commit 9481d76d85b43cb6b04524aefe9c8c2f7303b922 Author: MSVSphere Packaging Team Date: Fri Mar 29 15:52:28 2024 +0300 import libX11-1.6.8-8.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8264060 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/libX11-1.6.8.tar.bz2 diff --git a/.libX11.metadata b/.libX11.metadata new file mode 100644 index 0000000..ff15fb1 --- /dev/null +++ b/.libX11.metadata @@ -0,0 +1 @@ +f1ea96fe472a981d378b4f2eec90dcd063f9a407 SOURCES/libX11-1.6.8.tar.bz2 diff --git a/SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch b/SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch new file mode 100644 index 0000000..7135626 --- /dev/null +++ b/SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch @@ -0,0 +1,166 @@ +From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001 +From: Keith Packard +Date: Sat, 7 Nov 2020 22:22:47 -0800 +Subject: [PATCH libX11] Avoid recursing through _XError due to sequence + adjustment + +This patch is based on research done by Dmitry Osipenko to uncover the +cause of a large class of Xlib lockups. + +_XError must unlock and re-lock the display around the call to the +user error handler function. When re-locking the display, two +functions are called to ensure that the display is ready to generate a request: + + _XIDHandler(dpy); + _XSeqSyncFunction(dpy); + +The first ensures that there is at least one XID available to use +(possibly calling _xcb_generate_id to do so). The second makes sure a +reply is received at least every 65535 requests to keep sequence +numbers in sync (possibly generating a GetInputFocus request and +synchronously awaiting the reply). + +If the second of these does generate a GetInputFocus request and wait +for the reply, then a pending error will cause recursion into _XError, +which deadlocks the display. + +One seemingly easy fix is to have _XError avoid those calls by +invoking InternalLockDisplay instead of LockDisplay. That function +does everything that LockDisplay does *except* call those final two +functions which may end up receiving an error. + +However, that doesn't protect the system from applications which call +some legal Xlib function from within their error handler. Any Xlib +function which cannot generate protocol or wait for events is valid, +including many which invoke LockDisplay. + +What we need to do is make LockDisplay skip these two function calls +precisely when it is called from within the _XError context for the +same display. + +This patch accomplishes this by creating a list of threads in the +display which are in _XError, and then having LockDisplay check the +current thread against those list elements. + +Inspired-by: Dmitry Osipenko +Signed-off-by: Keith Packard +Tested-by: Dmitry Osipenko +Reviewed-by: Dmitry Osipenko +(cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277) +--- + include/X11/Xlibint.h | 2 ++ + src/OpenDis.c | 1 + + src/XlibInt.c | 10 ++++++++++ + src/locking.c | 12 ++++++++++++ + src/locking.h | 12 ++++++++++++ + 5 files changed, 37 insertions(+) + +diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h +index 6b95bcf7..09078e3f 100644 +--- a/include/X11/Xlibint.h ++++ b/include/X11/Xlibint.h +@@ -202,6 +202,8 @@ struct _XDisplay + unsigned long last_request_read_upper32bit; + unsigned long request_upper32bit; + #endif ++ ++ struct _XErrorThreadInfo *error_threads; + }; + + #define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n) +diff --git a/src/OpenDis.c b/src/OpenDis.c +index 82723578..85901168 100644 +--- a/src/OpenDis.c ++++ b/src/OpenDis.c +@@ -201,6 +201,7 @@ XOpenDisplay ( + X_DPY_SET_LAST_REQUEST_READ(dpy, 0); + dpy->default_screen = iscreen; /* Value returned by ConnectDisplay */ + dpy->last_req = (char *)&_dummy_request; ++ dpy->error_threads = NULL; + + /* Initialize the display lock */ + if (InitDisplayLock(dpy) != 0) { +diff --git a/src/XlibInt.c b/src/XlibInt.c +index 4e45e62b..8771b791 100644 +--- a/src/XlibInt.c ++++ b/src/XlibInt.c +@@ -1482,6 +1482,11 @@ int _XError ( + if (_XErrorFunction != NULL) { + int rtn_val; + #ifdef XTHREADS ++ struct _XErrorThreadInfo thread_info = { ++ .error_thread = xthread_self(), ++ .next = dpy->error_threads ++ }, **prev; ++ dpy->error_threads = &thread_info; + if (dpy->lock) + (*dpy->lock->user_lock_display)(dpy); + UnlockDisplay(dpy); +@@ -1491,6 +1496,11 @@ int _XError ( + LockDisplay(dpy); + if (dpy->lock) + (*dpy->lock->user_unlock_display)(dpy); ++ ++ /* unlink thread_info from the list */ ++ for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next) ++ ; ++ *prev = thread_info.next; + #endif + return rtn_val; + } else { +diff --git a/src/locking.c b/src/locking.c +index 9f4fe067..bcadc857 100644 +--- a/src/locking.c ++++ b/src/locking.c +@@ -453,6 +453,9 @@ static void _XLockDisplay( + XTHREADS_FILE_LINE_ARGS + ) + { ++#ifdef XTHREADS ++ struct _XErrorThreadInfo *ti; ++#endif + #ifdef XTHREADS_WARN + _XLockDisplayWarn(dpy, file, line); + #else +@@ -460,6 +463,15 @@ static void _XLockDisplay( + #endif + if (dpy->lock->locking_level > 0) + _XDisplayLockWait(dpy); ++#ifdef XTHREADS ++ /* ++ * Skip the two function calls below which may generate requests ++ * when LockDisplay is called from within _XError. ++ */ ++ for (ti = dpy->error_threads; ti; ti = ti->next) ++ if (ti->error_thread == xthread_self()) ++ return; ++#endif + _XIDHandler(dpy); + _XSeqSyncFunction(dpy); + } +diff --git a/src/locking.h b/src/locking.h +index 5251a60c..59fc866e 100644 +--- a/src/locking.h ++++ b/src/locking.h +@@ -149,6 +149,18 @@ typedef struct _LockInfoRec { + xmutex_t lock; + } LockInfoRec; + ++/* A list of threads currently invoking error handlers on this display ++ * LockDisplay operates differently for these threads, avoiding ++ * generating any requests or reading any events as that can cause ++ * recursion into the error handling code, which will deadlock the ++ * thread. ++ */ ++struct _XErrorThreadInfo ++{ ++ struct _XErrorThreadInfo *next; ++ xthread_t error_thread; ++}; ++ + /* XOpenDis.c */ + extern int (*_XInitDisplayLock_fn)(Display *dpy); + extern void (*_XFreeDisplayLock_fn)(Display *dpy); +-- +2.43.0 + diff --git a/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch b/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch new file mode 100644 index 0000000..6427fc2 --- /dev/null +++ b/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch @@ -0,0 +1,58 @@ +From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 17 Sep 2023 14:19:40 -0700 +Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in + _XkbReadKeySyms() + +Make sure we allocate enough memory in the first place, and +also handle error returns from _XkbReadBufferCopyKeySyms() when +it detects out-of-bounds issues. + +Reported-by: Gregory James DUCK +Signed-off-by: Alan Coopersmith +--- + src/xkb/XKBGetMap.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c +index 2891d21e..31199e4a 100644 +--- a/src/xkb/XKBGetMap.c ++++ b/src/xkb/XKBGetMap.c +@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + if (offset + newMap->nSyms >= map->size_syms) { + register int sz; + +- sz = map->size_syms + 128; ++ sz = offset + newMap->nSyms; ++ sz = ((sz + (unsigned) 128) / 128) * 128; + _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); + if (map->syms == NULL) { + map->size_syms = 0; +@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + map->size_syms = sz; + } + if (newMap->nSyms > 0) { +- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], +- newMap->nSyms); ++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], ++ newMap->nSyms) == 0) ++ return BadLength; + offset += newMap->nSyms; + } + else { +@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); + if (newSyms == NULL) + return BadAlloc; +- if (newMap->nSyms > 0) +- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); ++ if (newMap->nSyms > 0) { ++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0) ++ return BadLength; ++ } + else + newSyms[0] = NoSymbol; + oldMap->kt_index[0] = newMap->ktIndex[0]; +-- +2.41.0 + diff --git a/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch b/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch new file mode 100644 index 0000000..8f6a446 --- /dev/null +++ b/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch @@ -0,0 +1,37 @@ +From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:54:30 -0700 +Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion + in PutSubImage() + +When splitting a single line of pixels into chunks to send to the +X server, be sure to take into account the number of bits per pixel, +so we don't just loop forever trying to send more pixels than fit in +the given request size and not breaking them down into a small enough +chunk to fix. + +Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 +Signed-off-by: Alan Coopersmith +--- + src/PutImage.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/PutImage.c b/src/PutImage.c +index 857ee916..a6db7b42 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -914,8 +914,9 @@ PutSubImage ( + req_width, req_height - SubImageHeight, + dest_bits_per_pixel, dest_scanline_pad); + } else { +- int SubImageWidth = (((Available << 3) / dest_scanline_pad) +- * dest_scanline_pad) - left_pad; ++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad) ++ * dest_scanline_pad) - left_pad) ++ / dest_bits_per_pixel; + + PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, + (unsigned int) SubImageWidth, 1, +-- +2.41.0 + diff --git a/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch b/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch new file mode 100644 index 0000000..3468d6e --- /dev/null +++ b/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch @@ -0,0 +1,59 @@ +From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi +Date: Thu, 7 Sep 2023 16:15:32 -0700 +Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to + a heap overflow + +When the format is `Pixmap` it calculates the size of the image data as: + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +There is no validation on the `width` of the image, and so this +calculation exceeds the capacity of a 4-byte integer, causing an overflow. + +Signed-off-by: Alan Coopersmith +--- + src/ImUtil.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/ImUtil.c b/src/ImUtil.c +index 36f08a03..fbfad33e 100644 +--- a/src/ImUtil.c ++++ b/src/ImUtil.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include + #include + #include ++#include + #include "ImUtil.h" + + static int _XDestroyImage(XImage *); +@@ -361,13 +362,22 @@ XImage *XCreateImage ( + /* + * compute per line accelerator. + */ +- { +- if (format == ZPixmap) ++ if (format == ZPixmap) { ++ if ((INT_MAX / bits_per_pixel) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +- else ++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad); ++ } else { ++ if ((INT_MAX - offset) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((width + offset), image->bitmap_pad); ++ ROUNDUP((width + offset), image->bitmap_pad); + } + if (image_bytes_per_line == 0) { + image->bytes_per_line = min_bytes_per_line; +-- +2.41.0 + diff --git a/SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch b/SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch new file mode 100644 index 0000000..fd4e5aa --- /dev/null +++ b/SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch @@ -0,0 +1,64 @@ +From a515545065ce6e1924de4bc50aaae7ec9b48cfad Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Wed, 11 Dec 2019 11:53:11 -0500 +Subject: [PATCH libX11] Fix XTS regression in XCopyColormapAndFree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +XCopyColormapAndFree/5 threw an assertion: + + 520|4 5 00014017 1 2|Assertion XCopyColormapAndFree-5.