commit libICE for openSUSE:Factory

2019-07-17 Thread root
Hello community,

here is the log from the commit of package libICE for openSUSE:Factory checked 
in at 2019-07-17 14:22:43

Comparing /work/SRC/openSUSE:Factory/libICE (Old)
 and  /work/SRC/openSUSE:Factory/.libICE.new.1887 (New)


Package is "libICE"

Wed Jul 17 14:22:43 2019 rev:10 rq:715444 version:1.0.10

Changes:

--- /work/SRC/openSUSE:Factory/libICE/libICE.changes2017-06-20 
10:57:22.509092315 +0200
+++ /work/SRC/openSUSE:Factory/.libICE.new.1887/libICE.changes  2019-07-17 
14:22:44.564185821 +0200
@@ -1,0 +2,15 @@
+Mon Jul 15 09:45:31 UTC 2019 - Stefan Dirsch 
+
+- Update to version 1.0.10
+  * This release provides a fix for CVE-2017-2626 for platforms 
+which don't have arc4random_buf() in their default libraries
+but do have getentropy(), such as Linux platforms with a kernel
+version of 3.17 or newer and a glibc version of 2.25 or newer.
+(libICE 1.0.9 already ensured that arc4random_buf() is used on
+platforms that have it to provide sufficient entropy in ICE
+key generation, but left other platforms with the weaker methods.
+Linux platforms could also have linked against libbsd to use
+arc4random_buf() with libICE 1.0.9 for stronger keys.)
+- supersedes U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+
+---
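Review bot: the "Update to version 1.0.10" entry names CVE-2017-2626 but drops the Bugzilla reference that the entry for the superseded patch carried as "(bnc#1025068, CVE-2017-2626)". Add bnc#1025068 to the new entry so the fix stays searchable by bug number once U_Use-getentropy-if-arc4random_buf-is-not-available.patch is no longer in the package.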

Old:

  U_Use-getentropy-if-arc4random_buf-is-not-available.patch
  libICE-1.0.9.tar.bz2

New:

  libICE-1.0.10.tar.bz2



Other differences:
--
++ libICE.spec ++
--- /var/tmp/diff_new_pack.Pkqlhh/_old  2019-07-17 14:22:44.964184731 +0200
+++ /var/tmp/diff_new_pack.Pkqlhh/_new  2019-07-17 14:22:44.968184720 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libICE
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,13 +12,13 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 Name:   libICE
 %define lname  libICE6
-Version:1.0.9
+Version:1.0.10
 Release:0
 Summary:X11 Inter-Client Exchange Library
 License:MIT
@@ -29,7 +29,6 @@
 #Git-Web:  http://cgit.freedesktop.org/xorg/lib/libICE/
 Source: 
http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 Source1:baselibs.conf
-Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires:autoconf >= 2.60, automake, libtool
 BuildRequires:  autoconf
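Review bot: the Source: line kept as context in this hunk still fetches the tarball over plain http, and the visible Source entries (the tarball and baselibs.conf) include no signature or keyring, although the previous hunk moved the bug-tracker comment to https. This is the release that carries the CVE-2017-2626 fix, so switch the URL to https if the server offers it, and add the upstream detached signature as a further Source if one is published, so the tarball can be verified at build time.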
@@ -81,7 +80,6 @@
 
 %prep
 %setup -q
-%patch0 -p1
 
 %build
 autoreconf -fi
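Review bot: with "%patch0 -p1" removed from %prep, the "autoreconf -fi" left as context in %build looks like a leftover, as does the "BuildRequires:  autoconf" kept in the previous hunk. Both arrived in the 2017 revision together with the patch, which modified configure.ac. If the 1.0.10 tarball ships a generated configure script, drop the autoreconf call and the autotools BuildRequires; if they are kept on purpose, add a spec comment saying why.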

++ libICE-1.0.9.tar.bz2 -> libICE-1.0.10.tar.bz2 ++
 29820 lines of diff (skipped)




commit libICE for openSUSE:Factory

2017-06-20 Thread root
Hello community,

here is the log from the commit of package libICE for openSUSE:Factory checked 
in at 2017-06-20 10:57:21

Comparing /work/SRC/openSUSE:Factory/libICE (Old)
 and  /work/SRC/openSUSE:Factory/.libICE.new (New)


Package is "libICE"

Tue Jun 20 10:57:21 2017 rev:9 rq:502905 version:1.0.9

Changes:

--- /work/SRC/openSUSE:Factory/libICE/libICE.changes2014-06-18 
07:52:48.0 +0200
+++ /work/SRC/openSUSE:Factory/.libICE.new/libICE.changes   2017-06-20 
10:57:22.509092315 +0200
@@ -1,0 +2,8 @@
+Sun Jun 11 18:00:24 UTC 2017 - sndir...@suse.com
+
+- U_Use-getentropy-if-arc4random_buf-is-not-available.patch
+  * Use getentropy() if arc4random_buf() is not available
+(bnc#1025068, CVE-2017-2626)
+- tagged baselibs.conf as source in specfile
+
+---

New:

  U_Use-getentropy-if-arc4random_buf-is-not-available.patch



Other differences:
--
++ libICE.spec ++
--- /var/tmp/diff_new_pack.Ao7XMN/_old  2017-06-20 10:57:23.077012265 +0200
+++ /var/tmp/diff_new_pack.Ao7XMN/_new  2017-06-20 10:57:23.077012265 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libICE
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,8 +28,13 @@
 #Git-Clone:git://anongit.freedesktop.org/xorg/lib/libICE
 #Git-Web:  http://cgit.freedesktop.org/xorg/lib/libICE/
 Source: 
http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
+Source1:baselibs.conf
+Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires:autoconf >= 2.60, automake, libtool
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(xorg-macros) >= 1.12
 BuildRequires:  pkgconfig(xproto)
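Review bot: the three added BuildRequires (autoconf, automake, libtool) carry no version, while the commented "#git#BuildRequires:autoconf >= 2.60, automake, libtool" line directly above them states a minimum autoconf. Carry ">= 2.60" over to the live BuildRequires and remove the #git# comment so there is a single list, and note next to Patch0 that these tools are needed only because the patch changes configure.ac, which makes them easy to drop once the patch is upstream.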
@@ -46,8 +51,8 @@
 
 %package -n %lname
 Summary:X11 Inter-Client Exchange Library
-Group:  System/Libraries
 # O/P added for 12.2
+Group:  System/Libraries
 Provides:   xorg-x11-libICE = 7.6_%version-%release
 Obsoletes:  xorg-x11-libICE < 7.6_%version-%release
 
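Review bot: moving "Group:  System/Libraries" below "# O/P added for 12.2" puts the Group tag between that comment and the Provides/Obsoletes lines it annotates. Keep the comment directly above "Provides:   xorg-x11-libICE = 7.6_%version-%release" and leave Group above it, as in the old layout.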
@@ -76,8 +81,10 @@
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
+autoreconf -fi
 %configure --docdir=%_docdir/%name --disable-static
 make %{?_smp_mflags}
 

++ U_Use-getentropy-if-arc4random_buf-is-not-available.patch ++
>From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001
From: Benjamin Tissoires 
Date: Tue, 4 Apr 2017 19:12:53 +0200
Subject: [PATCH] Use getentropy() if arc4random_buf() is not available

This allows to fix CVE-2017-2626 on Linux platforms without pulling in
libbsd.
The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
For Linux, we need at least a v3.17 kernel. If the recommended
arc4random_buf() function is not available, emulate it by first trying
to use getentropy() on a supported glibc and kernel. If the call fails,
fall back to the current (partly vulnerable) code.

Signed-off-by: Benjamin Tissoires 
Reviewed-by: Mark Kettenis 
Reviewed-by: Alan Coopersmith 
Signed-off-by: Peter Hutterer 
---
 configure.ac  |  2 +-
 src/iceauth.c | 65 ++-
 2 files changed, 47 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index 458882a..c971ab6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
 
 # Checks for library functions.
 AC_CHECK_LIB([bsd], [arc4random_buf])
-AC_CHECK_FUNCS([asprintf arc4random_buf])
+AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
 
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
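Review bot: adding getentropy to AC_CHECK_FUNCS only establishes that the symbol links at build time. According to the commit message the call can still fail at run time on a kernel older than v3.17, in which case the code drops back to what the message itself calls the "(partly vulnerable)" path. Say so in a comment next to the check, and consider having the fallback reported rather than taken quietly, since a binary built against glibc 2.25 otherwise gives no indication of which source produced the cookie.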
diff --git a/src/iceauth.c b/src/iceauth.c
index ed31683..de4785b 100644
--- a/src/iceauth.c
+++ b/src/iceauth.c
@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium
 
 static int was_called_state;
 
-/*
- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
- * the SI.  It is not part of standard ICElib.
- */
+#ifndef HAVE_ARC4RANDOM_BUF
 
-
-char *
-IceGenerateMagicCookie (
+static void
+emulate_getrandom_buf (
+   char *auth,
int len
 )
 {
-char*auth;
-#ifndef HAVE_ARC4RANDOM_BUF
 longldata[2];
 intseed;
 intvalue;
 inti;
-#endif
 
-if ((auth = malloc (len + 1)) == NULL)
-   return (NULL);
-
-#ifdef HAVE_ARC4RANDOM_BUF
-arc4random_buf(auth, len);
-#else
 #ifdef ITIMER_REAL
 {
struct timeva
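Review bot: the new static helper is called emulate_getrandom_buf, yet it is compiled under "#ifndef HAVE_ARC4RANDOM_BUF" and, per the commit message, stands in for arc4random_buf(); a name such as emulate_arc4random_buf would match what it replaces and avoid confusion with getrandom(). The helper also takes "int len" for a buffer size: getentropy() takes a size_t and rejects requests above 256 bytes, so the length should be checked, or the buffer filled in chunks, before the call.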

commit libICE for openSUSE:Factory

2014-06-17 Thread h_root
Hello community,

here is the log from the commit of package libICE for openSUSE:Factory checked 
in at 2014-06-18 07:50:35

Comparing /work/SRC/openSUSE:Factory/libICE (Old)
 and  /work/SRC/openSUSE:Factory/.libICE.new (New)


Package is "libICE"

Changes:

--- /work/SRC/openSUSE:Factory/libICE/libICE.changes2013-03-22 
11:26:45.0 +0100
+++ /work/SRC/openSUSE:Factory/.libICE.new/libICE.changes   2014-06-18 
07:52:48.0 +0200
@@ -1,0 +2,9 @@
+Tue Jun 10 15:32:39 UTC 2014 - sndir...@suse.com
+
+- Update to version 1.0.9
+  * This release fixes a number of issues found by static analysis and
+compiler warnings, and other minor code cleanups.  On systems with
+arc4random() in either libc or libbsd, it will now use that function
+for generating authentication cookies.
+
+---

Old:

  libICE-1.0.8.tar.bz2

New:

  libICE-1.0.9.tar.bz2



Other differences:
--
++ libICE.spec ++
--- /var/tmp/diff_new_pack.UjKLVV/_old  2014-06-18 07:52:49.0 +0200
+++ /var/tmp/diff_new_pack.UjKLVV/_new  2014-06-18 07:52:49.0 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libICE
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 Name:   libICE
 %define lname  libICE6
-Version:1.0.8
+Version:1.0.9
 Release:0
 Summary:X11 Inter-Client Exchange Library
 License:MIT

++ libICE-1.0.8.tar.bz2 -> libICE-1.0.9.tar.bz2 ++
 15791 lines of diff (skipped)

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org



commit libICE for openSUSE:Factory

2013-03-22 Thread h_root
Hello community,

here is the log from the commit of package libICE for openSUSE:Factory checked 
in at 2013-03-22 11:26:44

Comparing /work/SRC/openSUSE:Factory/libICE (Old)
 and  /work/SRC/openSUSE:Factory/.libICE.new (New)


Package is "libICE", Maintainer is ""

Changes:

--- /work/SRC/openSUSE:Factory/libICE/libICE.changes2012-05-08 
11:57:15.0 +0200
+++ /work/SRC/openSUSE:Factory/.libICE.new/libICE.changes   2013-03-22 
11:26:45.0 +0100
@@ -1,0 +2,5 @@
+Sun Feb 17 17:21:53 UTC 2013 - jeng...@inai.de
+
+- Use more robust make install call
+
+---



Other differences:
--
++ libICE.spec ++
--- /var/tmp/diff_new_pack.1Tep7N/_old  2013-03-22 11:26:45.0 +0100
+++ /var/tmp/diff_new_pack.1Tep7N/_new  2013-03-22 11:26:45.0 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libICE
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -82,7 +82,7 @@
 make %{?_smp_mflags}
 
 %install
-%makeinstall
+make install DESTDIR="%buildroot"
 rm -f "%buildroot/%_libdir"/*.la
 
 %post -n %lname -p /sbin/ldconfig




commit libICE for openSUSE:Factory

2012-05-08 Thread h_root
Hello community,

here is the log from the commit of package libICE for openSUSE:Factory checked 
in at 2012-05-08 11:57:02

Comparing /work/SRC/openSUSE:Factory/libICE (Old)
 and  /work/SRC/openSUSE:Factory/.libICE.new (New)


Package is "libICE", Maintainer is ""

Changes:

--- /work/SRC/openSUSE:Factory/libICE/libICE.changes2012-02-17 
12:01:17.0 +0100
+++ /work/SRC/openSUSE:Factory/.libICE.new/libICE.changes   2012-05-08 
11:57:15.0 +0200
@@ -1,0 +2,9 @@
+Wed Apr 11 15:03:16 UTC 2012 - vu...@opensuse.org
+
+- Update to version 1.0.8:
+  + Fix a number of issues found by static analysis and compiler
+warnings
+  + Large set of cleanups and improvements to the DocBook format
+specs for the protocol and docs for the API.
+
+---

Old:

  libICE-1.0.7.tar.bz2

New:

  libICE-1.0.8.tar.bz2



Other differences:
--
++ libICE.spec ++
--- /var/tmp/diff_new_pack.hmOC9y/_old  2012-05-08 11:57:16.0 +0200
+++ /var/tmp/diff_new_pack.hmOC9y/_new  2012-05-08 11:57:16.0 +0200
@@ -14,22 +14,26 @@
 
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
+
+
 Name:   libICE
 %define lname  libICE6
-Version:1.0.7
+Version:1.0.8
 Release:0
 Summary:X11 Inter-Client Exchange Library
 License:MIT
 Group:  Development/Libraries/C and C++
-URL:   http://xorg.freedesktop.org/
+Url:http://xorg.freedesktop.org/
 
 #Git-Clone:git://anongit.freedesktop.org/xorg/lib/libICE
 #Git-Web:  http://cgit.freedesktop.org/xorg/lib/libICE/
-Source: %name-%version.tar.bz2
-BuildRoot: %_tmppath/%name-%version-build
+Source: 
http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
+BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires:autoconf >= 2.60, automake, libtool
-BuildRequires:  pkgconfig, pkgconfig(xorg-macros) >= 1.10
-BuildRequires: pkgconfig(xproto), pkgconfig(xtrans)
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(xorg-macros) >= 1.12
+BuildRequires:  pkgconfig(xproto)
+BuildRequires:  pkgconfig(xtrans)
 
 %description
 There are numerous possible inter-client protocols, with many
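Review bot: the xorg-macros requirement rises from ">= 1.10" to ">= 1.12" in the split BuildRequires lines, and Source changes from "%name-%version.tar.bz2" to a download URL, but the changelog entry for 1.0.8 lists only the upstream changes. Add a changelog line for the spec changes, in particular the raised minimum version, so that a later build failure on older xorg-macros can be traced back to this revision.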

++ libICE-1.0.7.tar.bz2 -> libICE-1.0.8.tar.bz2 ++
 60342 lines of diff (skipped)
