Hello community,
here is the log from the commit of package libXrandr.5949 for openSUSE:13.2:Update checked in at 2016-12-07 11:37:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/libXrandr.5949 (Old)
and /work/SRC/openSUSE:13.2:Update/.libXrandr.5949.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXrandr.5949"
Changes:
--------
New Changes file:
--- /dev/null 2016-10-27 01:54:32.792041256 +0200
+++ /work/SRC/openSUSE:13.2:Update/.libXrandr.5949.new/libXrandr.changes 2016-12-07 11:37:01.000000000 +0100
@@ -0,0 +1,47 @@
+-------------------------------------------------------------------
+Wed Nov 23 11:34:26 UTC 2016 - sndirsch@suse.com
+
+- U_Avoid-out-of-boundary-accesses-on-illegal-responses.patch
+ * insufficient validation of data from the X server can cause out
+ of boundary memory writes. (bnc#1003000, CVE-2016-7947, CVE-2016-7948)
+
+-------------------------------------------------------------------
+Sun Sep 8 13:54:25 UTC 2013 - tobias.johannes.klausmann@mni.thm.de
+
+- Update to version 1.4.2:
+ This release fixes two small bugs in the library, and fixes an omission
+ in the list of copyright notices in the COPYING file.
+
+-------------------------------------------------------------------
+Sat Jun 1 20:21:52 UTC 2013 - tobias.johannes.klausmann@mni.thm.de
+
+- Update to version 1.4.1:
+ This release brings the fixes for the recently announced security issue
+ CVE-2013-1986, with some related hardening to avoid other issues, alongside
+ a couple small build configuration & compiler warning fixes.
+
+-------------------------------------------------------------------
+Sun Feb 17 17:21:53 UTC 2013 - jengelh@inai.de
+
+- Use more robust make install call
+- Avoid calling fdupes outside of /usr
+
+-------------------------------------------------------------------
+Fri Jul 27 21:42:04 UTC 2012 - tobias.johannes.klausmann@mni.thm.de
+
+- Update to version 1.4.0:
+ + Strip trailing whitespace
+ + Fill in nameLen in XRROutputInfo
+ + libXrandr: add support for provider objects.
+
+-------------------------------------------------------------------
+Wed Apr 11 15:39:12 UTC 2012 - vuntz@opensuse.org
+
+- Update to version 1.3.2:
+ + Man page improvements
+ + Build configuration improvements
+
+-------------------------------------------------------------------
+Tue Feb 7 22:17:49 UTC 2012 - jengelh@medozas.de
+
+- Split xorg-x11-libs into separate packages
New:
----
U_Avoid-out-of-boundary-accesses-on-illegal-responses.patch
baselibs.conf
libXrandr-1.4.2.tar.bz2
libXrandr.changes
libXrandr.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libXrandr.spec ++++++
#
# spec file for package libXrandr
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: libXrandr
%define lname libXrandr2
Version: 1.4.2
Release: 0
Summary: X Resize, Rotate and Reflection extension library
License: MIT
Group: Development/Libraries/C and C++
Url: http://xorg.freedesktop.org/
#Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXrandr
#Git-Web: http://cgit.freedesktop.org/xorg/lib/libXrandr/
Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
Patch0: U_Avoid-out-of-boundary-accesses-on-illegal-responses.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: autoconf >= 2.60
BuildRequires: automake
BuildRequires: fdupes
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: pkgconfig(randrproto) >= 1.3
BuildRequires: pkgconfig(renderproto)
BuildRequires: pkgconfig(x11)
BuildRequires: pkgconfig(xext)
BuildRequires: pkgconfig(xextproto)
BuildRequires: pkgconfig(xorg-macros) >= 1.8
BuildRequires: pkgconfig(xrender)
%description
The X Resize, Rotate and Reflect Extension (RandR) allows clients to
dynamically change X screens, so as to resize, to change the
orientation and layout of the root window of a screen.
%package -n %lname
Summary: X Resize, Rotate and Reflection extension library
Group: System/Libraries
%description -n %lname
The X Resize, Rotate and Reflect Extension (RandR) allows clients to
dynamically change X screens, so as to resize, to change the
orientation and layout of the root window of a screen.
%package devel
Summary: Development files for the X Resize-Rotate-Reflection library
Group: Development/Libraries/C and C++
Requires: %lname = %version
%description devel
The X Resize, Rotate and Reflect Extension (RandR) allows clients to
dynamically change X screens, so as to resize, to change the
orientation and layout of the root window of a screen.
