Hello community, here is the log from the commit of package xorg-x11-server for openSUSE:Factory checked in at 2015-02-13 08:34:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old) and /work/SRC/openSUSE:Factory/.xorg-x11-server.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server" Changes: -------- --- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes 2015-02-10 20:17:43.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.xorg-x11-server.new/xorg-x11-server.changes 2015-02-13 08:34:16.000000000 +0100 @@ -1,0 +2,8 @@ +Tue Feb 10 23:27:48 UTC 2015 - tobias.johannes.klausm...@mni.thm.de + +- Update to version 1.17.1: + Fixes for CVE 2015-0255. + + xkb: Don't swap XkbSetGeometry data in the input buffer + + xkb: Check strings length against request size + +------------------------------------------------------------------- Old: ---- xorg-server-1.17.0.tar.bz2 New: ---- xorg-server-1.17.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xorg-x11-server.spec ++++++ --- /var/tmp/diff_new_pack.MzVQgN/_old 2015-02-13 08:34:18.000000000 +0100 +++ /var/tmp/diff_new_pack.MzVQgN/_new 2015-02-13 08:34:18.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package xorg-x11-server # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ Name: xorg-x11-server -%define dirsuffix 1.17.0 +%define dirsuffix 1.17.1 Summary: X License: MIT @@ -485,6 +485,7 @@ %{_sysconfdir}/rpm/macros.xorg-server %files source +%defattr(-,root,root) /usr/src/xserver %changelog ++++++ xorg-server-1.17.0.tar.bz2 -> xorg-server-1.17.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xorg-server-1.17.0/ChangeLog new/xorg-server-1.17.1/ChangeLog --- old/xorg-server-1.17.0/ChangeLog 2015-02-04 18:35:44.000000000 +0100 +++ new/xorg-server-1.17.1/ChangeLog 2015-02-10 23:50:11.000000000 +0100 @@ -1,3 +1,49 @@ +commit 3b0d1ba2266d2780bfc111bab74885b90458eca4 +Author: Keith Packard <kei...@keithp.com> +Date: Tue Feb 10 14:43:34 2015 -0800 + + Release 1.17.1 + + Signed-off-by: Keith Packard <kei...@keithp.com> + +commit f160e722672dbb2b5215870b47bcc51461d96ff1 +Author: Olivier Fourdan <ofour...@redhat.com> +Date: Fri Jan 16 08:44:45 2015 +0100 + + xkb: Check strings length against request size + + Ensure that the given strings length in an XkbSetGeometry request remain + within the limits of the size of the request. + + Signed-off-by: Olivier Fourdan <ofour...@redhat.com> + Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> + Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> + (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43) + +commit 29be310c303914090298ddda93a5bd5d00a94945 +Author: Olivier Fourdan <ofour...@redhat.com> +Date: Fri Jan 16 20:08:59 2015 +0100 + + xkb: Don't swap XkbSetGeometry data in the input buffer + + The XkbSetGeometry request embeds data which needs to be swapped when the + server and the client have different endianess. + + _XkbSetGeometry() invokes functions that swap these data directly in the + input buffer. + + However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once + (if there is more than one keyboard), thus causing on swapped clients the + same data to be swapped twice in memory, further causing a server crash + because the strings lengths on the second time are way off bounds. + + To allow _XkbSetGeometry() to run reliably more than once with swapped + clients, do not swap the data in the buffer, use variables instead. + + Signed-off-by: Olivier Fourdan <ofour...@redhat.com> + Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> + (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) + commit 28f6427aec1f5a1982e1c01eff45af0d401bf659 Author: Keith Packard <kei...@keithp.com> Date: Mon Feb 2 07:41:06 2015 +0100 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xorg-server-1.17.0/configure new/xorg-server-1.17.1/configure --- old/xorg-server-1.17.0/configure 2015-02-02 07:41:30.000000000 +0100 +++ new/xorg-server-1.17.1/configure 2015-02-10 23:49:52.