(A) + 520|4 5 00014017 1 3|When a colourmap argument does not name a valid colourmap, + 520|4 5 00014017 1 4|then a BadColor error occurs. + 520|4 5 00014017 1 5|METH: Create a bad colourmap by creating and freeing a colourmap. + 520|4 5 00014017 1 6|METH: Call test function using bad colourmap as the colourmap argument. + 520|4 5 00014017 1 7|METH: Verify that a BadColor error occurs. + 520|4 5 00014017 1 8|unexpected signal 6 (SIGABRT) received + 220|4 5 2 15:05:53|UNRESOLVED + 410|4 5 1 15:05:53|IC End + 510|4|system 0: Abandoning testset: caught unexpected signal 11 (SIGSEGV) + +More specifically: + + lt-XCopyColormapAndFree: xcb_io.c:533: _XAllocID: Assertion `ret != inval_id' failed. + +This bug was introduced (by following my advice, d'oh) in: + + commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d + Author: Tapani Pälli + Date: Mon May 13 08:29:49 2019 +0300 + + Protect colormap add/removal with display lock + +In that patch we moved the call to _XcmsCopyCmapRecAndFree inside the +display lock. The problem is said routine has side effects, including +trying to implicitly create a colormap in some cases. Since we don't run +the XID handler until SyncHandle() we would see inconsistent internal +xlib state, triggering the above assert. + +Fix this by dropping and re-taking the display lock before calling into +XCMS. +--- + src/CopyCmap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/CopyCmap.c b/src/CopyCmap.c +index b4954b01..b37aba73 100644 +--- a/src/CopyCmap.c ++++ b/src/CopyCmap.c +@@ -53,6 +53,11 @@ Colormap XCopyColormapAndFree( + mid = req->mid = XAllocID(dpy); + req->srcCmap = src_cmap; + ++ /* re-lock the display to keep XID handling in sync */ ++ UnlockDisplay(dpy); ++ SyncHandle(); ++ LockDisplay(dpy); ++ + #if XCMS + _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid); + #endif +-- +2.23.0 + diff --git a/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch b/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch new file mode 100644 index 0000000..cdb3de4 --- /dev/null +++ b/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch @@ -0,0 +1,37 @@ +From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 13 Aug 2020 18:02:58 +0200 +Subject: [PATCH] Fix an integer overflow in init_om() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2020-14363 + +This can lead to a double free later, as reported by Jayden Rivers. + +Signed-off-by: Matthieu Herrb + +(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d) +Signed-off-by: Michel Dänzer +--- + modules/om/generic/omGeneric.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c +index 22f826ec..bcfb9ab8 100644 +--- a/modules/om/generic/omGeneric.c ++++ b/modules/om/generic/omGeneric.c +@@ -1908,7 +1908,8 @@ init_om( + char **required_list; + XOrientation *orientation; + char **value, buf[BUFSIZ], *bufptr; +- int count = 0, num = 0, length = 0; ++ int count = 0, num = 0; ++ unsigned int length = 0; + + _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count); + if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0) +-- +2.28.0 + diff --git a/SOURCES/0001-Fix-poll_for_response-race-condition.patch b/SOURCES/0001-Fix-poll_for_response-race-condition.patch new file mode 100644 index 0000000..77b4d26 --- /dev/null +++ b/SOURCES/0001-Fix-poll_for_response-race-condition.patch @@ -0,0 +1,63 @@ +From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 29 Jan 2020 09:06:54 +0000 +Subject: [PATCH libX11] Fix poll_for_response race condition + +In poll_for_response is it possible that event replies are skipped +and a more up to date message reply is returned. +This will cause next poll_for_event call to fail aborting the program. + +This was proved using some slow ssh tunnel or using some program +to slow down server replies (I used a combination of xtrace and strace). + +How the race happens: +- program enters into poll_for_response; +- poll_for_event is called but the server didn't still send the reply; +- pending_requests is not NULL because we send a request (see call + to append_pending_request in _XSend); +- xcb_poll_for_reply64 is called from poll_for_response; +- xcb_poll_for_reply64 will read from server, at this point + server reply with an event (say sequence N) and the reply to our + last request (say sequence N+1); +- xcb_poll_for_reply64 returns the reply for the request we asked; +- last_request_read is set to N+1 sequence in poll_for_response; +- poll_for_response returns the response to the request; +- poll_for_event is called (for instance from another poll_for_response); +- event with sequence N is retrieved; +- the N sequence is widen, however, as the "new" number computed from + last_request_read is less than N the number is widened to N + 2^32 + (assuming last_request_read is still contained in 32 bit); +- poll_for_event enters the nested if statement as req is NULL; +- we compare the widen N (which now does not fit into 32 bit) with + request (which fits into 32 bit) hitting the throw_thread_fail_assert. + +I propose to change the widen to not go too far from the wide number +instead of supposing the result is always bigger than the wide number +passed. + +Signed-off-by: Frediano Ziglio +--- + src/xcb_io.