Hello community,
here is the log from the commit of package xorg-x11-server for openSUSE:Factory
checked in at 2015-02-13 08:34:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old)
and /work/SRC/openSUSE:Factory/.xorg-x11-server.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server"
Changes:
--------
--- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes
2015-02-10 20:17:43.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.xorg-x11-server.new/xorg-x11-server.changes
2015-02-13 08:34:16.000000000 +0100
@@ -1,0 +2,8 @@
+Tue Feb 10 23:27:48 UTC 2015 - tobias.johannes.klausm...@mni.thm.de
+
+- Update to version 1.17.1:
+ Fixes for CVE 2015-0255.
+ + xkb: Don't swap XkbSetGeometry data in the input buffer
+ + xkb: Check strings length against request size
+
+-------------------------------------------------------------------
Old:
----
xorg-server-1.17.0.tar.bz2
New:
----
xorg-server-1.17.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
--- /var/tmp/diff_new_pack.MzVQgN/_old 2015-02-13 08:34:18.000000000 +0100
+++ /var/tmp/diff_new_pack.MzVQgN/_new 2015-02-13 08:34:18.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package xorg-x11-server
#
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
Name: xorg-x11-server
-%define dirsuffix 1.17.0
+%define dirsuffix 1.17.1
Summary: X
License: MIT
@@ -485,6 +485,7 @@
%{_sysconfdir}/rpm/macros.xorg-server
%files source
+%defattr(-,root,root)
/usr/src/xserver
%changelog
++++++ xorg-server-1.17.0.tar.bz2 -> xorg-server-1.17.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/xorg-server-1.17.0/ChangeLog
new/xorg-server-1.17.1/ChangeLog
--- old/xorg-server-1.17.0/ChangeLog 2015-02-04 18:35:44.000000000 +0100
+++ new/xorg-server-1.17.1/ChangeLog 2015-02-10 23:50:11.000000000 +0100
@@ -1,3 +1,49 @@
+commit 3b0d1ba2266d2780bfc111bab74885b90458eca4
+Author: Keith Packard <kei...@keithp.com>
+Date: Tue Feb 10 14:43:34 2015 -0800
+
+ Release 1.17.1
+
+ Signed-off-by: Keith Packard <kei...@keithp.com>
+
+commit f160e722672dbb2b5215870b47bcc51461d96ff1
+Author: Olivier Fourdan <ofour...@redhat.com>
+Date: Fri Jan 16 08:44:45 2015 +0100
+
+ xkb: Check strings length against request size
+
+ Ensure that the given strings length in an XkbSetGeometry request remain
+ within the limits of the size of the request.
+
+ Signed-off-by: Olivier Fourdan <ofour...@redhat.com>
+ Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net>
+ Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net>
+ (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
+
+commit 29be310c303914090298ddda93a5bd5d00a94945
+Author: Olivier Fourdan <ofour...@redhat.com>
+Date: Fri Jan 16 20:08:59 2015 +0100
+
+ xkb: Don't swap XkbSetGeometry data in the input buffer
+
+ The XkbSetGeometry request embeds data which needs to be swapped when the
+ server and the client have different endianess.
+
+ _XkbSetGeometry() invokes functions that swap these data directly in the
+ input buffer.
+
+ However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
+ (if there is more than one keyboard), thus causing on swapped clients the
+ same data to be swapped twice in memory, further causing a server crash
+ because the strings lengths on the second time are way off bounds.
+
+ To allow _XkbSetGeometry() to run reliably more than once with swapped
+ clients, do not swap the data in the buffer, use variables instead.
+
+ Signed-off-by: Olivier Fourdan <ofour...@redhat.com>
+ Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net>
+ (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
+
commit 28f6427aec1f5a1982e1c01eff45af0d401bf659
Author: Keith Packard <kei...@keithp.com>
Date: Mon Feb 2 07:41:06 2015 +0100
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/xorg-server-1.17.0/configure
new/xorg-server-1.17.1/configure
--- old/xorg-server-1.17.0/configure 2015-02-02 07:41:30.000000000 +0100
+++ new/xorg-server-1.17.1/configure 2015-02-10 23:49:52.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for xorg-server 1.17.0.
