Hello community, here is the log from the commit of package xhost for openSUSE:Factory checked in at 2019-02-24 18:37:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xhost (Old) and /work/SRC/openSUSE:Factory/.xhost.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xhost" Sun Feb 24 18:37:20 2019 rev:8 rq:677771 version:1.0.8 Changes: -------- --- /work/SRC/openSUSE:Factory/xhost/xhost.changes 2015-04-27 12:59:07.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.xhost.new.28833/xhost.changes 2019-02-24 18:37:22.619362760 +0100 @@ -1,0 +2,8 @@ +Wed Feb 20 15:09:25 UTC 2019 - sndir...@suse.com + +- Update to version 1.0.8 + * This release hardens xhost against corrupted or malicious responses from + the X server, as well as some minor bug & compatibility fixes, and general + janitorial maintenance. + +------------------------------------------------------------------- Old: ---- xhost-1.0.7.tar.bz2 New: ---- xhost-1.0.8.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xhost.spec ++++++ --- /var/tmp/diff_new_pack.Bvbvst/_old 2019-02-24 18:37:23.679362441 +0100 +++ /var/tmp/diff_new_pack.Bvbvst/_new 2019-02-24 18:37:23.683362439 +0100 @@ -1,7 +1,7 @@ # # spec file for package xhost # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: xhost -Version: 1.0.7 +Version: 1.0.8 Release: 0 Summary: Utility to control X server access License: MIT 
@@ -50,7 +50,7 @@ %files %defattr(-,root,root) -%doc AUTHORS ChangeLog COPYING README +%doc AUTHORS ChangeLog COPYING README.md %{_bindir}/xhost %{_mandir}/man1/xhost.1%{?ext_man} ++++++ xhost-1.0.7.tar.bz2 -> xhost-1.0.8.tar.bz2 ++++++ ++++ 5681 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/xhost-1.0.7/ChangeLog new/xhost-1.0.8/ChangeLog --- old/xhost-1.0.7/ChangeLog 2015-04-17 08:28:32.000000000 +0200 +++ new/xhost-1.0.8/ChangeLog 2019-02-19 23:51:20.000000000 +0100 @@ -1,3 +1,96 @@ +commit 997135c6e37faa50f8b42a5f95c0cc8461ed6be9 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Tue Feb 19 14:50:20 2019 -0800 + + xhost 1.0.8 + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 0ef87307f77e7e3df04b227046904cecbe6dd3f6 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Wed Nov 21 17:06:21 2018 -0800 + + Update configure.ac bug URL for gitlab migration + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 136e3be46cbd93a490483126b837f67c391129a1 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Fri Nov 16 22:15:54 2018 -0800 + + Update README for gitlab migration + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 317312bd23cf5c524932c6f12319ed3eed68d981 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Mon Nov 12 14:05:52 2018 -0800 + + Drop ancient workarounds for Cray that are no longer needed + + 
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 62bfa9d421138ec538682eb0323fa9f438d6b2c7 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Mon Nov 12 13:27:55 2018 -0800 + + Prefer inet_aton, if available, over inet_addr + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 0c3627bc7dac395c6af8bd1fb747ef3556e95fb4 +Author: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Wed Jul 4 16:20:06 2018 +0200 + + Prevent OOB access on illegal server response. + + While parsing Xorg responses it is possible to trigger an out of + boundary read if the response does not contain enough bytes. + + In case of IPv4, the padding normally prevents this, but IPv6 + addresses can trigger an out of boundary read. + + It takes a hostile xorg-server to reproduce this issue. If + os/access.c is adjusted to always use a length of 1, it is possible + to reproduce it and make it visible with an ASAN-compiled xhost. + + Reading past the memory boundary could reveal sensitive information + to external DNS servers, because a lookup will be performed. + + Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> + Reviewed-by: Matthieu Herrb <matth...@herrb.eu> + +commit 28015d91e284ee4b797a6e99ec16d53147c0ddb6 +Author: Mihail Konev <k....@ya.ru> +Date: Thu Jan 26 14:00:21 2017 +1000 + + autogen: add default patch prefix + + Signed-off-by: Mihail Konev <k....@ya.ru> + +commit 3ee80cd398579c0f182ff7131ebfe7b65efed72b +Author: Emil Velikov <emil.l.veli...@gmail.com> +Date: Mon Mar 9 12:00:52 2015 +0000 + + autogen.sh: use quoted string variables + + Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent + fall-outs, when they contain space. + + Signed-off-by: Emil Velikov <emil.l.veli...@gmail.com> + Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> + 
Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> + +commit 991e4a8a26e9c03faa291b522067443a8d05af7a +Author: Jon TURNEY <jon.tur...@dronecode.org.uk> +Date: Sun Sep 14 18:13:28 2014 +0100 + + Move sethostent()/gethostent() stubs used in Windows builds to avoid implicit-function-declaration warnings + + Signed-off-by: Jon TURNEY <jon.tur...@dronecode.org.uk> + Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> + Reviewed-by: David Macek <david.mace...@gmail.com> + commit 06d71376aa43f9177ec1e37ed1e4d0faca655cff Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Thu Apr 16 23:28:02 2015 -0700 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/xhost-1.0.7/Makefile.am new/xhost-1.0.8/Makefile.am --- old/xhost-1.0.7/Makefile.am 2015-04-17 08:28:08.000000000 +0200 +++ new/xhost-1.0.8/Makefile.am 2019-02-19 23:51:09.000000000 +0100 @@ -18,4 +18,4 @@ dist-hook: ChangeLog INSTALL - +EXTRA_DIST = README.md diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/xhost-1.0.7/README new/xhost-1.0.8/README --- old/xhost-1.0.7/README 2015-04-17 08:28:08.000000000 +0200 +++ new/xhost-1.0.8/README 1970-01-01 01:00:00.000000000 +0100 
@@ -1,26 +0,0 @@
-xhost is used to manage the list of host names or user names
-allowed to make connections to the X server.
-
-All questions regarding this software should be directed at the
-Xorg mailing list:
-
- http://lists.freedesktop.org/mailman/listinfo/xorg
-
-Please submit bug reports to the Xorg bugzilla:
-
- https://bugs.freedesktop.org/enter_bug.cgi?product=xorg
-
-The master development code repository can be found at:
-
- git://anongit.freedesktop.org/git/xorg/app/xhost
-
- http://cgit.freedesktop.org/xorg/app/xhost
-
-For patch submission instructions, see:
-
- http://www.x.org/wiki/Development/Documentation/SubmittingPatches
-
-For more information on the git code manager, see:
-
- http://wiki.x.org/wiki/GitPage
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/xhost-1.0.7/README.md new/xhost-1.0.8/README.md
--- old/xhost-1.0.7/README.md 1970-01-01 01:00:00.000000000 +0100
+++ new/xhost-1.0.8/README.md 2019-02-19 23:51:09.000000000 +0100
@@ -0,0 +1,18 @@
+xhost is used to manage the list of host names or user names
+allowed to make connections to the X server.
+
+All questions regarding this software should be directed at the
+Xorg mailing list:
+
+ https://lists.x.org/mailman/listinfo/xorg
+
+The master development code repository can be found at:
+
+ https://gitlab.freedesktop.org/xorg/app/xhost
+
+Please submit bug reports and requests to merge patches there.
+
+For patch submission instructions, see:
+
+ https://www.x.org/wiki/Development/Documentation/SubmittingPatches
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/xhost-1.0.7/config.h.in new/xhost-1.0.8/config.h.in
--- old/xhost-1.0.7/config.h.in 2015-04-17 08:28:13.000000000 +0200
+++ new/xhost-1.0.8/config.h.in 2019-02-19 23:51:12.000000000 +0100
@@ -9,6 +9,9 @@
 /* Define to 1 if you have the `authdes_seccreate' function. */
 #undef HAVE_AUTHDES_SECCREATE
+/* Define to 1 if you have the `inet_aton' function. */
+#undef HAVE_INET_ATON
+
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/xhost-1.0.7/configure.ac new/xhost-1.0.8/configure.ac
--- old/xhost-1.0.7/configure.ac 2015-04-17 08:28:08.000000000 +0200
+++ new/xhost-1.0.8/configure.ac 2019-02-19 23:51:09.000000000 +0100
@@ -2,8 +2,8 @@
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([xhost], [1.0.7],
- [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [xhost])
+AC_INIT([xhost], [1.0.8],
+ [https://gitlab.freedesktop.org/xorg/app/xhost/issues], [xhost])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
@@ -42,6 +42,9 @@
 ;;
 esac
+# Checks for library functions.
+AC_CHECK_FUNCS([inet_aton])
+
 AC_CONFIG_FILES([ Makefile man/Makefile])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/xhost-1.0.7/xhost.c new/xhost-1.0.8/xhost.c
--- old/xhost-1.0.7/xhost.c 2015-04-17 08:28:08.000000000 +0200
+++ new/xhost-1.0.8/xhost.c 2019-02-19 23:51:09.000000000 +0100
@@ -160,6 +160,14 @@
 }
 #endif /* NEEDSOCKETS */
+#if defined(__CYGWIN__) || defined(WIN32)
+void sethostent(int x)
+{}
+
+void endhostent()
+{}
+#endif
+
 int main(int argc, char *argv[]) {
@@ -501,13 +509,18 @@
 }
 #ifdef NEEDSOCKETS
 /*
- * First see if inet_addr() can grok the name; if so, then use it.
+ * First see if inet_aton/inet_addr can grok the name; if so, then use it.
 */
 if (((family == FamilyWild) || (family == FamilyInternet)) &&
- ((addr.s_addr = inet_addr(name)) != -1)) {
+#ifdef HAVE_INET_ATON
+ (inet_aton (name, &addr) != 0)
+#else
+ ((addr.s_addr = inet_addr(name)) != -1)
+#endif
+ ) {
 ha.family = FamilyInternet;
- ha.length = 4; /* but for Cray would be sizeof(addr.s_addr) */
- ha.address = (char *)&addr; /* but for Cray would be &addr.s_addr */
+ ha.length = sizeof(addr.s_addr);
+ ha.address = (char *) &addr.s_addr;
 if (add) {
 XAddHost (dpy, &ha);
 printf ("%s %s\n", name, add_msg);
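Review bot: In the xhost.c hunk at `@@ -501,13 +509,18 @@`, the `#else` fallback still tests `inet_addr(name)` against a bare `-1`, which relies on an implicit signed-to-unsigned conversion and cannot tell a parse failure from the literal 255.255.255.255; `((addr.s_addr = inet_addr(name)) != INADDR_NONE)` would at least state the intent, assuming the platform headers define that macro. Both branches also accept the legacy numeric shorthands (fewer than four parts, hex or octal components), so such a string is added to the access list as an address instead of being resolved as a host name; if only dotted-quad input is meant to match here, `inet_pton(AF_INET, name, &addr) == 1` is the stricter test. A short comment above the `#ifdef HAVE_INET_ATON` recording which input forms are treated as addresses would help anyone auditing what an `xhost +name` call grants. The enclosing function begins and ends outside this hunk.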
@@ -674,6 +687,8 @@
 #endif
 sin->sin_family = AF_INET;
 sin->sin_port = 0;
+ if (sizeof(sin->sin_addr) > ha->length)
+ return "";
 memcpy(&sin->sin_addr, ha->address, sizeof(sin->sin_addr));
 saddrlen = sizeof(struct sockaddr_in);
 } else {
@@ -683,6 +698,8 @@
 #endif
 sin6->sin6_family = AF_INET6;
 sin6->sin6_port = 0;
+ if (sizeof(sin6->sin6_addr) > ha->length)
+ return "";
 memcpy(&sin6->sin6_addr, ha->address, sizeof(sin6->sin6_addr));
 saddrlen = sizeof(struct sockaddr_in6);
 }
@@ -842,12 +859,3 @@
 XmuPrintDefaultErrorMessage (dpy, rep, stderr);
 return 0;
 }
-
-#if defined(__CYGWIN__) || defined(WIN32)
-void sethostent(int x)
-{}
-
-void endhostent()
-{}
-#endif
-
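Review bot: The new guard `if (sizeof(sin->sin_addr) > ha->length)` compares a `size_t` with `ha->length`, which is presumably a signed `int` (its declaration is outside the hunk), so a negative length would convert to a large unsigned value and pass the check; the `sin6` guard in the `@@ -683,6 +698,8 @@` hunk has the same shape. If the server is expected to send exactly the address size for each family, an exact match is tighter and avoids the mixed-sign comparison: `if (ha->length != (int) sizeof(sin->sin_addr)) return "";` and likewise for `sin6->sin6_addr`. Returning an empty string also hides the malformed entry from the user, so a one-line warning on stderr giving the family and the received length would make a misbehaving server visible. The enclosing function starts and ends outside both hunks.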