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for xorg-server 1.17.0. +# Generated by GNU Autoconf 2.69 for xorg-server 1.17.1. # # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=xorg>. # @@ -651,8 +651,8 @@ # Identity of this package. PACKAGE_NAME='xorg-server' PACKAGE_TARNAME='xorg-server' -PACKAGE_VERSION='1.17.0' -PACKAGE_STRING='xorg-server 1.17.0' +PACKAGE_VERSION='1.17.1' +PACKAGE_STRING='xorg-server 1.17.1' PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=xorg' PACKAGE_URL='' @@ -2047,7 +2047,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures xorg-server 1.17.0 to adapt to many kinds of systems. +\`configure' configures xorg-server 1.17.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2117,7 +2117,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of xorg-server 1.17.0:";; + short | recursive ) echo "Configuration of xorg-server 1.17.1:";; esac cat <<\_ACEOF @@ -2564,7 +2564,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -xorg-server configure 1.17.0 +xorg-server configure 1.17.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3273,7 +3273,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by xorg-server $as_me 1.17.0, which was +It was created by xorg-server $as_me 1.17.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3621,8 +3621,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu -RELEASE_DATE="2015-02-02" -RELEASE_NAME="Côte de veau" +RELEASE_DATE="2015-02-10" +RELEASE_NAME="lambic" am__api_version='1.14' @@ -4140,7 +4140,7 @@ # Define the identity of the package. PACKAGE='xorg-server' - VERSION='1.17.0' + VERSION='1.17.1' cat >>confdefs.h <<_ACEOF @@ -32783,7 +32783,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by xorg-server $as_me 1.17.0, which was +This file was extended by xorg-server $as_me 1.17.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -32849,7 +32849,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -xorg-server config.status 1.17.0 +xorg-server config.status 1.17.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xorg-server-1.17.0/configure.ac new/xorg-server-1.17.1/configure.ac --- old/xorg-server-1.17.0/configure.ac 2015-02-02 07:40:17.000000000 +0100 +++ new/xorg-server-1.17.1/configure.ac 2015-02-10 23:43:52.000000000 +0100 @@ -26,9 +26,9 @@ dnl Process this file with autoconf to create configure. AC_PREREQ(2.60) -AC_INIT([xorg-server], 1.17.0, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) -RELEASE_DATE="2015-02-02" -RELEASE_NAME="Côte de veau" +AC_INIT([xorg-server], 1.17.1, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) +RELEASE_DATE="2015-02-10" +RELEASE_NAME="lambic" AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([foreign dist-bzip2]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xorg-server-1.17.0/os/Makefile.in new/xorg-server-1.17.1/os/Makefile.in --- old/xorg-server-1.17.0/os/Makefile.in 2015-02-02 07:41:37.000000000 +0100 +++ new/xorg-server-1.17.1/os/Makefile.in 2015-02-10 23:50:06.000000000 +0100 @@ -86,8 +86,8 @@ @BUSFAULT_TRUE@am__append_5 = $(BUSFAULT_SRCS) @SPECIAL_DTRACE_OBJECTS_TRUE@noinst_PROGRAMS = os.O$(EXEEXT) subdir = os -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am strcasecmp.c \ - strlcat.c strlcpy.c strcasestr.c strndup.c \ +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am strlcpy.c \ + strndup.c strcasestr.c strlcat.c strcasecmp.c \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ac_define_dir.m4 \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xorg-server-1.17.0/xkb/xkb.c new/xorg-server-1.17.1/xkb/xkb.c --- old/xorg-server-1.17.0/xkb/xkb.c 2015-01-18 00:42:52.000000000 +0100 +++ new/xorg-server-1.17.1/xkb/xkb.c 2015-02-10 23:40:00.000000000 +0100 @@ -4957,26 +4957,29 @@ /***====================================================================***/ -static char * -_GetCountedString(char **wire_inout, Bool swap) +static Status +_GetCountedString(char **wire_inout, ClientPtr client, char **str) { - char *wire, *str; - CARD16 len, *plen; + char *wire, *next; + CARD16 len; wire = *wire_inout; - plen = (CARD16 *) wire; - if (swap) { - swaps(plen); - } - len = *plen; - str = malloc(len + 1); - if (str) { - memcpy(str, &wire[2], len); - str[len] = '\0'; + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); } - wire += XkbPaddedSize(len + 2); - *wire_inout = wire; - return str; + next = wire + XkbPaddedSize(len + 2); + /* Check we're still within the size of the request */ + if (client->req_len < + bytes_to_int32(next - (char *) client->requestBuffer)) + return BadValue; + *str = malloc(len + 1); + if (!