Hello community,

here is the log from the commit of package xhost for openSUSE:Factory checked 
in at 2019-02-24 18:37:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xhost (Old)
 and      /work/SRC/openSUSE:Factory/.xhost.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xhost"

Sun Feb 24 18:37:20 2019 rev:8 rq:677771 version:1.0.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/xhost/xhost.changes      2015-04-27 
12:59:07.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.xhost.new.28833/xhost.changes   2019-02-24 
18:37:22.619362760 +0100
@@ -1,0 +2,8 @@
+Wed Feb 20 15:09:25 UTC 2019 - sndir...@suse.com
+
+- Update to version 1.0.8
+  * This release hardens xhost against corrupted or malicious responses from
+    the X server, as well as some minor bug & compatibility fixes, and general
+    janitorial maintenance.
+
+-------------------------------------------------------------------

Old:
----
  xhost-1.0.7.tar.bz2

New:
----
  xhost-1.0.8.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xhost.spec ++++++
--- /var/tmp/diff_new_pack.Bvbvst/_old  2019-02-24 18:37:23.679362441 +0100
+++ /var/tmp/diff_new_pack.Bvbvst/_new  2019-02-24 18:37:23.683362439 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package xhost
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           xhost
-Version:        1.0.7
+Version:        1.0.8
 Release:        0
 Summary:        Utility to control X server access
 License:        MIT
@@ -50,7 +50,7 @@
 
 %files
 %defattr(-,root,root)
-%doc AUTHORS ChangeLog COPYING README
+%doc AUTHORS ChangeLog COPYING README.md
 %{_bindir}/xhost
 %{_mandir}/man1/xhost.1%{?ext_man}
 

++++++ xhost-1.0.7.tar.bz2 -> xhost-1.0.8.tar.bz2 ++++++
++++ 5681 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/xhost-1.0.7/ChangeLog new/xhost-1.0.8/ChangeLog
--- old/xhost-1.0.7/ChangeLog   2015-04-17 08:28:32.000000000 +0200
+++ new/xhost-1.0.8/ChangeLog   2019-02-19 23:51:20.000000000 +0100
@@ -1,3 +1,96 @@
+commit 997135c6e37faa50f8b42a5f95c0cc8461ed6be9
+Author: Alan Coopersmith <alan.coopersm...@oracle.com>
+Date:   Tue Feb 19 14:50:20 2019 -0800
+
+    xhost 1.0.8
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
+
+commit 0ef87307f77e7e3df04b227046904cecbe6dd3f6
+Author: Alan Coopersmith <alan.coopersm...@oracle.com>
+Date:   Wed Nov 21 17:06:21 2018 -0800
+
+    Update configure.ac bug URL for gitlab migration
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
+
+commit 136e3be46cbd93a490483126b837f67c391129a1
+Author: Alan Coopersmith <alan.coopersm...@oracle.com>
+Date:   Fri Nov 16 22:15:54 2018 -0800
+
+    Update README for gitlab migration
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
+
+commit 317312bd23cf5c524932c6f12319ed3eed68d981
+Author: Alan Coopersmith <alan.coopersm...@oracle.com>
+Date:   Mon Nov 12 14:05:52 2018 -0800
+
+    Drop ancient workarounds for Cray that are no longer needed
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
+
+commit 62bfa9d421138ec538682eb0323fa9f438d6b2c7
+Author: Alan Coopersmith <alan.coopersm...@oracle.com>
+Date:   Mon Nov 12 13:27:55 2018 -0800
+
+    Prefer inet_aton, if available, over inet_addr
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
+
+commit 0c3627bc7dac395c6af8bd1fb747ef3556e95fb4
+Author: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date:   Wed Jul 4 16:20:06 2018 +0200
+
+    Prevent OOB access on illegal server response.
+    
+    While parsing Xorg responses it is possible to trigger an out of
+    boundary read if the response does not contain enough bytes.
+    
+    In case of IPv4, the padding normally prevents this, but IPv6
+    addresses can trigger an out of boundary read.
+    
+    It takes a hostile xorg-server to reproduce this issue. If
+    os/access.c is adjusted to always use a length of 1, it is possible
+    to reproduce it and make it visible with an ASAN-compiled xhost.
+    
+    Reading past the memory boundary could reveal sensitive information
+    to external DNS servers, because a lookup will be performed.
+    
+    Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+    Reviewed-by: Matthieu Herrb <matth...@herrb.eu>
+
+commit 28015d91e284ee4b797a6e99ec16d53147c0ddb6
+Author: Mihail Konev <k....@ya.ru>
+Date:   Thu Jan 26 14:00:21 2017 +1000
+
+    autogen: add default patch prefix
+    
+    Signed-off-by: Mihail Konev <k....@ya.ru>
+
+commit 3ee80cd398579c0f182ff7131ebfe7b65efed72b
+Author: Emil Velikov <emil.l.veli...@gmail.com>
+Date:   Mon Mar 9 12:00:52 2015 +0000
+
+    autogen.sh: use quoted string variables
+    
+    Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
+    fall-outs, when they contain space.
+    
+    Signed-off-by: Emil Velikov <emil.l.veli...@gmail.com>
+    Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net>
+    Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net>
+
+commit 991e4a8a26e9c03faa291b522067443a8d05af7a
+Author: Jon TURNEY <jon.tur...@dronecode.org.uk>
+Date:   Sun Sep 14 18:13:28 2014 +0100
+
+    Move sethostent()/gethostent() stubs used in Windows builds to avoid 
implicit-function-declaration warnings
+    
+    Signed-off-by: Jon TURNEY <jon.tur...@dronecode.org.uk>
+    Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com>
+    Reviewed-by: David Macek <david.mace...@gmail.com>
+
 commit 06d71376aa43f9177ec1e37ed1e4d0faca655cff
 Author: Alan Coopersmith <alan.coopersm...@oracle.com>
 Date:   Thu Apr 16 23:28:02 2015 -0700
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/xhost-1.0.7/Makefile.am new/xhost-1.0.8/Makefile.am
--- old/xhost-1.0.7/Makefile.am 2015-04-17 08:28:08.000000000 +0200
+++ new/xhost-1.0.8/Makefile.am 2019-02-19 23:51:09.000000000 +0100
@@ -18,4 +18,4 @@
 
 dist-hook: ChangeLog INSTALL
 
-
+EXTRA_DIST = README.md
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/xhost-1.0.7/README new/xhost-1.0.8/README
--- old/xhost-1.0.7/README      2015-04-17 08:28:08.000000000 +0200
+++ new/xhost-1.0.8/README      1970-01-01 01:00:00.000000000 +0100
@@ -1,26 +0,0 @@
-xhost is used to manage the list of host names or user names
-allowed to make connections to the X server.
-
-All questions regarding this software should be directed at the
-Xorg mailing list:
-
-        http://lists.freedesktop.org/mailman/listinfo/xorg
-
-Please submit bug reports to the Xorg bugzilla:
-
-        https://bugs.freedesktop.org/enter_bug.cgi?product=xorg
-
-The master development code repository can be found at:
-
-        git://anongit.freedesktop.org/git/xorg/app/xhost
-
-        http://cgit.freedesktop.org/xorg/app/xhost
-
-For patch submission instructions, see:
-
-       http://www.x.org/wiki/Development/Documentation/SubmittingPatches
-
-For more information on the git code manager, see:
-
-        http://wiki.x.org/wiki/GitPage
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/xhost-1.0.7/README.md new/xhost-1.0.8/README.md
--- old/xhost-1.0.7/README.md   1970-01-01 01:00:00.000000000 +0100
+++ new/xhost-1.0.8/README.md   2019-02-19 23:51:09.000000000 +0100
@@ -0,0 +1,18 @@
+xhost is used to manage the list of host names or user names
+allowed to make connections to the X server.
+
+All questions regarding this software should be directed at the
+Xorg mailing list:
+
+  https://lists.x.org/mailman/listinfo/xorg
+
+The master development code repository can be found at:
+
+  https://gitlab.freedesktop.org/xorg/app/xhost
+
+Please submit bug reports and requests to merge patches there.
+
+For patch submission instructions, see:
+
+  https://www.x.org/wiki/Development/Documentation/SubmittingPatches
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/xhost-1.0.7/config.h.in new/xhost-1.0.8/config.h.in
--- old/xhost-1.0.7/config.h.in 2015-04-17 08:28:13.000000000 +0200
+++ new/xhost-1.0.8/config.h.in 2019-02-19 23:51:12.000000000 +0100
@@ -9,6 +9,9 @@
 /* Define to 1 if you have the `authdes_seccreate' function. */
 #undef HAVE_AUTHDES_SECCREATE
 
+/* Define to 1 if you have the `inet_aton' function. */
+#undef HAVE_INET_ATON
+
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/xhost-1.0.7/configure.ac new/xhost-1.0.8/configure.ac
--- old/xhost-1.0.7/configure.ac        2015-04-17 08:28:08.000000000 +0200
+++ new/xhost-1.0.8/configure.ac        2019-02-19 23:51:09.000000000 +0100
@@ -2,8 +2,8 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([xhost], [1.0.7],
-        [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [xhost])
+AC_INIT([xhost], [1.0.8],
+        [https://gitlab.freedesktop.org/xorg/app/xhost/issues], [xhost])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
 
@@ -42,6 +42,9 @@
   ;;
 esac
 
+# Checks for library functions.
+AC_CHECK_FUNCS([inet_aton])
+
 AC_CONFIG_FILES([
        Makefile
        man/Makefile])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/xhost-1.0.7/xhost.c new/xhost-1.0.8/xhost.c
--- old/xhost-1.0.7/xhost.c     2015-04-17 08:28:08.000000000 +0200
+++ new/xhost-1.0.8/xhost.c     2019-02-19 23:51:09.000000000 +0100
@@ -160,6 +160,14 @@
 }
 #endif /* NEEDSOCKETS */
 
+#if defined(__CYGWIN__) || defined(WIN32)
+void sethostent(int x)
+{}
+
+void endhostent()
+{}
+#endif
+
 int
 main(int argc, char *argv[])
 {
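Review bot: The relocated stubs still declare `void endhostent()` without a prototype and leave the parameter `x` of `sethostent` unused. Writing `void endhostent(void)` and adding `(void) x;` to the `sethostent` body keeps the block quiet under `-Wstrict-prototypes` and `-Wunused-parameter`. A short comment above the `#if`, such as `/* no-op stubs: these platforms lack sethostent()/endhostent() */`, would record why they exist; that reason is inferred from the ChangeLog entry and is not stated in the code.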
@@ -501,13 +509,18 @@
     }
 #ifdef NEEDSOCKETS
     /*
-     * First see if inet_addr() can grok the name; if so, then use it.
+     * First see if inet_aton/inet_addr can grok the name; if so, then use it.
      */
     if (((family == FamilyWild) || (family == FamilyInternet)) &&
-       ((addr.s_addr = inet_addr(name)) != -1)) {
+#ifdef HAVE_INET_ATON
+       (inet_aton (name, &addr) != 0)
+#else
+       ((addr.s_addr = inet_addr(name)) != -1)
+#endif
+        ) {
        ha.family = FamilyInternet;
-       ha.length = 4;          /* but for Cray would be sizeof(addr.s_addr) */
-       ha.address = (char *)&addr; /* but for Cray would be &addr.s_addr */
+       ha.length = sizeof(addr.s_addr);
+       ha.address = (char *) &addr.s_addr;
        if (add) {
            XAddHost (dpy, &ha);
            printf ("%s %s\n", name, add_msg);
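Review bot: Both branches of the new `#ifdef HAVE_INET_ATON` condition accept more than strict dotted-quad input: `inet_aton` and `inet_addr` parse shorthand forms with fewer than four parts and read components with a leading `0` or `0x` as octal or hex, so a name such as `010.0.0.1` is added as 8.0.0.1 while the `printf` echoes the text the user typed. For a tool that edits the X server's access list this deserves a comment above the condition, e.g. `/* NB: accepts shorthand and octal/hex parts; the address added may differ from the text typed */`, or a move to `inet_pton(AF_INET, name, &addr) == 1` if strict parsing is acceptable to existing users. In the `#else` fallback, comparing against `INADDR_NONE` instead of `-1` states the intent, although 255.255.255.255 stays indistinguishable from failure there. The enclosing function starts and ends outside this hunk.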
@@ -674,6 +687,8 @@
 #endif
            sin->sin_family = AF_INET;
            sin->sin_port = 0;
+           if (sizeof(sin->sin_addr) > ha->length)
+               return "";
            memcpy(&sin->sin_addr, ha->address, sizeof(sin->sin_addr));
            saddrlen = sizeof(struct sockaddr_in);
        } else {
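Review bot: The added guard `if (sizeof(sin->sin_addr) > ha->length)` compares a `size_t` with `ha->length`, which is an `int` in Xlib's `XHostAddress`, so a negative length converts to a large unsigned value and passes the check; libX11 presumably never produces one, but a hardening check should not depend on that. Writing it as `if (ha->length < 0 || (size_t) ha->length < sizeof(sin->sin_addr)) return "";` closes the gap, and the same applies to the `sin6_addr` guard in the next hunk. Returning `""` also makes a truncated server reply look like a host with an empty name, so a one-line comment saying the short entry is skipped on purpose (or a message on stderr) would help whoever investigates a misbehaving server. The function's start and end lie outside both hunks, so the handling of other address families cannot be judged from here.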
@@ -683,6 +698,8 @@
 #endif
            sin6->sin6_family = AF_INET6;
            sin6->sin6_port = 0;
+           if (sizeof(sin6->sin6_addr) > ha->length)
+               return "";
            memcpy(&sin6->sin6_addr, ha->address, sizeof(sin6->sin6_addr));
            saddrlen = sizeof(struct sockaddr_in6);
        }
@@ -842,12 +859,3 @@
     XmuPrintDefaultErrorMessage (dpy, rep, stderr);
     return 0;
 }
-
-#if defined(__CYGWIN__) || defined(WIN32)
-void sethostent(int x)
-{}
-
-void endhostent()
-{}
-#endif
-