This package contains the development headers for the library found
in %lname.
%prep
%setup -q
%patch0 -p1
%build
autoreconf -fi
%configure --disable-static
make %{?_smp_mflags}
%install
make install DESTDIR="%buildroot"
rm -f "%buildroot/%_libdir"/*.la
%fdupes %buildroot/%_prefix
%post -n %lname -p /sbin/ldconfig
%postun -n %lname -p /sbin/ldconfig
%files -n %lname
%defattr(-,root,root)
%_libdir/libXrandr.so.2*
%files devel
%defattr(-,root,root)
%_includedir/X11/*
%_libdir/libXrandr.so
%_libdir/pkgconfig/xrandr.pc
%_mandir/man3/*
%changelog
++++++ U_Avoid-out-of-boundary-accesses-on-illegal-responses.patch ++++++
From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 25 Sep 2016 22:21:40 +0200
Subject: [PATCH] Avoid out of boundary accesses on illegal responses
The responses of the connected X server have to be properly checked
to avoid out of boundary accesses that could otherwise be triggered
by a malicious server.
Signed-off-by: Tobias Stoeckmann
Reviewed-by: Matthieu Herrb
---
src/XrrConfig.c | 32 +++++++++++++--------
src/XrrCrtc.c | 83 ++++++++++++++++++++++++++++++++++++++++++-------------
src/XrrMonitor.c | 18 ++++++++++++
src/XrrOutput.c | 11 ++++++++
src/XrrProvider.c | 28 ++++++++++++++++---
src/XrrScreen.c | 52 ++++++++++++++++++++++------------
6 files changed, 172 insertions(+), 52 deletions(-)
Index: libXrandr-1.4.2/src/XrrConfig.c
===================================================================
--- libXrandr-1.4.2.orig/src/XrrConfig.c
+++ libXrandr-1.4.2/src/XrrConfig.c
@@ -29,6 +29,7 @@
#include
#endif
+#include
#include
#include
/* we need to be able to manipulate the Display structure on events */
@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetSc
rep.rate = 0;
rep.nrateEnts = 0;
}
+ if (rep.length < INT_MAX >> 2) {
+ nbytes = (long) rep.length << 2;
- nbytes = (long) rep.length << 2;
+ nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
+ ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
- nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
- ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
+ /*
+ * first we must compute how much space to allocate for
+ * randr library's use; we'll allocate the structures in a single
+ * allocation, on cleanlyness grounds.
+ */
+
+ rbytes = sizeof (XRRScreenConfiguration) +
+ (rep.nSizes * sizeof (XRRScreenSize) +
+ rep.nrateEnts * sizeof (int));
- /*
- * first we must compute how much space to allocate for
- * randr library's use; we'll allocate the structures in a single
- * allocation, on cleanlyness grounds.
- */
-
- rbytes = sizeof (XRRScreenConfiguration) +
- (rep.nSizes * sizeof (XRRScreenSize) +
- rep.nrateEnts * sizeof (int));
+ scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
+ } else {
+ nbytes = 0;
+ nbytesRead = 0;
+ rbytes = 0;
+ scp = NULL;
+ }
- scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
if (scp == NULL) {
_XEatData (dpy, (unsigned long) nbytes);
return NULL;
Index: libXrandr-1.4.2/src/XrrCrtc.c
===================================================================
--- libXrandr-1.4.2.orig/src/XrrCrtc.c
+++ libXrandr-1.4.2/src/XrrCrtc.c
@@ -24,6 +24,7 @@
#include
#endif
+#include
#include
#include
/* we need to be able to manipulate the Display structure on events */
@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenR
return NULL;
}
- nbytes = (long) rep.length << 2;
+ if (rep.length < INT_MAX >> 2)
+ {
+ nbytes = (long) rep.length << 2;
- nbytesRead = (long) (rep.nOutput * 4 +
- rep.nPossibleOutput * 4);
+ nbytesRead = (long) (rep.nOutput * 4 +
+ rep.nPossibleOutput * 4);
- /*
- * first we must compute how much space to allocate for
- * randr library's use; we'll allocate the structures in a single
- * allocation, on cleanlyness grounds.
- */
+ /*
+ * first we must compute how much space to allocate for
+ * randr library's use; we'll allocate the structures in a single
+ * allocation, on cleanlyness grounds.