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/xcb_io.c b/src/xcb_io.c +index 6a12d150..2aacbda3 100644 +--- a/src/xcb_io.c ++++ b/src/xcb_io.c +@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply) + } + + /* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number. +- * Treating the comparison as a 1 and shifting it avoids a conditional branch. + */ + static void widen(uint64_t *wide, unsigned int narrow) + { +- uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow; +- *wide = new + (((uint64_t)(new < *wide)) << 32); ++ *wide += (int32_t) (narrow - *wide); + } + + /* Thread-safety rules: +-- +2.23.0 + diff --git a/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch b/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch new file mode 100644 index 0000000..014bdc0 --- /dev/null +++ b/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch @@ -0,0 +1,108 @@ +From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 10 Jun 2023 16:30:07 -0700 +Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request, + event, & error codes + +Fixes CVE-2023-3138: X servers could return values from XQueryExtension +that would cause Xlib to write entries out-of-bounds of the arrays to +store them, though this would only overwrite other parts of the Display +struct, not outside the bounds allocated for that structure. + +Reported-by: Gregory James DUCK +Signed-off-by: Alan Coopersmith +--- + src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +diff --git a/src/InitExt.c b/src/InitExt.c +index 4de46f15..afc00a6b 100644 +--- a/src/InitExt.c ++++ b/src/InitExt.c +@@ -33,6 +33,18 @@ from The Open Group. + #include + #include + ++/* The X11 protocol spec reserves events 64 through 127 for extensions */ ++#ifndef LastExtensionEvent ++#define LastExtensionEvent 127 ++#endif ++ ++/* The X11 protocol spec reserves requests 128 through 255 for extensions */ ++#ifndef LastExtensionRequest ++#define FirstExtensionRequest 128 ++#define LastExtensionRequest 255 ++#endif ++ ++ + /* + * This routine is used to link a extension in so it will be called + * at appropriate times. +@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent( + WireToEventType proc) /* routine to call when converting event */ + { + register WireToEventType oldproc; ++ if (event_number < 0 || ++ event_number > LastExtensionEvent) { ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", ++ event_number); ++ return (WireToEventType)_XUnknownWireEvent; ++ } + if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; + LockDisplay (dpy); + oldproc = dpy->event_vec[event_number]; +@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie( + ) + { + WireToEventCookieType oldproc; ++ if (extension < FirstExtensionRequest || ++ extension > LastExtensionRequest) { ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", ++ extension); ++ return (WireToEventCookieType)_XUnknownWireEventCookie; ++ } + if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; + LockDisplay (dpy); + oldproc = dpy->generic_event_vec[extension & 0x7F]; +@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie( + ) + { + CopyEventCookieType oldproc; ++ if (extension < FirstExtensionRequest || ++ extension > LastExtensionRequest) { ++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", ++ extension); ++ return (CopyEventCookieType)_XUnknownCopyEventCookie; ++ } + if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; + LockDisplay (dpy); + oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; +@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire( + EventToWireType proc) /* routine to call when converting event */ + { + register EventToWireType oldproc; ++ if (event_number < 0 || ++ event_number > LastExtensionEvent) { ++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", ++ event_number); ++ return (EventToWireType)_XUnknownNativeEvent; ++ } + if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; + LockDisplay (dpy); + oldproc = dpy->wire_vec[event_number]; +@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError( + WireToErrorType proc) /* routine to call when converting error */ + { + register WireToErrorType oldproc = NULL; ++ if (error_number < 0 || ++ error_number > LastExtensionError) { ++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", ++ error_number); ++ return (WireToErrorType)_XDefaultWireError; ++ } + if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; + LockDisplay (dpy); + if (!dpy->error_vec) { +-- +2.41.0 + diff --git a/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch b/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch new file mode 100644 index 0000000..27b5912 --- /dev/null +++ b/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch @@ -0,0 +1,41 @@ +From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:55:04 -0700 +Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed + by protocol + +The PutImage request specifies height & width of the image as CARD16 +(unsigned 16-bit integer), same as the maximum dimensions of an X11 +Drawable, which the image is being copied to. + +Signed-off-by: Alan Coopersmith +--- + src/PutImage.