OpenBSD X11 changes summary for 2017-10-08 to 2017-10-15 inclusive ==================================================================
app lib xserver == app =============================================================== 01/03 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/X11/app app - xdm/AUTHORS - xdm/COPYING - xdm/ChangeLog - xdm/INSTALL - xdm/Makefile.am - xdm/Makefile.bsd-wrapper - xdm/Makefile.in - xdm/README - xdm/aclocal.m4 - xdm/compile - xdm/config.guess - xdm/config.h.in - xdm/config.sub - xdm/configure - xdm/configure.ac - xdm/cpprules.in - xdm/depcomp - xdm/install-sh - xdm/ltmain.sh - xdm/missing - xdm/xdm.service.in - xdm/app-defaults/Chooser - xdm/app-defaults/Makefile.am - xdm/app-defaults/Makefile.in - xdm/chooser/Makefile.am - xdm/chooser/Makefile.in - xdm/chooser/chooser.c - xdm/config/GiveConsole - xdm/config/Makefile.am - xdm/config/Makefile.in - xdm/config/OpenBSD_15bpp.xpm - xdm/config/OpenBSD_1bpp.xpm - xdm/config/OpenBSD_4bpp.xpm - xdm/config/OpenBSD_8bpp.xpm - xdm/config/README - xdm/config/TakeConsole - xdm/config/Xaccess - xdm/config/Xreset.cpp - xdm/config/Xresources.cpp - xdm/config/Xservers.fs - xdm/config/Xservers.ws.cpp - xdm/config/Xsession.cpp - xdm/config/Xsetup_0 - xdm/config/Xstartup.cpp - xdm/config/Xwilling - xdm/config/xdm-config.cpp - xdm/config/xorg-bw.xpm - xdm/config/xorg.xpm - xdm/greeter/Login.c - xdm/greeter/Login.h - xdm/greeter/LoginP.h - xdm/greeter/Makefile.am - xdm/greeter/Makefile.in - xdm/greeter/greet.c - xdm/greeter/verify.c - xdm/include/Makefile.am - xdm/include/Makefile.in - xdm/include/dm.h - xdm/include/dm_auth.h - xdm/include/dm_error.h - xdm/include/dm_socket.h - xdm/include/greet.h - xdm/m4/ax_define_dir.m4 - xdm/m4/libtool.m4 - xdm/m4/ltoptions.m4 - xdm/m4/ltsugar.m4 - xdm/m4/ltversion.m4 - xdm/m4/lt~obsolete.m4 - xdm/man/Makefile.am - xdm/man/Makefile.in - xdm/man/xdm.man - xdm/man/xdmshell.man - xdm/xdm/Makefile.am - xdm/xdm/Makefile.in - xdm/xdm/access.c - xdm/xdm/auth.c - xdm/xdm/choose.c - xdm/xdm/daemon.c - xdm/xdm/dm.c - xdm/xdm/dpylist.c - xdm/xdm/error.c - xdm/xdm/file.c - xdm/xdm/genauth.c - xdm/xdm/krb5auth.c - xdm/xdm/mitauth.c - xdm/xdm/netaddr.c - xdm/xdm/policy.c - xdm/xdm/prngc.c - xdm/xdm/protodpy.c - xdm/xdm/reset.c - xdm/xdm/resource.c - xdm/xdm/rpcauth.c - xdm/xdm/server.c - xdm/xdm/session.c - xdm/xdm/socket.c - xdm/xdm/streams.c - xdm/xdm/util.c - xdm/xdm/xdmauth.c - xdm/xdm/xdmcp.c - xdm/xdmshell/Makefile.am - xdm/xdmshell/Makefile.in - xdm/xdmshell/xdmshell.c > Remove xdm. Unhooked since more than 6 months. (matthieu@) == lib =============================================================== 02/03 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/X11/lib lib ~ libXfont/src/fontfile/fontdir.c > MFC: Check for end of string in PatternMatch (CVE-2017-13720) > If a pattern contains '?' character, any character in the string is > skipped, > even if it is '\0'. The rest of the matching then reads invalid memory. > (matthieu@) ~ libXfont/src/bitmap/pcfread.c > MFC: pcfGetProperties: Check string boundaries (CVE-2017-13722) > Without the checks a malformed PCF file can cause the library to make > atom from random heap memory that was behind the `strings` buffer. > This may crash the process or leak information. (matthieu@) == xserver =========================================================== 03/03 