Hello community,
here is the log from the commit of package libXfont for openSUSE:Factory checked in at 2014-01-08 20:35:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libXfont (Old)
and /work/SRC/openSUSE:Factory/.libXfont.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXfont"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libXfont/libXfont.changes 2013-08-19 13:29:58.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libXfont.new/libXfont.changes 2014-01-08 20:35:46.000000000 +0100
@@ -1,0 +2,8 @@
+Wed Jan 8 09:51:40 UTC 2014 - sndirsch@suse.com
+
+- Update to version 1.4.7
+ This release includes the fix for CVE-2013-6462, as well as
+ other security hardening and code cleanups, and makes libXfont
+ compatible with libXtrans 1.3 on Solaris. (bnc#854915)
+
+-------------------------------------------------------------------
Old:
----
libXfont-1.4.6.tar.bz2
New:
----
libXfont-1.4.7.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libXfont.spec ++++++
--- /var/tmp/diff_new_pack.in6fqZ/_old 2014-01-08 20:35:47.000000000 +0100
+++ /var/tmp/diff_new_pack.in6fqZ/_new 2014-01-08 20:35:47.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libXfont
#
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
Name: libXfont
%define lname libXfont1
-Version: 1.4.6
+Version: 1.4.7
Release: 0
Summary: X font handling library for server and utilities
License: MIT
++++++ libXfont-1.4.6.tar.bz2 -> libXfont-1.4.7.tar.bz2 ++++++
++++ 4318 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/ChangeLog new/libXfont-1.4.7/ChangeLog
--- old/libXfont-1.4.6/ChangeLog 2013-07-22 01:58:01.000000000 +0200
+++ new/libXfont-1.4.7/ChangeLog 2014-01-07 17:27:27.000000000 +0100
@@ -1,3 +1,129 @@
+commit 30110063857ff9a5f93f6d8d13f535c9b6e59e2a
+Author: Alan Coopersmith
+Date: Tue Jan 7 08:22:31 2014 -0800
+
+ libXfont 1.4.7
+
+ Signed-off-by: Alan Coopersmith
+
+commit 2a84680376bafd74609c6ef3e38befcb8467d814
+Author: Alan Coopersmith
+Date: Mon Dec 23 19:01:11 2013 -0800
+
+ Limit additional sscanf strings to fit buffer sizes
+
+ None of these could currently result in buffer overflow, as the input
+ and output buffers were the same size, but adding limits helps ensure
+ we keep it that way, if we ever resize any of these in the future.
+
+ Fixes cppcheck warnings:
+ [lib/libXfont/src/bitmap/bdfread.c:547]: (warning)
+ scanf without field width limits can crash with huge input data.
+ [lib/libXfont/src/bitmap/bdfread.c:553]: (warning)
+ scanf without field width limits can crash with huge input data.
+ [lib/libXfont/src/bitmap/bdfread.c:636]: (warning)
+ scanf without field width limits can crash with huge input data.
+
+ Signed-off-by: Alan Coopersmith
+ Reviewed-by: Matthieu Herrb
+ Reviewed-by: Jeremy Huddleston Sequoia
+
+commit 4d024ac10f964f6bd372ae0dd14f02772a6e5f63
+Author: Alan Coopersmith
+Date: Mon Dec 23 18:34:02 2013 -0800
+
+ CVE-2013-6462: unlimited sscanf overflows stack buffer in bdfReadCharacters()
+
+ Fixes cppcheck warning:
+ [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
+ scanf without field width limits can crash with huge input data.
+
+ Signed-off-by: Alan Coopersmith
+ Reviewed-by: Matthieu Herrb
+ Reviewed-by: Jeremy Huddleston Sequoia
+
+commit fdcf9a9be6a5d453659beadec5d1a1fdbab9afaf
+Author: Alan Coopersmith
+Date: Fri Dec 27 11:01:35 2013 -0800
+
+ Add AC_USE_SYSTEM_EXTENSIONS to expose non-standard extensions
+
+ Required on Solaris to expose definitions in system headers that
+ are not defined in the XPG standards now that xtrans 1.3 defines
+ _XOPEN_SOURCE to 600 on Solaris.
+
+ Fixes build failures:
+ fserve.c: In function 'fs_block_handler':
+ fserve.c:1210:5: error: 'fd_mask' undeclared (first use in this function)
+ fserve.c:1210:5: note: each undeclared identifier is reported only once for each function it appears in
+ In file included from transport.c:67:0,
+ from fstrans.c:28:
+ Xtranssock.c: In function '_FontTransSocketINETConnect':
+ Xtranssock.c:1421:19: error: 'INET6_ADDRSTRLEN' undeclared (first use in this function)
+ Xtranssock.c:1421:19: note: each undeclared identifier is reported only once for each function it appears in
+
+ Signed-off-by: Alan Coopersmith
+ Reviewed-by: Daniel Stone
+
+commit 0d24378a6f08f5ab594ff552d60cf5f8f74bcb33
+Author: Alan Coopersmith
+Date: Sat Dec 7 20:11:29 2013 -0800
+
+ Don't leak old allocation if realloc fails to enlarge it
+
+ In ftfuncs.c, since the buffer being reallocated is a function local
+ buffer, used to accumulate data for a single run of the function and
+ then freed at the end of the function, we just free the old buffer if
+ realloc fails.
+
+ In atom.c however, the ReverseMap is a static buffer, so we operate in
+ temporary variables until we know we're successful, then update the
+ static variables. If we fail, we leave the old static variables in place,
+ since they contain data about previous atoms we should maintain, not lose.
+
+ Reported by cppcheck:
+ [lib/libXfont/src/FreeType/ftfuncs.c:2122]: (error) Common realloc mistake:
+ 'ranges' nulled but not freed upon failure
+ [lib/libXfont/src/util/atom.c:126]: (error) Common realloc mistake:
+ 'reverseMap' nulled but not freed upon failure
+
+ Signed-off-by: Alan Coopersmith
+ Reviewed-by: Peter Hutterer
+
+commit 5e27c364b174497d427dcecd122d711ef6b9f630
+Author: Julien Cristau
+Date: Mon Aug 12 18:40:27 2013 +0200
+
+ Make serverGeneration unsigned
+
+ Makes the definition match other declarations, and xserver's definition.
+
+ Debian bug#689439
+
+ Reported-by: Michael Tautschnig
+ Signed-off-by: Julien Cristau
+ Reviewed-by: Alan Coopersmith
+ Signed-off-by: Alan Coopersmith
+
+commit 7d34534c050cb4366c7b14bff585c17d6d578f89
+Author: Alan Coopersmith
+Date: Sat Oct 26 00:06:22 2013 -0700
+
+ Replace malloc(strlen)+strcpy/strcat calls with strdup
+
+ Signed-off-by: Alan Coopersmith
+
+commit 8a9fc31628a98e3cdaae6078bb5d92bce06c37ac
+Author: Alan Coopersmith
+Date: Fri Oct 25 23:56:55 2013 -0700
+
+ xstrdup -> strdup
+
+ Missed in xalloc -> malloc etal conversion in 0cdc9b8f850342
+
+ Signed-off-by: Alan Coopersmith
+ Reviewed-by: Jasper St. Pierre
+
commit 8b289e10c5013cdcbf817c06bd929e3ea8339987
Author: Alan Coopersmith
Date: Sun Jul 21 16:53:47 2013 -0700
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/config.h.in new/libXfont-1.4.7/config.h.in
--- old/libXfont-1.4.6/config.h.in 2013-07-22 01:54:10.000000000 +0200
+++ new/libXfont-1.4.7/config.h.in 2014-01-07 17:25:24.000000000 +0100
@@ -94,9 +94,6 @@
/* Patch version of this package */
#undef PACKAGE_VERSION_PATCHLEVEL
-/* Define as the return type of signal handlers (`int' or `void'). */
-#undef RETSIGTYPE
-
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
@@ -106,6 +103,28 @@
/* Support UNIX socket connections */
#undef UNIXCONN
+/* Enable extensions on AIX 3, Interix. */
+#ifndef _ALL_SOURCE
+# undef _ALL_SOURCE
+#endif
+/* Enable GNU extensions on systems that have them. */
+#ifndef _GNU_SOURCE
+# undef _GNU_SOURCE
+#endif
+/* Enable threading extensions on Solaris. */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# undef _POSIX_PTHREAD_SEMANTICS
+#endif
+/* Enable extensions on HP NonStop. */
+#ifndef _TANDEM_SOURCE
+# undef _TANDEM_SOURCE
+#endif
+/* Enable general extensions on Solaris. */
+#ifndef __EXTENSIONS__
+# undef __EXTENSIONS__
+#endif
+
+
/* Version number of package */
#undef VERSION
@@ -138,3 +157,16 @@
/* Support gzip for bitmap fonts */
#undef X_GZIP_FONT_COMPRESSION
+
+/* Define to 1 if on MINIX. */
+#undef _MINIX
+
+/* Define to 2 if the system does not provide POSIX.1 features except with
+ this defined. */
+#undef _POSIX_1_SOURCE
+
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+#undef _POSIX_SOURCE
+
+/* Defined if needed to expose struct msghdr.msg_control */
+#undef _XOPEN_SOURCE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/configure.ac new/libXfont-1.4.7/configure.ac
--- old/libXfont-1.4.6/configure.ac 2013-07-22 01:54:01.000000000 +0200
+++ new/libXfont-1.4.7/configure.ac 2014-01-07 17:25:08.000000000 +0100
@@ -21,7 +21,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libXfont], [1.4.6],
+AC_INIT([libXfont], [1.4.7],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfont])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h])
@@ -29,6 +29,11 @@
# Initialize Automake
AM_INIT_AUTOMAKE([foreign dist-bzip2])
+# Set common system defines for POSIX extensions, such as _GNU_SOURCE
+# Must be called before any macros that run the compiler (like
+# AC_PROG_LIBTOOL) to avoid autoconf errors.
+AC_USE_SYSTEM_EXTENSIONS
+
# Initialize libtool
AC_PROG_LIBTOOL
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/src/FreeType/ftfuncs.c new/libXfont-1.4.7/src/FreeType/ftfuncs.c
--- old/libXfont-1.4.6/src/FreeType/ftfuncs.c 2013-07-22 01:54:01.000000000 +0200
+++ new/libXfont-1.4.7/src/FreeType/ftfuncs.c 2014-01-07 17:25:08.000000000 +0100
@@ -2050,7 +2050,7 @@
{
int nRanges = 0;
int result = 0;
- fsRange *ranges = NULL;
+ fsRange *ranges = NULL, *oldRanges;
char const *p, *q;
p = q = str;
@@ -2119,10 +2119,13 @@
fflush(stderr);
#endif
nRanges++;
+ oldRanges = ranges;
ranges = realloc(ranges, nRanges*sizeof(*ranges));
- if (NULL == ranges)
+ if (NULL == ranges) {
+ free(oldRanges);
break;
- {
+ }
+ else {
fsRange *r = ranges+nRanges-1;
r->min_char_low = minpoint & 0xff;
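Review bot: the failure path leaves `nRanges` already incremented while `ranges` is NULL, so anything after the loop that walks `nRanges` entries would read through a NULL pointer; decrement `nRanges` before the `break` (or increment it only after a successful `realloc`). The `else` after an unconditional `break` is also redundant and can be dropped. The `free(oldRanges)` itself is correct: `ranges` is NULL on failure, so a later `free(ranges)` on the quit path is harmless.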
@@ -2204,7 +2207,7 @@
strcpy(*dynStrRealFileName+dirLen, p2+1);
capHead = p1;
} else {
- *dynStrRealFileName = xstrdup(fileName);
+ *dynStrRealFileName = strdup(fileName);
if( *dynStrRealFileName == NULL ) {
result = AllocError;
goto quit;
@@ -2289,13 +2292,11 @@
}
}
else{
- *dynStrFTFileName = malloc(strlen(*dynStrRealFileName)+1);
+ *dynStrFTFileName = strdup(*dynStrRealFileName);
if( *dynStrFTFileName == NULL ){
result = AllocError;
goto quit;
}
- **dynStrFTFileName = '\0';
- strcat(*dynStrFTFileName,*dynStrRealFileName);
}
}
/*
@@ -2549,7 +2550,7 @@
if (SPropRecValList_search_record(&listPropRecVal,
&contRecValue,
"CodeRange")) {
- *dynStrTTCapCodeRange = xstrdup(SPropContainer_value_str(contRecValue));
+ *dynStrTTCapCodeRange = strdup(SPropContainer_value_str(contRecValue));
if( *dynStrTTCapCodeRange == NULL ) {
result = AllocError;
goto quit;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/src/FreeType/xttcap.c new/libXfont-1.4.7/src/FreeType/xttcap.c
--- old/libXfont-1.4.6/src/FreeType/xttcap.c 2013-07-22 01:54:01.000000000 +0200
+++ new/libXfont-1.4.7/src/FreeType/xttcap.c 2014-01-07 17:25:08.000000000 +0100
@@ -234,14 +234,13 @@
{
char *p;
- if (NULL == (p = malloc(strlen(strValue)+1))) {
+ if (NULL == (p = strdup(strValue))) {
fprintf(stderr,
"truetype font property : "
"cannot allocate memory.\n");
result = True;
goto quit;
}
- strcpy(p, strValue);
SPropContainer_value_str(&tmpContainerE) = p;
}
break;
@@ -682,24 +681,4 @@
return result;
}
-
-/**************************************************************************
- Functions (xttmisc)
- */
-
-/* strdup clone with using the allocator of X server */
-char *
-XttXstrdup(char const *str)
-{
- char *result;
-
- result = malloc(strlen(str)+1);
-
- if (result)
- strcpy(result, str);
-
- return result;
-}
-
-
/* end of file */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/src/FreeType/xttcap.h new/libXfont-1.4.7/src/FreeType/xttcap.h
--- old/libXfont-1.4.6/src/FreeType/xttcap.h 2013-07-22 01:54:01.000000000 +0200
+++ new/libXfont-1.4.7/src/FreeType/xttcap.h 2014-01-07 17:25:08.000000000 +0100
@@ -116,15 +116,6 @@
#define SPropContainer_value_str(contRecVal)\
((contRecVal)->uValue.dynStringValue)
-/******************************************************
- Prototypes (xttmisc)
- */
-
-/* strdup clone */
-char * XttXstrdup(char const *str);
-#undef xstrdup
-#define xstrdup(s) XttXstrdup((char const*)s)
-
#endif /* !def _XTTCAP_H_ */
/* end of file */
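Review bot: dropping the `#undef xstrdup` / `#define xstrdup(s) XttXstrdup(...)` pair means any remaining `xstrdup` call in a file that includes xttcap.h no longer resolves to `XttXstrdup`; the two callers in ftfuncs.c are converted in this patch, but the rest of the FreeType directory should be grepped for `xstrdup` before merging so nothing silently binds to a different definition.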
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/src/bitmap/bdfread.c new/libXfont-1.4.7/src/bitmap/bdfread.c
--- old/libXfont-1.4.6/src/bitmap/bdfread.c 2013-07-22 01:54:01.000000000 +0200
+++ new/libXfont-1.4.7/src/bitmap/bdfread.c 2014-01-07 17:25:08.000000000 +0100
@@ -69,6 +69,7 @@
#define INDICES 256
#define MAXENCODING 0xFFFF
#define BDFLINELEN 1024
+#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
static Bool bdfPadToTerminal(FontPtr pFont);
extern int bdfFileLineNum;
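Review bot: `BDFLINESTR "%1023s"` hardcodes the field width separately from `BDFLINELEN 1024`; if either is changed alone the limit silently stops matching the buffer. Guard it the same way this file guards `MAXFONTNAMELEN` further down, e.g. `#if BDFLINELEN != 1024` / `# error "BDFLINESTR must be BDFLINELEN - 1"` / `#endif`, or derive the format from a stringified constant.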
@@ -338,7 +339,7 @@
char charName[100];
int ignore;
- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
}
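Review bot: `%99s` correctly bounds the read to `charName[100]` (this is the CVE-2013-6462 fix for the unlimited `%s`), but the width is a second copy of the array size with nothing tying the two together; a single `#define` used for both the array dimension and the format, or a compile-time check like the one added for `MAXFONTNAMELEN`, would keep them from drifting apart.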
@@ -544,13 +545,18 @@
unsigned char lineBuf[BDFLINELEN];
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+ if (!line ||
+ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
!bdfStrEqual(namebuf, "2.1")) {
bdfError("bad 'STARTFONT'\n");
return (FALSE);
}
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+ if (!line ||
+ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
bdfError("bad 'FONT'\n");
return (FALSE);
}
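Review bot: the `#if MAXFONTNAMELEN != 1024` guard protects the `%1023[^\n]` width for `pState->fontName`, but `namebuf` now receives a `BDFLINESTR` read of up to 1023 characters plus the terminator and its declaration is outside this hunk; confirm it is at least `BDFLINELEN` bytes, otherwise the new width still overflows it.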
@@ -633,7 +639,9 @@
while (*line && isspace(*line))
line++;
- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+ switch (sscanf((char *) line,
+ BDFLINESTR BDFLINESTR BDFLINESTR,
+ namebuf, secondbuf, thirdbuf)) {
default:
bdfError("missing '%s' parameter value\n", namebuf);
goto BAILOUT;
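Review bot: same check applies to `secondbuf` and `thirdbuf`, which each now accept up to 1023 characters plus NUL and whose declarations are not in the hunk. Separately, the `default:` branch prints `namebuf`, which is not written when `sscanf` returns 0 or EOF, so the error message can show stale or uninitialised data; that is pre-existing, but worth fixing while this call is being touched.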
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/src/fontfile/fontdir.c new/libXfont-1.4.7/src/fontfile/fontdir.c
--- old/libXfont-1.4.6/src/fontfile/fontdir.c 2013-07-22 01:54:01.000000000 +0200
+++ new/libXfont-1.4.7/src/fontfile/fontdir.c 2014-01-07 17:25:08.000000000 +0100
@@ -425,17 +425,13 @@
return ndashes;
}
+/* exported in public API in */
char *
FontFileSaveString (char *s)
{
- char *n;
-
- n = malloc (strlen (s) + 1);
- if (!n)
- return 0;
- strcpy (n, s);
- return n;
+ return strdup(s);
}
+#define FontFileSaveString(s) strdup(s)
FontEntryPtr
FontFileFindNameInScalableDir(FontTablePtr table, FontNamePtr pat,
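Review bot: the new comment `/* exported in public API in */` is cut off and should name the header that declares `FontFileSaveString`. The `#define FontFileSaveString(s) strdup(s)` placed after the function definition only redirects uses later in this translation unit while external callers keep the exported symbol; that is fine, but a one-line comment stating that intent would save the next reader from wondering why both exist.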
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/src/util/atom.c new/libXfont-1.4.7/src/util/atom.c
--- old/libXfont-1.4.6/src/util/atom.c 2013-07-22 01:54:01.000000000 +0200
+++ new/libXfont-1.4.7/src/util/atom.c 2014-01-07 17:25:08.000000000 +0100
@@ -118,19 +118,23 @@
static int
ResizeReverseMap (void)
{
- int ret = TRUE;
+ AtomListPtr *newMap;
+ int newMapSize;
+
if (reverseMapSize == 0)
- reverseMapSize = 1000;
+ newMapSize = 1000;
else
- reverseMapSize *= 2;
- reverseMap = realloc (reverseMap, reverseMapSize * sizeof (AtomListPtr));
- if (!reverseMap) {
+ newMapSize = reverseMapSize * 2;
+ newMap = realloc (reverseMap, newMapSize * sizeof (AtomListPtr));
+ if (newMap == NULL) {
fprintf(stderr, "ResizeReverseMap(): Error: Couldn't reallocate"
" reverseMap (%ld)\n",
- reverseMapSize * (unsigned long)sizeof(AtomListPtr));
- ret = FALSE;
+ newMapSize * (unsigned long)sizeof(AtomListPtr));
+ return FALSE;
}
- return ret;
+ reverseMap = newMap;
+ reverseMapSize = newMapSize;
+ return TRUE;
}
static int
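Review bot: the `fprintf` still uses `%ld` for an `unsigned long` argument (`newMapSize * (unsigned long)sizeof(AtomListPtr)`); use `%lu`. The rollback logic itself is right: `reverseMap` and `reverseMapSize` are only assigned after `realloc` succeeds, so a failed resize leaves the previous map and its size intact instead of nulling the static pointer.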
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXfont-1.4.6/src/util/miscutil.c new/libXfont-1.4.7/src/util/miscutil.c
--- old/libXfont-1.4.6/src/util/miscutil.c 2013-07-22 01:54:01.000000000 +0200
+++ new/libXfont-1.4.7/src/util/miscutil.c 2014-01-07 17:25:08.000000000 +0100
@@ -47,7 +47,7 @@
#ifndef NO_WEAK_SYMBOLS
/* make sure everything initializes themselves at least once */
-weak long serverGeneration = 1;
+weak unsigned long serverGeneration = 1;
#endif
weak void
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org