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/PutImage.c b/src/PutImage.c +index a6db7b42..ba411e36 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include "Xlibint.h" + #include "Xutil.h" + #include ++#include + #include "Cr.h" + #include "ImUtil.h" + #include "reallocarray.h" +@@ -962,6 +963,10 @@ XPutImage ( + height = image->height - req_yoffset; + if ((width <= 0) || (height <= 0)) + return 0; ++ if (width > USHRT_MAX) ++ width = USHRT_MAX; ++ if (height > USHRT_MAX) ++ height = USHRT_MAX; + + if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) { + dest_bits_per_pixel = 1; +-- +2.41.0 + diff --git a/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch b/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch new file mode 100644 index 0000000..0900498 --- /dev/null +++ b/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch @@ -0,0 +1,47 @@ +From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 16:12:27 -0700 +Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range + dimensions + +The CreatePixmap request specifies height & width of the image as CARD16 +(unsigned 16-bit integer), so if either is larger than that, set it to 0 +so the X server returns a BadValue error as the protocol requires. + +Signed-off-by: Alan Coopersmith +--- + src/CrPixmap.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/CrPixmap.c b/src/CrPixmap.c +index cdf31207..3cb2ca6d 100644 +--- a/src/CrPixmap.c ++++ b/src/CrPixmap.c +@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. + #include + #endif + #include "Xlibint.h" ++#include + + #ifdef USE_DYNAMIC_XCURSOR + void +@@ -47,6 +48,16 @@ Pixmap XCreatePixmap ( + Pixmap pid; + register xCreatePixmapReq *req; + ++ /* ++ * Force a BadValue X Error if the requested dimensions are larger ++ * than the X11 protocol has room for, since that's how callers expect ++ * to get notified of errors. ++ */ ++ if (width > USHRT_MAX) ++ width = 0; ++ if (height > USHRT_MAX) ++ height = 0; ++ + LockDisplay(dpy); + GetReq(CreatePixmap, req); + req->drawable = d; +-- +2.41.0 + diff --git a/SOURCES/CVE-2021-31535.patch b/SOURCES/CVE-2021-31535.patch new file mode 100644 index 0000000..aa60662 --- /dev/null +++ b/SOURCES/CVE-2021-31535.patch @@ -0,0 +1,411 @@ +From 2714e4478c1262c94de6295cce605c14572968d3 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Fri, 19 Feb 2021 15:30:39 +0100 +Subject: [PATCH libX11] Reject string longer than USHRT_MAX before sending + them on the wire + +The X protocol uses CARD16 values to represent the length so +this would overflow. + +CVE-2021-31535 + +Signed-off-by: Matthieu Herrb + +[mustard: backported 10 1.6.8 by merging the warning fixes from +upstream commimt 84427130 first - ajax] +--- + src/Font.c | 10 ++++++---- + src/FontInfo.c | 5 ++++- + src/FontNames.c | 5 ++++- + src/GetColor.c | 6 +++++- + src/LoadFont.c | 6 +++++- + src/LookupCol.c | 6 ++++-- + src/ParseCol.c | 7 +++++-- + src/QuExt.c | 7 ++++++- + src/SetFPath.c | 12 +++++++++--- + src/SetHints.c | 9 ++++++++- + src/StNColor.c | 5 ++++- + src/StName.c | 11 ++++++++--- + 12 files changed, 68 insertions(+), 21 deletions(-) + +diff --git a/src/Font.c b/src/Font.c +index 09d2ae91..1cd89cca 100644 +--- a/src/Font.c ++++ b/src/Font.c +@@ -102,12 +102,14 @@ XFontStruct *XLoadQueryFont( + XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy); + #endif + ++ if (strlen(name) >= USHRT_MAX) ++ return NULL; + if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0)) + return font_result; + LockDisplay(dpy); + GetReq(OpenFont, req); + seq = dpy->request; /* Can't use extended sequence number here */ +- nbytes = req->nbytes = name ? strlen(name) : 0; ++ nbytes = req->nbytes = (CARD16) (name ? strlen(name) : 0); + req->fid = fid = XAllocID(dpy); + req->length += (nbytes+3)>>2; + Data (dpy, name, nbytes); +@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont( + + if (!name) + return 0; +- l = strlen(name); +- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-') ++ l = (int) strlen(name); ++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX) + return 0; + charset = NULL; + /* next three lines stolen from _XkbGetCharset() */ +@@ -679,7 +681,7 @@ int _XF86LoadQueryLocaleFont( + return 0; + if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset)) + return 0; +- if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1) ++ if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1) + return 0; + strcpy(buf, name); + strcpy(buf + l - 1, p + 1); +diff --git a/src/FontInfo.c b/src/FontInfo.c +index f870e431..6644b3fa 100644 +--- a/src/FontInfo.c ++++ b/src/FontInfo.c +@@ -58,10 +58,13 @@ XFontStruct **info) /* RETURN */ + register xListFontsReq *req; + int j; + ++ if (strlen(pattern) >= USHRT_MAX) ++ return NULL; ++ + LockDisplay(dpy); + GetReq(ListFontsWithInfo, req); + req->maxNames = maxNames; +- nbytes = req->nbytes = pattern ? strlen (pattern) : 0; ++ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0; + req->length += (nbytes + 3) >> 2; + _XSend (dpy, pattern, nbytes); + /* use _XSend instead of Data, since subsequent _XReply will flush buffer */ +diff --git a/src/FontNames.c b/src/FontNames.c +index b78792d6..458d80c9 100644 +--- a/src/FontNames.c ++++ b/src/FontNames.c +@@ -51,10 +51,13 @@ int *actualCount) /* RETURN */ + register xListFontsReq *req; + unsigned long rlen = 0; + ++ if (strlen(pattern) >= USHRT_MAX) ++ return NULL; ++ + LockDisplay(dpy); + GetReq(ListFonts, req); + req->maxNames = maxNames; +- nbytes = req->nbytes = pattern ? strlen (pattern) : 0; ++ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0; + req->length += (nbytes + 3) >> 2; + _XSend (dpy, pattern, nbytes); + /* use _XSend instead of Data, since following _XReply will flush buffer */ +diff --git a/src/GetColor.c b/src/GetColor.c +index cd0eb9f6..c8178067 100644 +--- a/src/GetColor.c ++++ b/src/GetColor.