+# Generated by GNU Autoconf 2.69 for xorg-server 1.17.1.
#
# Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=xorg>.
#
@@ -651,8 +651,8 @@
# Identity of this package.
PACKAGE_NAME='xorg-server'
PACKAGE_TARNAME='xorg-server'
-PACKAGE_VERSION='1.17.0'
-PACKAGE_STRING='xorg-server 1.17.0'
+PACKAGE_VERSION='1.17.1'
+PACKAGE_STRING='xorg-server 1.17.1'
PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=xorg'
PACKAGE_URL=''
@@ -2047,7 +2047,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures xorg-server 1.17.0 to adapt to many kinds of systems.
+\`configure' configures xorg-server 1.17.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -2117,7 +2117,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of xorg-server 1.17.0:";;
+ short | recursive ) echo "Configuration of xorg-server 1.17.1:";;
esac
cat <<\_ACEOF
@@ -2564,7 +2564,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-xorg-server configure 1.17.0
+xorg-server configure 1.17.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3273,7 +3273,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by xorg-server $as_me 1.17.0, which was
+It was created by xorg-server $as_me 1.17.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3621,8 +3621,8 @@
ac_compiler_gnu=$ac_cv_c_compiler_gnu
-RELEASE_DATE="2015-02-02"
-RELEASE_NAME="Côte de veau"
+RELEASE_DATE="2015-02-10"
+RELEASE_NAME="lambic"
am__api_version='1.14'
@@ -4140,7 +4140,7 @@
# Define the identity of the package.
PACKAGE='xorg-server'
- VERSION='1.17.0'
+ VERSION='1.17.1'
cat >>confdefs.h <<_ACEOF
@@ -32783,7 +32783,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by xorg-server $as_me 1.17.0, which was
+This file was extended by xorg-server $as_me 1.17.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -32849,7 +32849,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //;
s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-xorg-server config.status 1.17.0
+xorg-server config.status 1.17.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/xorg-server-1.17.0/configure.ac
new/xorg-server-1.17.1/configure.ac
--- old/xorg-server-1.17.0/configure.ac 2015-02-02 07:40:17.000000000 +0100
+++ new/xorg-server-1.17.1/configure.ac 2015-02-10 23:43:52.000000000 +0100
@@ -26,9 +26,9 @@
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.17.0,
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2015-02-02"
-RELEASE_NAME="Côte de veau"
+AC_INIT([xorg-server], 1.17.1,
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2015-02-10"
+RELEASE_NAME="lambic"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE([foreign dist-bzip2])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/xorg-server-1.17.0/os/Makefile.in
new/xorg-server-1.17.1/os/Makefile.in
--- old/xorg-server-1.17.0/os/Makefile.in 2015-02-02 07:41:37.000000000
+0100
+++ new/xorg-server-1.17.1/os/Makefile.in 2015-02-10 23:50:06.000000000
+0100
@@ -86,8 +86,8 @@
@BUSFAULT_TRUE@am__append_5 = $(BUSFAULT_SRCS)
@SPECIAL_DTRACE_OBJECTS_TRUE@noinst_PROGRAMS = os.O$(EXEEXT)
subdir = os
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am strcasecmp.c \
- strlcat.c strlcpy.c strcasestr.c strndup.c \
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am strlcpy.c \
+ strndup.c strcasestr.c strlcat.c strcasecmp.c \
$(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ac_define_dir.m4 \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/xorg-server-1.17.0/xkb/xkb.c
new/xorg-server-1.17.1/xkb/xkb.c
--- old/xorg-server-1.17.0/xkb/xkb.c 2015-01-18 00:42:52.000000000 +0100
+++ new/xorg-server-1.17.1/xkb/xkb.c 2015-02-10 23:40:00.000000000 +0100
@@ -4957,26 +4957,29 @@
/***====================================================================***/
-static char *
-_GetCountedString(char **wire_inout, Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