+ */
+
+ rbytes = (sizeof (XRRCrtcInfo) +
+ rep.nOutput * sizeof (RROutput) +
+ rep.nPossibleOutput * sizeof (RROutput));
- rbytes = (sizeof (XRRCrtcInfo) +
- rep.nOutput * sizeof (RROutput) +
- rep.nPossibleOutput * sizeof (RROutput));
+ xci = (XRRCrtcInfo *) Xmalloc(rbytes);
+ }
+ else
+ {
+ nbytes = 0;
+ nbytesRead = 0;
+ rbytes = 0;
+ xci = NULL;
+ }
- xci = (XRRCrtcInfo *) Xmalloc(rbytes);
if (xci == NULL) {
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc cr
if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
goto out;
- nbytes = (long) rep.length << 2;
+ if (rep.length < INT_MAX >> 2)
+ {
+ nbytes = (long) rep.length << 2;
- /* three channels of CARD16 data */
- nbytesRead = (rep.size * 2 * 3);
+ /* three channels of CARD16 data */
+ nbytesRead = (rep.size * 2 * 3);
- crtc_gamma = XRRAllocGamma (rep.size);
+ crtc_gamma = XRRAllocGamma (rep.size);
+ }
+ else
+ {
+ nbytes = 0;
+ nbytesRead = 0;
+ crtc_gamma = NULL;
+ }
if (!crtc_gamma)
{
@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy,
xRRGetCrtcTransformReq *req;
int major_version, minor_version;
XRRCrtcTransformAttributes *attr;
- char *extra = NULL, *e;
+ char *extra = NULL, *end = NULL, *e;
int p;
*attributes = NULL;
@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy,
else
{
int extraBytes = rep.length * 4 - CrtcTransformExtra;
- extra = Xmalloc (extraBytes);
+ if (rep.length < INT_MAX / 4 &&
+ rep.length * 4 >= CrtcTransformExtra) {
+ extra = Xmalloc (extraBytes);
+ end = extra + extraBytes;
+ } else
+ extra = NULL;
if (!extra) {
- _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
+ if (rep.length > (CrtcTransformExtra >> 2))
+ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
+ else
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return False;
@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display *dpy,
e = extra;
+ if (e + rep.pendingNbytesFilter > end) {
+ XFree (extra);
+ return False;
+ }
memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
e += (rep.pendingNbytesFilter + 3) & ~3;
for (p = 0; p < rep.pendingNparamsFilter; p++) {
INT32 f;
+ if (e + 4 > end) {
+ XFree (extra);
+ return False;
+ }
memcpy (&f, e, 4);
e += 4;
attr->pendingParams[p] = (XFixed) f;
}
attr->pendingNparams = rep.pendingNparamsFilter;
+ if (e + rep.currentNbytesFilter > end) {
+ XFree (extra);
+ return False;
+ }
memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
attr->currentFilter[rep.currentNbytesFilter] = '\0';
e += (rep.currentNbytesFilter + 3) & ~3;
for (p = 0; p < rep.currentNparamsFilter; p++) {
INT32 f;
+ if (e + 4 > end) {
+ XFree (extra);
+ return False;
+ }
memcpy (&f, e, 4);
e += 4;
attr->currentParams[p] = (XFixed) f;
Index: libXrandr-1.4.2/src/XrrOutput.c
===================================================================
--- libXrandr-1.4.2.orig/src/XrrOutput.c
+++ libXrandr-1.4.2/src/XrrOutput.c
@@ -25,6 +25,7 @@
#include
#endif
+#include
#include
#include
/* we need to be able to manipulate the Display structure on events */
@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScree
return NULL;
}
+ if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
+ {
+ if (rep.length > (OutputInfoExtra >> 2))
+ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
+ else
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+ }
nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
nbytesRead = (long) (rep.nCrtcs * 4 +
Index: libXrandr-1.4.2/src/XrrProvider.c
===================================================================
--- libXrandr-1.4.2.orig/src/XrrProvider.c
+++ libXrandr-1.4.2/src/XrrProvider.c
@@ -25,6 +25,7 @@
#include
#endif
+#include
#include
#include