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */ + XcmsColor cmsColor_exact; + Status ret; + ++ if (strlen(colorname) >= USHRT_MAX) ++ return (0); ++ + #ifdef XCMS + /* + * Let's Attempt to use Xcms and i18n approach to Parse Color +@@ -83,7 +87,7 @@ XColor *exact_def) /* RETURN */ + GetReq(AllocNamedColor, req); + + req->cmap = cmap; +- nbytes = req->nbytes = strlen(colorname); ++ nbytes = req->nbytes = (CARD16) strlen(colorname); + req->length += (nbytes + 3) >> 2; /* round up to mult of 4 */ + + _XSend(dpy, colorname, nbytes); +diff --git a/src/LoadFont.c b/src/LoadFont.c +index f547976b..3996436f 100644 +--- a/src/LoadFont.c ++++ b/src/LoadFont.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include "Xlibint.h" + + Font +@@ -38,12 +39,15 @@ XLoadFont ( + Font fid; + register xOpenFontReq *req; + ++ if (strlen(name) >= USHRT_MAX) ++ return (0); ++ + if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid)) + return fid; + + LockDisplay(dpy); + GetReq(OpenFont, req); +- nbytes = req->nbytes = name ? strlen(name) : 0; ++ nbytes = req->nbytes = name ? (CARD16) strlen(name) : 0; + req->fid = fid = XAllocID(dpy); + req->length += (nbytes+3)>>2; + Data (dpy, name, nbytes); +diff --git a/src/LookupCol.c b/src/LookupCol.c +index f7f969f5..cd9b1368 100644 +--- a/src/LookupCol.c ++++ b/src/LookupCol.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,6 +47,9 @@ XLookupColor ( + XcmsCCC ccc; + XcmsColor cmsColor_exact; + ++ n = (int) strlen (spec); ++ if (n >= USHRT_MAX) ++ return 0; + #ifdef XCMS + /* + * Let's Attempt to use Xcms and i18n approach to Parse Color +@@ -77,8 +81,6 @@ XLookupColor ( + * Xcms and i18n methods failed, so lets pass it to the server + * for parsing. + */ +- +- n = strlen (spec); + LockDisplay(dpy); + GetReq (LookupColor, req); + req->cmap = cmap; +diff --git a/src/ParseCol.c b/src/ParseCol.c +index e997b1b8..7a84a17b 100644 +--- a/src/ParseCol.c ++++ b/src/ParseCol.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,7 +47,9 @@ XParseColor ( + XcmsColor cmsColor; + + if (!spec) return(0); +- n = strlen (spec); ++ n = (int) strlen (spec); ++ if (n >= USHRT_MAX) ++ return(0); + if (*spec == '#') { + /* + * RGB +@@ -119,7 +122,7 @@ XParseColor ( + LockDisplay(dpy); + GetReq (LookupColor, req); + req->cmap = cmap; +- req->nbytes = n = strlen(spec); ++ req->nbytes = (CARD16) (n = (int) strlen(spec)); + req->length += (n + 3) >> 2; + Data (dpy, spec, (long)n); + if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) { +diff --git a/src/QuExt.c b/src/QuExt.c +index 4e230e77..4cb99fcf 100644 +--- a/src/QuExt.c ++++ b/src/QuExt.c +@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include ++#include + #include "Xlibint.h" + + Bool +@@ -40,9 +42,12 @@ XQueryExtension( + xQueryExtensionReply rep; + register xQueryExtensionReq *req; + ++ if (strlen(name) >= USHRT_MAX) ++ return false; ++ + LockDisplay(dpy); + GetReq(QueryExtension, req); +- req->nbytes = name ? strlen(name) : 0; ++ req->nbytes = name ? (CARD16) strlen(name) : 0; + req->length += (req->nbytes+(unsigned)3)>>2; + _XSend(dpy, name, (long)req->nbytes); + (void) _XReply (dpy, (xReply *)&rep, 0, xTrue); +diff --git a/src/SetFPath.c b/src/SetFPath.c +index 60aaef01..13fce49e 100644 +--- a/src/SetFPath.c ++++ b/src/SetFPath.c +@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group. + + #ifdef HAVE_CONFIG_H + #include ++#include + #endif + #include "Xlibint.h" + +@@ -48,7 +49,12 @@ XSetFontPath ( + GetReq (SetFontPath, req); + req->nFonts = ndirs; + for (i = 0; i < ndirs; i++) { +- n += safestrlen (directories[i]) + 1; ++ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1)); ++ if (n >= USHRT_MAX) { ++ UnlockDisplay(dpy); ++ SyncHandle(); ++ return 0; ++ } + } + nbytes = (n + 3) & ~3; + req->length += nbytes >> 2; +@@ -59,9 +65,9 @@ XSetFontPath ( + char *tmp = p; + + for (i = 0; i < ndirs; i++) { +- register int length = safestrlen (directories[i]); ++ register int length = (int) safestrlen (directories[i]); + *p = length; +- memcpy (p + 1, directories[i], length); ++ memcpy (p + 1, directories[i], (size_t)length); + p += length + 1; + } + Data (dpy, tmp, nbytes); +diff --git a/src/SetHints.c b/src/SetHints.c +index bc46498a..61cb0684 100644 +--- a/src/SetHints.c ++++ b/src/SetHints.c +@@ -49,6 +49,7 @@ SOFTWARE. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include + #include "Xatomtype.h" +@@ -214,6 +215,8 @@ XSetCommand ( + register char *buf, *bp; + for (i = 0, nbytes = 0; i < argc; i++) { + nbytes += safestrlen(argv[i]) + 1; ++ if (nbytes >= USHRT_MAX) ++ return 1; + } + if ((bp = buf = Xmalloc(nbytes))) { + /* copy arguments into single buffer */ +@@ -256,11 +259,13 @@ XSetStandardProperties ( + + if (name != NULL) XStoreName (dpy, w, name); + ++ if (safestrlen(icon_string) >= USHRT_MAX) ++ return 1; + if (icon_string != NULL) { + XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, + PropModeReplace, + (_Xconst unsigned char *)icon_string, +- safestrlen(icon_string)); ++ (int)safestrlen(icon_string)); + } + + if (icon_pixmap != None) { +@@ -298,6 +303,8 @@ XSetClassHint( + + len_nm = safestrlen(classhint->res_name); + len_cl = safestrlen(classhint->res_class); ++ if (len_nm + len_cl >= USHRT_MAX) ++ return 1; + if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) { + if (len_nm) { + strcpy(s, classhint->res_name); +diff --git a/src/StNColor.c b/src/StNColor.c +index 8b821c3e..16dc9cbc 100644 +--- a/src/StNColor.c ++++ b/src/StNColor.