{
- char *wire, *str;
- CARD16 len, *plen;
+ char *wire, *next;
+ CARD16 len;
wire = *wire_inout;
- plen = (CARD16 *) wire;
- if (swap) {
- swaps(plen);
- }
- len = *plen;
- str = malloc(len + 1);
- if (str) {
- memcpy(str, &wire[2], len);
- str[len] = '\0';
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
}
- wire += XkbPaddedSize(len + 2);
- *wire_inout = wire;
- return str;
+ next = wire + XkbPaddedSize(len + 2);
+ /* Check we're still within the size of the request */
+ if (client->req_len <
+ bytes_to_int32(next - (char *) client->requestBuffer))
+ return BadValue;
+ *str = malloc(len + 1);
+ if (!*str)
+ return BadAlloc;
+ memcpy(*str, &wire[2], len);
+ *(*str + len) = '\0';
+ *wire_inout = next;
+ return Success;
}
static Status
@@ -4985,25 +4988,29 @@
{
char *wire;
xkbDoodadWireDesc *dWire;
+ xkbAnyDoodadWireDesc any;
+ xkbTextDoodadWireDesc text;
XkbDoodadPtr doodad;
+ Status status;
dWire = (xkbDoodadWireDesc *) (*wire_inout);
+ any = dWire->any;
wire = (char *) &dWire[1];
if (client->swapped) {
- swapl(&dWire->any.name);
- swaps(&dWire->any.top);
- swaps(&dWire->any.left);
- swaps(&dWire->any.angle);
+ swapl(&any.name);
+ swaps(&any.top);
+ swaps(&any.left);
+ swaps(&any.angle);
}
CHK_ATOM_ONLY(dWire->any.name);
- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
+ doodad = XkbAddGeomDoodad(geom, section, any.name);
if (!doodad)
return BadAlloc;
doodad->any.type = dWire->any.type;
doodad->any.priority = dWire->any.priority;
- doodad->any.top = dWire->any.top;
- doodad->any.left = dWire->any.left;
- doodad->any.angle = dWire->any.angle;
+ doodad->any.top = any.top;
+ doodad->any.left = any.left;
+ doodad->any.angle = any.angle;
switch (doodad->any.type) {
case XkbOutlineDoodad:
case XkbSolidDoodad:
@@ -5026,15 +5033,22 @@
dWire->text.colorNdx);
return BadMatch;
}
+ text = dWire->text;
if (client->swapped) {
- swaps(&dWire->text.width);
- swaps(&dWire->text.height);
+ swaps(&text.width);
+ swaps(&text.height);
}
- doodad->text.width = dWire->text.width;
- doodad->text.height = dWire->text.height;
+ doodad->text.width = text.width;
+ doodad->text.height = text.height;
doodad->text.color_ndx = dWire->text.colorNdx;
- doodad->text.text = _GetCountedString(&wire, client->swapped);
- doodad->text.font = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->text.text);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &doodad->text.font);
+ if (status != Success) {
+ free (doodad->text.text);
+ return status;
+ }
break;
case XkbIndicatorDoodad:
if (dWire->indicator.onColorNdx >= geom->num_colors) {
@@ -5069,7 +5083,9 @@
}
doodad->logo.color_ndx = dWire->logo.colorNdx;
doodad->logo.shape_ndx = dWire->logo.shapeNdx;
- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+ if (status != Success)
+ return status;
break;
default:
client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
@@ -5301,18 +5317,20 @@
char *wire;
wire = (char *) &req[1];
- geom->label_font = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &geom->label_font);
+ if (status != Success)
+ return status;
for (i = 0; i < req->nProperties; i++) {
char *name, *val;
- name = _GetCountedString(&wire, client->swapped);
- if (!name)
- return BadAlloc;
- val = _GetCountedString(&wire, client->swapped);
- if (!val) {
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &val);
+ if (status != Success) {
free(name);
- return BadAlloc;
+ return status;
}
if (XkbAddGeomProperty(geom, name, val) == NULL) {
free(name);
@@ -5346,9 +5364,9 @@
for (i = 0; i < req->nColors; i++) {
char *name;
- name = _GetCountedString(&wire, client->swapped);
- if (!name)
- return BadAlloc;
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
free(name);
return BadAlloc;
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
