Hello community,
here is the log from the commit of package libXfont for openSUSE:Factory checked in at 2017-10-28 14:18:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libXfont (Old)
and /work/SRC/openSUSE:Factory/.libXfont.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXfont"
Sat Oct 28 14:18:35 2017 rev:18 rq:535492 version:1.5.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/libXfont/libXfont.changes 2017-06-04 01:46:41.231603729 +0200
+++ /work/SRC/openSUSE:Factory/.libXfont.new/libXfont.changes 2017-10-28 14:18:36.210310647 +0200
@@ -1,0 +2,7 @@
+Fri Oct 20 13:56:21 UTC 2017 - sndirsch@suse.com
+
+- Update to release 1.5.3
+ * Check for end of string in PatternMatch (CVE-2017-13720)
+ * pcfGetProperties: Check string boundaries (CVE-2017-13722)
+
+-------------------------------------------------------------------
Old:
----
libXfont-1.5.2.tar.bz2
New:
----
libXfont-1.5.3.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libXfont.spec ++++++
--- /var/tmp/diff_new_pack.B5L1q6/_old 2017-10-28 14:18:36.750290903 +0200
+++ /var/tmp/diff_new_pack.B5L1q6/_new 2017-10-28 14:18:36.754290756 +0200
@@ -18,7 +18,7 @@
Name: libXfont
%define lname libXfont1
-Version: 1.5.2
+Version: 1.5.3
Release: 0
Summary: X font handling library for server and utilities
License: MIT
++++++ libXfont-1.5.2.tar.bz2 -> libXfont-1.5.3.tar.bz2 ++++++
++++ 1666 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.2/ChangeLog new/libXfont-1.5.3/ChangeLog
--- old/libXfont-1.5.2/ChangeLog 2016-08-31 22:19:58.000000000 +0200
+++ new/libXfont-1.5.3/ChangeLog 2017-10-19 22:50:17.000000000 +0200
@@ -1,3 +1,37 @@
+commit f581c2346d025d5b15926db9e58f254173fb58dc
+Author: Matt Turner
+Date: Thu Oct 19 13:45:58 2017 -0700
+
+ libXfont 1.5.3
+
+ Signed-off-by: Matt Turner
+
+commit 3b08934dca75e4c559db7d83797bc3d365c2a50a
+Author: Michal Srb
+Date: Thu Jul 20 17:05:23 2017 +0200
+
+ pcfGetProperties: Check string boundaries (CVE-2017-13722)
+
+ Without the checks a malformed PCF file can cause the library to make
+ atom from random heap memory that was behind the `strings` buffer.
+ This may crash the process or leak information.
+
+ Signed-off-by: Julien Cristau
+ (cherry picked from commit 672bb944311392e2415b39c0d63b1e1902905bcd)
+
+commit a2a5fa591762b430037e33f1df55b460550ab406
+Author: Michal Srb
+Date: Thu Jul 20 13:38:53 2017 +0200
+
+ Check for end of string in PatternMatch (CVE-2017-13720)
+
+ If a pattern contains '?' character, any character in the string is skipped,
+ even if it is '\0'. The rest of the matching then reads invalid memory.
+
+ Reviewed-by: Peter Hutterer
+ Signed-off-by: Julien Cristau
+ (cherry picked from commit d1e670a4a8704b8708e493ab6155589bcd570608)
+
commit 8cce9834b2e74dccad94ca0adf79ae5585e37d48
Author: Adam Jackson
Date: Wed Aug 31 16:19:11 2016 -0400
@@ -16,21 +50,21 @@
Found by clang's Address Sanitizer
- crac.num_auths = set_font_authorizations(&authorizations, &authlen,
- client);
- /* Work around bug in xfs versions up through modular release 1.0.8
- which rejects CreateAC packets with num_auths = 0 & authlen < 4 */
- if (crac.num_auths == 0) {
- authorizations = padding;
- authlen = 4;
- } else {
- authlen = (authlen + 3) & ~0x3;
- }
- crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
- crac.acid = cur->acid;
- _fs_add_req_log(conn, FS_CreateAC);
- _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
- _fs_write(conn, authorizations, authlen);
+ crac.num_auths = set_font_authorizations(&authorizations, &authlen,
+ client);
+ /* Work around bug in xfs versions up through modular release 1.0.8
+ which rejects CreateAC packets with num_auths = 0 & authlen < 4 */
+ if (crac.num_auths == 0) {
+ authorizations = padding;
+ authlen = 4;
+ } else {
+ authlen = (authlen + 3) & ~0x3;
+ }
+ crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
+ crac.acid = cur->acid;
+ _fs_add_req_log(conn, FS_CreateAC);
+ _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
+ _fs_write(conn, authorizations, authlen);
In the case in the report, set_font_authorizations setup authorizations as a
34 byte buffer (and authlen set to 34 as one would expect). The following
@@ -1375,7 +1409,7 @@
Conflicts:
- ChangeLog
+ ChangeLog
Signed-off-by: Yaakov Selkowitz
@@ -2188,7 +2222,7 @@
This patch adds a new FPE type, which will match font path elements of the
form
- catalogue:<dir>
+ catalogue:<dir>
The dir specified after the catalogue: prefix will be scanned for symlinks
and each symlink destination will be added as a local fontfile FPE.
@@ -2198,22 +2232,22 @@
An example configuration:
- 75dpi:unscaled:pri=20 -> /usr/share/X11/fonts/75dpi
- ghostscript:pri=60 -> /usr/share/fonts/default/ghostscript
- misc:unscaled:pri=10 -> /usr/share/X11/fonts/misc
- type1:pri=40 -> /usr/share/X11/fonts/Type1
- type1:pri=50 -> /usr/share/fonts/default/Type1
+ 75dpi:unscaled:pri=20 -> /usr/share/X11/fonts/75dpi
+ ghostscript:pri=60 -> /usr/share/fonts/default/ghostscript
+ misc:unscaled:pri=10 -> /usr/share/X11/fonts/misc
+ type1:pri=40 -> /usr/share/X11/fonts/Type1
+ type1:pri=50 -> /usr/share/fonts/default/Type1
will add /usr/share/X11/fonts/misc as the first FPE with the attribute
'unscaled', second FPE will be /usr/share/X11/fonts/75dpi, also with
the attribute unscaled etc. This is functionally equivalent to setting
the following font path:
- /usr/share/X11/fonts/misc:unscaled,
- /usr/share/X11/fonts/75dpi:unscaled,
- /usr/share/X11/fonts/Type1,
- /usr/share/fonts/default/Type1,
- /usr/share/fonts/default/ghostscript
+ /usr/share/X11/fonts/misc:unscaled,
+ /usr/share/X11/fonts/75dpi:unscaled,
+ /usr/share/X11/fonts/Type1,
+ /usr/share/fonts/default/Type1,
+ /usr/share/fonts/default/ghostscript
The motivation is to let font packages add a symlink to the new font
directory they provide instead of rewriting either the Xorg config file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.2/configure.ac new/libXfont-1.5.3/configure.ac
--- old/libXfont-1.5.2/configure.ac 2016-08-31 22:18:48.000000000 +0200
+++ new/libXfont-1.5.3/configure.ac 2017-10-19 22:50:07.000000000 +0200
@@ -21,7 +21,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libXfont], [1.5.2],
+AC_INIT([libXfont], [1.5.3],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfont])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.2/src/bitmap/pcfread.c new/libXfont-1.5.3/src/bitmap/pcfread.c
--- old/libXfont-1.5.2/src/bitmap/pcfread.c 2016-08-31 22:18:36.000000000 +0200
+++ new/libXfont-1.5.3/src/bitmap/pcfread.c 2017-10-19 22:50:07.000000000 +0200
@@ -44,6 +44,7 @@
#include
#include
+#include
void
pcfError(const char* message, ...)
@@ -310,11 +311,19 @@
if (IS_EOF(file)) goto Bail;
position += string_size;
for (i = 0; i < nprops; i++) {
+ if (props[i].name >= string_size) {
+ pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
+ goto Bail;
+ }
props[i].name = MakeAtom(strings + props[i].name,
- strlen(strings + props[i].name), TRUE);
+ strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
if (isStringProp[i]) {
+ if (props[i].value >= string_size) {
+ pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
+ goto Bail;
+ }
props[i].value = MakeAtom(strings + props[i].value,
- strlen(strings + props[i].value), TRUE);
+ strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
}
}
free(strings);
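Review bot: The two added bounds checks in the property loop test only the upper limit (`props[i].name >= string_size`, and likewise for `props[i].value`), so a negative offset would pass and `strings + props[i].name` would point before the buffer, with the `strnlen` bound growing past `string_size`. The `%ld` in the new pcfError calls suggests the offsets are signed; unless negative values are already rejected where they are read, which is not visible in this hunk, the guards should be `if (props[i].name < 0 || props[i].name >= string_size) {` and `if (props[i].value < 0 || props[i].value >= string_size) {`. The two error messages are also identical, so naming the field in each (name or value) would make a rejected font file easier to triage. pcfGetProperties starts and ends outside the hunk.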
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.5.2/src/fontfile/fontdir.c new/libXfont-1.5.3/src/fontfile/fontdir.c
--- old/libXfont-1.5.2/src/fontfile/fontdir.c 2016-08-31 22:18:36.000000000 +0200
+++ new/libXfont-1.5.3/src/fontfile/fontdir.c 2017-10-19 22:50:07.000000000 +0200
@@ -399,8 +399,10 @@
}
}
case '?':
- if (*string++ == XK_minus)
+ if ((t = *string++) == XK_minus)
stringdashes--;
+ if (!t)
+ return 0;
break;
case '\0':
return (*string == '\0');
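Review bot: In the `case '?'` branch the new end-of-string test sits after the dash bookkeeping and depends on an assignment buried in the `if` condition, which obscures what the fix is for. Reading the character first and testing the terminator before anything else is clearer: `t = *string++;` then `if (!t) return 0;` then `if (t == XK_minus) stringdashes--;`. A short comment such as `/* '?' must consume a real character; end of string means no match */` would record why the early return exists. The declaration of `t` and the rest of the function are outside the hunk.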