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/X11/xserver xserver ~ Xext/shm.c > MFC: Xext/shm: Validate shmseg resource id (CVE-2017-13721) > Otherwise it can belong to a non-existing client and abort X server with > FatalError "client not in use", or overwrite existing segment of another > existing client. (matthieu@) ~ xkb/xkbtext.c > MFC: xkb: Escape non-printable characters correctly > XkbStringText escapes non-printable characters using octal numbers. > Such escape sequence would be at most 5 characters long ("\0123"), so > it reserves 5 bytes in the buffer. Due to char->unsigned int > conversion, it would print much longer string for negative numbers. > (matthieu@) ~ xkb/xkbtext.c > MFC: xkb: Handle xkb formated string output safely (CVE-2017-13723) > Generating strings for XKB data used a single shared static buffer, > which offered several opportunities for errors. Use a ring of > resizable buffers instead, to avoid problems when strings end up > longer than anticipated. (matthieu@) ~ os/io.c > MFC: os: Make sure big requests have sufficient length. > A client can send a big request where the 32B "length" field has value > 0. When the big request header is removed and the length corrected, > the value will underflow to 0xFFFFFFFF. Functions processing the > request later will think that the client sent much more data and may > touch memory beyond the receive buffer. (matthieu@) ~ Xext/panoramiX.c ~ Xext/saver.c ~ Xext/xres.c ~ Xext/xvdisp.c ~ hw/dmx/dmxpict.c ~ pseudoramiX/pseudoramiX.c ~ render/render.c > MFC: Unvalidated lengths > v2: Add overflow check and remove unnecessary check (Julien Cristau) > This addresses: > CVE-2017-12184 in XINERAMA > CVE-2017-12185 in MIT-SCREEN-SAVER > CVE-2017-12186 in X-Resource > CVE-2017-12187 in RENDER (matthieu@) ~ xfixes/cursor.c ~ xfixes/region.c ~ xfixes/saveset.c ~ xfixes/xfixes.c > MFC: xfixes: unvalidated lengths (CVE-2017-12183) > v2: Use before swap (Jeremy Huddleston Sequoia) > v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith) (matthieu@) ~ Xext/vidmode.c ~ hw/xfree86/common/xf86DGA.c ~ hw/xfree86/dri/xf86dri.c > MFC: hw/xfree86: unvalidated lengths > This addresses: > CVE-2017-12180 in XFree86-VidModeExtension > CVE-2017-12181 in XFree86-DGA > CVE-2017-12182 in XFree86-DRI (matthieu@) ~ Xi/xibarriers.c > MFC: Xi: Test exact size of XIBarrierReleasePointer > Otherwise a client can send any value of num_barriers and cause > reading or swapping of values on heap behind the receive buffer. > (matthieu@) ~ Xi/xibarriers.c > MFC: Xi: integer overflow and unvalidated length in > (S)ProcXIBarrierReleasePointer > [jcristau: originally this patch fixed the same issue as commit > 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the > addition of these checks] > This addresses CVE-2017-12179 (matthieu@) ~ Xi/xichangehierarchy.c > MFC: Xi: fix wrong extra length check in ProcXIChangeHierarchy > (CVE-2017-12178) (matthieu@) ~ dbe/dbe.c > MFC: dbe: Unvalidated variable-length request in > ProcDbeGetVisualInfo (CVE-2017-12177) > v2: Protect against integer overflow (Alan Coopersmith) (matthieu@) ~ dix/dispatch.c > MFC: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176) > (matthieu@) =============================================================================== _______________________________________________ owc mailing list [email protected] http://www.squish.net/mailman/listinfo/owc