*str) + return BadAlloc; + memcpy(*str, &wire[2], len); + *(*str + len) = '\0'; + *wire_inout = next; + return Success; } static Status @@ -4985,25 +4988,29 @@ { char *wire; xkbDoodadWireDesc *dWire; + xkbAnyDoodadWireDesc any; + xkbTextDoodadWireDesc text; XkbDoodadPtr doodad; + Status status; dWire = (xkbDoodadWireDesc *) (*wire_inout); + any = dWire->any; wire = (char *) &dWire[1]; if (client->swapped) { - swapl(&dWire->any.name); - swaps(&dWire->any.top); - swaps(&dWire->any.left); - swaps(&dWire->any.angle); + swapl(&any.name); + swaps(&any.top); + swaps(&any.left); + swaps(&any.angle); } CHK_ATOM_ONLY(dWire->any.name); - doodad = XkbAddGeomDoodad(geom, section, dWire->any.name); + doodad = XkbAddGeomDoodad(geom, section, any.name); if (!doodad) return BadAlloc; doodad->any.type = dWire->any.type; doodad->any.priority = dWire->any.priority; - doodad->any.top = dWire->any.top; - doodad->any.left = dWire->any.left; - doodad->any.angle = dWire->any.angle; + doodad->any.top = any.top; + doodad->any.left = any.left; + doodad->any.angle = any.angle; switch (doodad->any.type) { case XkbOutlineDoodad: case XkbSolidDoodad: @@ -5026,15 +5033,22 @@ dWire->text.colorNdx); return BadMatch; } + text = dWire->text; if (client->swapped) { - swaps(&dWire->text.width); - swaps(&dWire->text.height); + swaps(&text.width); + swaps(&text.height); } - doodad->text.width = dWire->text.width; - doodad->text.height = dWire->text.height; + doodad->text.width = text.width; + doodad->text.height = text.height; doodad->text.color_ndx = dWire->text.colorNdx; - doodad->text.text = _GetCountedString(&wire, client->swapped); - doodad->text.font = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &doodad->text.text); + if (status != Success) + return status; + status = _GetCountedString(&wire, client, &doodad->text.font); + if (status != Success) { + free (doodad->text.text); + return status; + } break; case XkbIndicatorDoodad: if (dWire->indicator.onColorNdx >= geom->num_colors) { @@ -5069,7 +5083,9 @@ } doodad->logo.color_ndx = dWire->logo.colorNdx; doodad->logo.shape_ndx = dWire->logo.shapeNdx; - doodad->logo.logo_name = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &doodad->logo.logo_name); + if (status != Success) + return status; break; default: client->errorValue = _XkbErrCode2(0x4F, dWire->any.type); @@ -5301,18 +5317,20 @@ char *wire; wire = (char *) &req[1]; - geom->label_font = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &geom->label_font); + if (status != Success) + return status; for (i = 0; i < req->nProperties; i++) { char *name, *val; - name = _GetCountedString(&wire, client->swapped); - if (!name) - return BadAlloc; - val = _GetCountedString(&wire, client->swapped); - if (!val) { + status = _GetCountedString(&wire, client, &name); + if (status != Success) + return status; + status = _GetCountedString(&wire, client, &val); + if (status != Success) { free(name); - return BadAlloc; + return status; } if (XkbAddGeomProperty(geom, name, val) == NULL) { free(name); @@ -5346,9 +5364,9 @@ for (i = 0; i < req->nColors; i++) { char *name; - name = _GetCountedString(&wire, client->swapped); - if (!name) - return BadAlloc; + status = _GetCountedString(&wire, client, &name); + if (status != Success) + return status; if (!XkbAddGeomColor(geom, name, geom->num_colors)) { free(name); return BadAlloc; -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org