].name = MakeAtom(strings + props[i].name,
- strlen(strings + props[i].name), TRUE);
+ strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
 if (isStringProp[i]) {
+ if (props[i].value >= string_size) {
+ pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
+ goto Bail;
+ }
 props[i].value = MakeAtom(strings + props[i].value,
- strlen(strings + props[i].value), TRUE);
+ strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
 }
 }
 free(strings);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.2/src/fontfile/fontdir.c new/libXfont-1.5.3/src/fontfile/fontdir.c
--- old/libXfont-1.5.2/src/fontfile/fontdir.c 2016-08-31 22:18:36.000000000 +0200
+++ new/libXfont-1.5.3/src/fontfile/fontdir.c 2017-10-19 22:50:07.000000000 +0200
@@ -399,8 +399,10 @@
 }
 }
 case '?':
- if (*string++ == XK_minus)
+ if ((t = *string++) == XK_minus)
 stringdashes--;
+ if (!t)
+ return 0;
 break;
 case '\0':
 return (*string == '\0');
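Review bot: The two new bounds checks in the `for` loop reject only offsets at or beyond `string_size`, so a negative `props[i].name` or `props[i].value` would still pass if these fields are signed, which the `%ld` format suggests. In that case `strings + props[i].name` points before the buffer, and `string_size - props[i].name` enlarges the `strnlen` limit instead of shrinking it. Unless the offsets are already range-checked where they are read (outside this hunk), the guards should be `if (props[i].name < 0 || props[i].name >= string_size) {` and likewise for `props[i].value`. Note also that `strnlen` is POSIX rather than ISO C, so a build on a platform without it needs a fallback. The enclosing function starts and ends outside the hunk.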
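Review bot: The new `if (!t) return 0;` in `case '?':` has no comment saying why the consumed character is tested, so a later cleanup could fold it away and reintroduce the over-read. I would add above it `/* '?' must not match the terminating NUL; string is already past it, so fail the match here (CVE-2017-13720) */`. `t` is declared outside this hunk, and the switch and its function both start and end outside it. The other cases that advance `string` are not visible, so this hunk alone cannot show whether they have the same end-of-string guard.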