Hello community,

here is the log from the commit of package libXfont for openSUSE:Factory checked in at 2017-12-03 10:08:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libXfont (Old)
 and /work/SRC/openSUSE:Factory/.libXfont.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXfont" Sun Dec 3 10:08:51 2017 rev:19 rq:546295 version:1.5.4 Changes: -------- --- /work/SRC/openSUSE:Factory/libXfont/libXfont.changes 2017-10-28 14:18:36.210310647 +0200 +++ /work/SRC/openSUSE:Factory/.libXfont.new/libXfont.changes 2017-12-03 10:08:53.308877063 +0100 @@ -1,0 +2,6 @@ +Tue Nov 28 19:20:44 UTC 2017 - [email protected] + +- Update to release 1.5.4 + * Open files with O_NOFOLLOW. (CVE-2017-16611) + +------------------------------------------------------------------- Old: ---- libXfont-1.5.3.tar.bz2 New: ---- libXfont-1.5.4.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXfont.spec ++++++ --- /var/tmp/diff_new_pack.yw2A3a/_old 2017-12-03 10:08:53.896855686 +0100 +++ /var/tmp/diff_new_pack.yw2A3a/_new 2017-12-03 10:08:53.900855540 +0100 @@ -18,7 +18,7 @@ Name: libXfont %define lname libXfont1 -Version: 1.5.3 +Version: 1.5.4 Release: 0 Summary: X font handling library for server and utilities License: MIT ++++++ libXfont-1.5.3.tar.bz2 -> libXfont-1.5.4.tar.bz2 ++++++ ++++ 1967 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.3/ChangeLog new/libXfont-1.5.4/ChangeLog --- old/libXfont-1.5.3/ChangeLog 2017-10-19 22:50:17.000000000 +0200 +++ new/libXfont-1.5.4/ChangeLog 2017-11-28 15:34:44.000000000 +0100 
@@ -1,3 +1,22 @@ +commit 7d246751628bb877e04da762ec1a2e41ffa62154 +Author: Matthieu Herrb <[email protected]> +Date: Tue Nov 28 15:33:15 2017 +0100 + + libXfont 1.5.4 + +commit 5ed8ac0e4f063825b8ecda48e9a111d3ce92e825 +Author: Michal Srb <[email protected]> +Date: Thu Oct 26 09:48:13 2017 +0200 + + Open files with O_NOFOLLOW. (CVE-2017-16611) + + A non-privileged X client can instruct X server running under root to open any + file by creating own directory with "fonts.dir", "fonts.alias" or any font file + being a symbolic link to any other file in the system. X server will then open + it. This can be issue with special files such as /dev/watchdog. + + Reviewed-by: Matthieu Herrb <[email protected]> + commit f581c2346d025d5b15926db9e58f254173fb58dc Author: Matt Turner <[email protected]> Date: Thu Oct 19 13:45:58 2017 -0700 
@@ -50,21 +69,21 @@ Found by clang's Address Sanitizer - crac.num_auths = set_font_authorizations(&authorizations, &authlen, - client); - /* Work around bug in xfs versions up through modular release 1.0.8 - which rejects CreateAC packets with num_auths = 0 & authlen < 4 */ - if (crac.num_auths == 0) { - authorizations = padding; - authlen = 4; - } else { - authlen = (authlen + 3) & ~0x3; - } - crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; - crac.acid = cur->acid; - _fs_add_req_log(conn, FS_CreateAC); - _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); - _fs_write(conn, authorizations, authlen); + crac.num_auths = set_font_authorizations(&authorizations, &authlen, + client); + /* Work around bug in xfs versions up through modular release 1.0.8 + which rejects CreateAC packets with num_auths = 0 & authlen < 4 */ + if (crac.num_auths == 0) { + authorizations = padding; + authlen = 4; + } else { + authlen = (authlen + 3) & ~0x3; + } + crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; + crac.acid = cur->acid; + _fs_add_req_log(conn, FS_CreateAC); + _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); + _fs_write(conn, authorizations, authlen); In the case in the report, set_font_authorizations setup authorizations as a 34 byte buffer (and authlen set to 34 as one would expect). The following @@ -1409,7 +1428,7 @@ Conflicts: - ChangeLog + ChangeLog Signed-off-by: Yaakov Selkowitz <[email protected]> @@ -2222,7 +2241,7 @@ This patch adds a new FPE type, which will match font path elements of the form - catalogue:<dir> + catalogue:<dir> The dir specified after the catalogue: prefix will be scanned for symlinks and each symlink destination will be added as a local fontfile FPE. 
@@ -2232,22 +2251,22 @@ An example configuration: - 75dpi:unscaled:pri=20 -> /usr/share/X11/fonts/75dpi - ghostscript:pri=60 -> /usr/share/fonts/default/ghostscript - misc:unscaled:pri=10 -> /usr/share/X11/fonts/misc - type1:pri=40 -> /usr/share/X11/fonts/Type1 - type1:pri=50 -> /usr/share/fonts/default/Type1 + 75dpi:unscaled:pri=20 -> /usr/share/X11/fonts/75dpi + ghostscript:pri=60 -> /usr/share/fonts/default/ghostscript + misc:unscaled:pri=10 -> /usr/share/X11/fonts/misc + type1:pri=40 -> /usr/share/X11/fonts/Type1 + type1:pri=50 -> /usr/share/fonts/default/Type1 will add /usr/share/X11/fonts/misc as the first FPE with the attribute 'unscaled', second FPE will be /usr/share/X11/fonts/75dpi, also with the attribute unscaled etc. This is functionally equivalent to setting the following font path: - /usr/share/X11/fonts/misc:unscaled, - /usr/share/X11/fonts/75dpi:unscaled, - /usr/share/X11/fonts/Type1, - /usr/share/fonts/default/Type1, - /usr/share/fonts/default/ghostscript + /usr/share/X11/fonts/misc:unscaled, + /usr/share/X11/fonts/75dpi:unscaled, + /usr/share/X11/fonts/Type1, + /usr/share/fonts/default/Type1, + /usr/share/fonts/default/ghostscript The motivation is to let font packages add a symlink to the new font directory they provide instead of rewriting either the Xorg config file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.3/configure.ac new/libXfont-1.5.4/configure.ac --- old/libXfont-1.5.3/configure.ac 2017-10-19 22:50:07.000000000 +0200 +++ new/libXfont-1.5.4/configure.ac 2017-11-28 15:34:20.000000000 +0100 
@@ -21,7 +21,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXfont], [1.5.3], +AC_INIT([libXfont], [1.5.4], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfont]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.3/src/fontfile/dirfile.c new/libXfont-1.5.4/src/fontfile/dirfile.c --- old/libXfont-1.5.3/src/fontfile/dirfile.c 2017-10-19 22:50:07.000000000 +0200 +++ new/libXfont-1.5.4/src/fontfile/dirfile.c 2017-11-28 15:34:21.000000000 +0100 @@ -41,6 +41,7 @@ #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> +#include <fcntl.h> #include <errno.h> #include <limits.h> @@ -60,8 +61,9 @@ char dir_file[MAXFONTFILENAMELEN]; char dir_path[MAXFONTFILENAMELEN]; char *ptr; - FILE *file; - int count, + FILE *file = 0; + int file_fd, + count, num_fonts, status; struct stat statb; @@ -91,7 +93,14 @@ if (dir_file[strlen(dir_file) - 1] != '/') strcat(dir_file, "/"); strcat(dir_file, FontDirFile); +#ifndef WIN32 + file_fd = open(dir_file, O_RDONLY | O_NOFOLLOW); + if (file_fd >= 0) { + file = fdopen(file_fd, "rt"); + } +#else file = fopen(dir_file, "rt"); +#endif if (file) { #ifndef WIN32 if (fstat (fileno(file), &statb) == -1) @@ -261,7 +270,8 @@ char alias[MAXFONTNAMELEN]; char font_name[MAXFONTNAMELEN]; char alias_file[MAXFONTFILENAMELEN]; - FILE *file; + int file_fd; + FILE *file = 0; FontDirectoryPtr dir; int token; char *lexToken; 
@@ -279,7 +289,16 @@ strcat(alias_file, "/"); strcat(alias_file, FontAliasFile); } + +#ifndef WIN32 + file_fd = open(alias_file, O_RDONLY | O_NOFOLLOW); + if (file_fd >= 0) { + file = fdopen(file_fd, "rt"); + } +#else file = fopen(alias_file, "rt"); +#endif + if (!file) return ((errno == ENOENT) ? Successful : BadFontPath); if (!dir) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.3/src/fontfile/fileio.c new/libXfont-1.5.4/src/fontfile/fileio.c --- old/libXfont-1.5.3/src/fontfile/fileio.c 2017-10-19 22:50:07.000000000 +0200 +++ new/libXfont-1.5.4/src/fontfile/fileio.c 2017-11-28 15:34:21.000000000 +0100 @@ -39,6 +39,9 @@ #ifndef O_CLOEXEC #define O_CLOEXEC 0 #endif +#ifndef O_NOFOLLOW +#define O_NOFOLLOW 0 +#endif FontFilePtr FontFileOpen (const char *name) @@ -47,7 +50,7 @@ int len; BufFilePtr raw, cooked; - fd = open (name, O_BINARY|O_CLOEXEC); + fd = open (name, O_BINARY|O_CLOEXEC|O_NOFOLLOW); if (fd < 0) return 0; raw = BufFileOpenRead (fd);
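
Review bot: In src/fontfile/dirfile.c, hunk @@ -91,7 +93,14 @@, the descriptor returned by `open(dir_file, O_RDONLY | O_NOFOLLOW)` is leaked when `fdopen(file_fd, "rt")` returns NULL, because nothing closes file_fd on that path. Suggest closing it when fdopen() fails, for example `if (file_fd >= 0 && !(file = fdopen(file_fd, "rt"))) close(file_fd);`. This open() also omits O_CLOEXEC, which the open() in fileio.c in the same patch passes; adding it here (with the same #ifndef fallback) would keep the two call sites consistent.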
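
Review bot: In src/fontfile/dirfile.c, hunk @@ -279,7 +289,16 @@, the unchanged check `return ((errno == ENOENT) ? Successful : BadFontPath);` now turns a symlinked fonts.alias into BadFontPath, since open() with O_NOFOLLOW fails on a symlink with ELOOP on Linux (other systems may report a different errno), not ENOENT. If rejecting the whole font path element is intended, say so in the commit message or a comment; if a symlinked alias file should be skipped the way a missing one is, handle that errno explicitly. file_fd is also not closed when fdopen() fails, and errno at the check then comes from fdopen() rather than open().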
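
Review bot: In src/fontfile/fileio.c, hunk @@ -39,6 +39,9 @@, the fallback `#define O_NOFOLLOW 0` makes the CVE-2017-16611 fix a silent no-op on any platform whose headers lack the flag. Suggest a #warning in the fallback branch, or an lstat()/fstat() comparison there, so that the build does not look protected when it is not. dirfile.c uses O_NOFOLLOW under `#ifndef WIN32` with no such fallback, so the two files also disagree on whether a missing flag is a build error.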
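
Review bot: In src/fontfile/fileio.c, hunk @@ -47,7 +50,7 @@, O_NOFOLLOW in `open (name, O_BINARY|O_CLOEXEC|O_NOFOLLOW)` only refuses a symlink in the last component of name; a symlink earlier in the path is still resolved, and that limit deserves a comment next to the call. The commit message names special files such as /dev/watchdog as the concern, yet nothing visible in this hunk checks the type of the opened descriptor; an fstat() with S_ISREG() between the `fd < 0` check and BufFileOpenRead() would state that intent directly.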