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */ + XcmsColor cmsColor_exact; + XColor scr_def; + ++ if (strlen(name) >= USHRT_MAX) ++ return 0; + #ifdef XCMS + /* + * Let's Attempt to use Xcms approach to Parse Color +@@ -76,7 +79,7 @@ int flags) /* DoRed, DoGreen, DoBlue */ + req->cmap = cmap; + req->flags = flags; + req->pixel = pixel; +- req->nbytes = nbytes = strlen(name); ++ req->nbytes = (CARD16) (nbytes = (unsigned) strlen(name)); + req->length += (nbytes + 3) >> 2; /* round up to multiple of 4 */ + Data(dpy, name, (long)nbytes); + UnlockDisplay(dpy); +diff --git a/src/StName.c b/src/StName.c +index b4048bff..04bb3aa6 100644 +--- a/src/StName.c ++++ b/src/StName.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include + +@@ -36,9 +37,11 @@ XStoreName ( + Window w, + _Xconst char *name) + { +- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, ++ if (strlen(name) >= USHRT_MAX) ++ return 0; ++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */ + 8, PropModeReplace, (_Xconst unsigned char *)name, +- name ? strlen(name) : 0); ++ name ? (int) strlen(name) : 0); + } + + int +@@ -47,7 +50,9 @@ XSetIconName ( + Window w, + _Xconst char *icon_name) + { ++ if (strlen(icon_name) >= USHRT_MAX) ++ return 0; + return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, + PropModeReplace, (_Xconst unsigned char *)icon_name, +- icon_name ? strlen(icon_name) : 0); ++ icon_name ? (int) strlen(icon_name) : 0); + } +-- +2.30.1 + diff --git a/SOURCES/dont-forward-keycode-0.patch b/SOURCES/dont-forward-keycode-0.patch new file mode 100644 index 0000000..c16d874 --- /dev/null +++ b/SOURCES/dont-forward-keycode-0.patch @@ -0,0 +1,53 @@ +diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c +--- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400 ++++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400 +@@ -142,7 +142,7 @@ _XimProtoKeypressFilter( + { + Xim im = (Xim)ic->core.im; + +- if (IS_FABRICATED(im)) { ++ if ((ev->keycode == 0) || IS_FABRICATED(im)) { + _XimPendingFilter(ic); + UNMARK_FABRICATED(im); + return NOTFILTERD; +diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c +--- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400 ++++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400 +@@ -332,6 +332,17 @@ _XimForwardEvent( + XEvent *ev, + Bool sync) + { ++ /* ++ * Don't forward a key event which has keycode=0. ++ * keycode=0 is reserved for special purpose to let Xmb/wcLookupString() ++ * functions know that there is a commited string available from IM. ++ */ ++ if (((ev->type == KeyPress) || (ev->type == KeyRelease))) { ++ if (((XKeyEvent *)ev)->keycode == 0) { ++ return True; ++ } ++ } ++ + #ifdef EXT_FORWARD + if (((ev->type == KeyPress) || (ev->type == KeyRelease))) + if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync)) +@@ -604,6 +615,19 @@ _XimUnregCommitInfo( + Xfree(info->keysym); + ic->private.proto.commit_info = info->next; + Xfree(info); ++ ++ /* ++ * "Commit" uses fabricated flag to process a commited string ++ * from IM engine. ++ * Turn off the fabricated flag here (unregister the commited ++ * information function). Otherwise, next regular key press ++ * event will be ignored at _XimProtoKeypressFilter() and it ++ * will not be passed to IM engine. ++ */ ++ if (IS_FABRICATED(ic)) { ++ UNMARK_FABRICATED(ic); ++ } ++ + return; + } + diff --git a/SPECS/libX11.spec b/SPECS/libX11.spec new file mode 100644 index 0000000..fefcf70 --- /dev/null +++ b/SPECS/libX11.spec @@ -0,0 +1,270 @@ +%global tarball libX11 +#global gitdate 20130524 +%global gitversion a3bdd2b09 + +Summary: Core X11 protocol client library +Name: libX11 +Version: 1.6.8 +Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} +License: MIT +Group: System Environment/Libraries +URL: http://www.x.org + +%if 0%{?gitdate} +Source0: %{tarball}-%{gitdate}.tar.bz2 +Source1: make-git-snapshot.sh +Source2: commitid +%else +Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2 +%endif + +Patch2: dont-forward-keycode-0.patch +Patch3: 0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch +Patch4: 0001-Fix-poll_for_response-race-condition.patch + +# CVE-2020-14363 +Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch +Patch6: CVE-2021-31535.patch +# CVE-2023-3138 +Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch + +# CVE-2023-43785 +Patch8: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch + +# CVE-2023-43786 +Patch9: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch +Patch10: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch +Patch11: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch + +# CVE-2023-43787 +Patch12: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch + +# RHEL-23452 +Patch13: 0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch + +BuildRequires: xorg-x11-util-macros >= 1.11 +BuildRequires: pkgconfig(xproto) >= 7.0.15 +BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4 +BuildRequires: libxcb-devel >= 1.2 +BuildRequires: pkgconfig(xau) pkgconfig(xdmcp) +BuildRequires: perl(Pod::Usage) + +Requires: %{name}-common >= %{version}-%{release} + +%description +Core X11 protocol client library. + +%package common +Summary: Common data for libX11 +Group: System Environment/Libraries +BuildArch: noarch + +%description common +libX11 common data + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: %{name}-xcb = %{version}-%{release} + +%description devel +X.Org X11 libX11 development package + +%package xcb +Summary: XCB interop for libX11 +Group: System Environment/Libraries +Conflicts: %{name} < %{version}-%{release} + +%description xcb +libX11/libxcb interoperability library + +%prep +%setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} +%patch2 -p1 -b .dont-forward-keycode-0 +%patch3 -p1 -b .copycolormapandfree +%patch4 -p1 -b .race +%patch5 -p1 -b .fix-an-integer-overflow-in-init_om +%patch6 -p1 -b .cve-2021-31535 +%patch7 -p1 -b .cve-2023-3138 +%patch8 -p1 -b .cve-2023-43785 +%patch9 -p1 -b .cve-2023-43786 +%patch10 -p1 -b .xputimage-clip-images-to-maximum-height-width-allowe +%patch11 -p1 -b .xcreatepixmap-trigger-badvalue-error-for-out-of-rang +%patch12 -p1 -b .cve-2023-43787 +%patch13 -p1 -b .rhel-23452 + +%build +autoreconf -v --install --force +%configure --disable-silent-rules --disable-static + +make %{?_smp_mflags} + +%install +make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" + +# create/own compose cache dir +mkdir -p $RPM_BUILD_ROOT/var/cache/libX11/compose + +# We intentionally don't ship *.la files +find $RPM_BUILD_ROOT -type f -name '*.la' -delete + +# FIXME: Don't install Xcms.txt - find out why upstream still ships this. +find $RPM_BUILD_ROOT -name 'Xcms.txt' -delete + +# FIXME package these properly +rm -rf $RPM_BUILD_ROOT%{_docdir} + +%check +make %{?_smp_mflags} check + +%ldconfig_post +%ldconfig_postun + +%files +%{_libdir}/libX11.so.6 +%{_libdir}/libX11.so.6.3.0 + +%files xcb +%{_libdir}/libX11-xcb.so.1 +%{_libdir}/libX11-xcb.so.1.0.0 + +%files common +%doc AUTHORS COPYING README.md NEWS +%{_datadir}/X11/locale/ +%{_datadir}/X11/XErrorDB +%dir /var/cache/libX11 +%dir /var/cache/libX11/compose + +%files devel +%{_includedir}/X11/ImUtil.h +%{_includedir}/X11/XKBlib.h +%{_includedir}/X11/Xcms.h +%{_includedir}/X11/Xlib.h +%{_includedir}/X11/XlibConf.h +%{_includedir}/X11/Xlibint.h +%{_includedir}/X11/Xlib-xcb.h +%{_includedir}/X11/Xlocale.h +%{_includedir}/X11/Xregion.h +%{_includedir}/X11/Xresource.h +%{_includedir}/X11/Xutil.h +%{_includedir}/X11/cursorfont.h +%{_libdir}/libX11.so +%{_libdir}/libX11-xcb.so +%{_libdir}/pkgconfig/x11.pc +%{_libdir}/pkgconfig/x11-xcb.pc +%{_mandir}/man3/*.3* +%{_mandir}/man5/*.5* + +%changelog +* Tue Jan 30 2024 Olivier Fourdan - 1.6.8-8 +- Backport fix for Xlib lockups due to recursive XError (RHEL-23452) + +* Wed Oct 11 2023 José Expósito - 1.6.8-7 +- Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms() +- Fix CVE-2023-43786: stack exhaustion from infinite recursion in + PutSubImage() +- Fix CVE-2023-43787: integer overflow in XCreateImage() leading to + a heap overflow + +* Wed Jul 05 2023 Olivier Fourdan - 1.6.8-6 +- CVE fix for: CVE-2023-3138 + Resolve: rhbz#2213762 + +* Thu Aug 12 2021 Adam Jackson - 1.6.8-5 +- Fix CVE-2021-31535 (#1962439) + +* Tue Nov 3 2020 Michel Dänzer - 1.6.8-4 +- Fix CVE-2020-14363 (#1873923) + +* Mon Feb 24 2020 Adam Jackson - 1.6.8-3 +- Fix race condition in poll_for_reponse + +* Fri Dec 13 2019 Adam Jackson - 1.6.8-2 +- Fix assertion on error in XCopyColormapAndFree + +* Tue Nov 19 2019 Adam Jackson - 1.6.8-1 +- libX11 1.6.8 + +* Tue Oct 09 2018 Adam Jackson - 1.6.7-1 +- libX11 1.6.7 + +* Tue Aug 21 2018 Adam Jackson - 1.6.6-1 +- libX11 1.6.6 + +* Fri Jul 13 2018 Fedora Release Engineering - 1.6.5-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 29 2018 Adam Jackson - 1.6.5-8 +- Use ldconfig scriptlet macros + +* Fri Mar 23 2018 Peter Hutterer 1.6.5-7 +- Fix FTBS caused by fake size in the XimCacheStruct (#1556616) + +* Wed Feb 07 2018 Fedora Release Engineering - 1.6.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Oct 17 2017 Peter Hutterer 1.6.5-5 +- run make check as part of the build (#1502658) + +* Tue Aug 01 2017 Adam Jackson - 1.6.5-4 +- Split libX11-xcb to its own subpackage. This doesn't have much effect at + the moment because x11-xcb.pc still lists both libX11 and libxcb in + Requires, but once that's fixed eg. libEGL should be able to be installed + without libX11. + +* Wed Jul 26 2017 Fedora Release Engineering - 1.6.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri May 12 2017 Hans de Goede - 1.6.5-2 +- Rebuild against new xproto to pick up support for new keysyms + +* Wed Apr 26 2017 Adam Jackson - 1.6.5-1 +- libX11 1.6.5 + +* Thu Feb 16 2017 Rex Dieter - 1.6.4-6 +- create/own /var/cache/libx11/compose (#962764) +- %%build: --disable-silent-rules + +* Fri Feb 10 2017 Fedora Release Engineering - 1.6.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 20 2017 Peter Hutterer 1.6.4-4 +- Actually apply the patch from 1.6.4-3 + +* Mon Jan 09 2017 Peter Hutterer 1.6.4-3 +- Fix a bug in the memory leak fix from 1.6.4-2 + +* Thu Jan 05 2017 Peter Hutterer 1.6.4-2 +- Plug a memory leak in XListFonts() + +* Wed Oct 05 2016 Adam Jackson - 1.6.4-1 +- libX11 1.6.4 + +* Thu Feb 04 2016 Fedora Release Engineering - 1.6.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 28 2016 Peter Hutterer +- Remove unnecessary defattr + +* Wed Jun 17 2015 Fedora Release Engineering - 1.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Mar 10 2015 Adam Jackson 1.6.3-1 +- libX11 1.6.3 + +* Sun Aug 17 2014 Fedora Release Engineering - 1.6.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Jun 30 2014 Adam Jackson 1.6.2-1 +- libX11 1.6.2 plus a fix for interleaved xcb/xlib usage +- Use >= for the -common Requires + +* Sat Jun 07 2014 Fedora Release Engineering - 1.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Jul 30 2013 Peter Hutterer 1.6.1-1 +- libX11 1.6.1 + +* Tue Jun 04 2013 Peter Hutterer 1.6.0-1 +- libX11 1.6.0