/* we need to be able to manipulate the Display structure on events */
@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Wi
return NULL;
}
- nbytes = (long) rep.length << 2;
+ if (rep.length < INT_MAX >> 2) {
+ nbytes = (long) rep.length << 2;
- nbytesRead = (long) (rep.nProviders * 4);
+ nbytesRead = (long) (rep.nProviders * 4);
- rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider));
- xrpr = (XRRProviderResources *) Xmalloc(rbytes);
+ rbytes = (sizeof(XRRProviderResources) + rep.nProviders *
+ sizeof(RRProvider));
+ xrpr = (XRRProviderResources *) Xmalloc(rbytes);
+ } else {
+ nbytes = 0;
+ nbytesRead = 0;
+ rbytes = 0;
+ xrpr = NULL;
+ }
if (xrpr == NULL) {
_XEatDataWords (dpy, rep.length);
@@ -119,6 +128,17 @@ XRRGetProviderInfo(Display *dpy, XRRScre
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
+ }
+
+ if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2)
+ {
+ if (rep.length < ProviderInfoExtra >> 2)
+ _XEatDataWords (dpy, rep.length);
+ else
+ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
}
nbytes = ((long) rep.length << 2) - ProviderInfoExtra;
Index: libXrandr-1.4.2/src/XrrScreen.c
===================================================================
--- libXrandr-1.4.2.orig/src/XrrScreen.c
+++ libXrandr-1.4.2/src/XrrScreen.c
@@ -24,6 +24,7 @@
#include
#endif
+#include
#include
#include
/* we need to be able to manipulate the Display structure on events */
@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Wind
xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
}
- nbytes = (long) rep.length << 2;
+ if (rep.length < INT_MAX >> 2) {
+ nbytes = (long) rep.length << 2;
- nbytesRead = (long) (rep.nCrtcs * 4 +
- rep.nOutputs * 4 +
- rep.nModes * SIZEOF (xRRModeInfo) +
- ((rep.nbytesNames + 3) & ~3));
-
- /*
- * first we must compute how much space to allocate for
- * randr library's use; we'll allocate the structures in a single
- * allocation, on cleanlyness grounds.
- */
-
- rbytes = (sizeof (XRRScreenResources) +
- rep.nCrtcs * sizeof (RRCrtc) +
- rep.nOutputs * sizeof (RROutput) +
- rep.nModes * sizeof (XRRModeInfo) +
- rep.nbytesNames + rep.nModes); /* '\0' terminate names */
+ nbytesRead = (long) (rep.nCrtcs * 4 +
+ rep.nOutputs * 4 +
+ rep.nModes * SIZEOF (xRRModeInfo) +
+ ((rep.nbytesNames + 3) & ~3));
+
+ /*
+ * first we must compute how much space to allocate for
+ * randr library's use; we'll allocate the structures in a single
+ * allocation, on cleanlyness grounds.
+ */
+
+ rbytes = (sizeof (XRRScreenResources) +
+ rep.nCrtcs * sizeof (RRCrtc) +
+ rep.nOutputs * sizeof (RROutput) +
+ rep.nModes * sizeof (XRRModeInfo) +
+ rep.nbytesNames + rep.nModes); /* '\0' terminate names */
+
+ xrsr = (XRRScreenResources *) Xmalloc(rbytes);
+ wire_names = (char *) Xmalloc (rep.nbytesNames);
+ } else {
+ nbytes = 0;
+ nbytesRead = 0;
+ rbytes = 0;
+ xrsr = NULL;
+ wire_names = NULL;
+ }
- xrsr = (XRRScreenResources *) Xmalloc(rbytes);
- wire_names = (char *) Xmalloc (rep.nbytesNames);
if (xrsr == NULL || wire_names == NULL) {
if (xrsr) Xfree (xrsr);
if (wire_names) Xfree (wire_names);
@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Wind
wire_name = wire_names;
for (i = 0; i < rep.nModes; i++) {
xrsr->modes[i].name = names;
+ if (xrsr->modes[i].nameLength > rep.nbytesNames) {
+ Xfree (xrsr);
+ Xfree (wire_names);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+ }
+ rep.nbytesNames -= xrsr->modes[i].nameLength;
memcpy (names, wire_name, xrsr->modes[i].nameLength);
names[xrsr->modes[i].nameLength] = '\0';
names += xrsr->modes[i].nameLength + 1;
++++++ baselibs.conf ++++++
libXrandr2
libXrandr-devel
requires -libXrandr-<targettype>
requires "libXrandr2-<targettype> = <version>"