rpms
/
libX11
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import libX11-1.6.8-8.el8

Browse Source
c8-beta imports/c8-beta/libX11-1.6.8-8.el8
MSVSphere Packaging Team 11 months ago
commit 9481d76d85
15 changed files with 1416 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
SOURCES/libX11-1.6.8.tar.bz2

1
.libX11.metadata
Unescape View File

@ -0,0 +1 @@
f1ea96fe472a981d378b4f2eec90dcd063f9a407 SOURCES/libX11-1.6.8.tar.bz2

166
SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch
Unescape View File

@ -0,0 +1,166 @@
From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Sat, 7 Nov 2020 22:22:47 -0800
Subject: [PATCH libX11] Avoid recursing through _XError due to sequence
adjustment
This patch is based on research done by Dmitry Osipenko to uncover the
cause of a large class of Xlib lockups.
_XError must unlock and re-lock the display around the call to the
user error handler function. When re-locking the display, two
functions are called to ensure that the display is ready to generate a request:
_XIDHandler(dpy);
_XSeqSyncFunction(dpy);
The first ensures that there is at least one XID available to use
(possibly calling _xcb_generate_id to do so). The second makes sure a
reply is received at least every 65535 requests to keep sequence
numbers in sync (possibly generating a GetInputFocus request and
synchronously awaiting the reply).
If the second of these does generate a GetInputFocus request and wait
for the reply, then a pending error will cause recursion into _XError,
which deadlocks the display.
One seemingly easy fix is to have _XError avoid those calls by
invoking InternalLockDisplay instead of LockDisplay. That function
does everything that LockDisplay does *except* call those final two
functions which may end up receiving an error.
However, that doesn't protect the system from applications which call
some legal Xlib function from within their error handler. Any Xlib
function which cannot generate protocol or wait for events is valid,
including many which invoke LockDisplay.
What we need to do is make LockDisplay skip these two function calls
precisely when it is called from within the _XError context for the
same display.
This patch accomplishes this by creating a list of threads in the
display which are in _XError, and then having LockDisplay check the
current thread against those list elements.
Inspired-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Tested-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
(cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277)
---
include/X11/Xlibint.h | 2 ++
src/OpenDis.c | 1 +
src/XlibInt.c | 10 ++++++++++
src/locking.c | 12 ++++++++++++
src/locking.h | 12 ++++++++++++
5 files changed, 37 insertions(+)
diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
index 6b95bcf7..09078e3f 100644
--- a/include/X11/Xlibint.h
+++ b/include/X11/Xlibint.h
@@ -202,6 +202,8 @@ struct _XDisplay
unsigned long last_request_read_upper32bit;
unsigned long request_upper32bit;
#endif
+
+ struct _XErrorThreadInfo *error_threads;
};
#define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n)
diff --git a/src/OpenDis.c b/src/OpenDis.c
index 82723578..85901168 100644
--- a/src/OpenDis.c
+++ b/src/OpenDis.c
@@ -201,6 +201,7 @@ XOpenDisplay (
X_DPY_SET_LAST_REQUEST_READ(dpy, 0);
dpy->default_screen = iscreen; /* Value returned by ConnectDisplay */
dpy->last_req = (char *)&_dummy_request;
+ dpy->error_threads = NULL;
/* Initialize the display lock */
if (InitDisplayLock(dpy) != 0) {
diff --git a/src/XlibInt.c b/src/XlibInt.c
index 4e45e62b..8771b791 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -1482,6 +1482,11 @@ int _XError (
if (_XErrorFunction != NULL) {
int rtn_val;
#ifdef XTHREADS
+ struct _XErrorThreadInfo thread_info = {
+ .error_thread = xthread_self(),
+ .next = dpy->error_threads
+ }, **prev;
+ dpy->error_threads = &thread_info;
if (dpy->lock)
(*dpy->lock->user_lock_display)(dpy);
UnlockDisplay(dpy);
@@ -1491,6 +1496,11 @@ int _XError (
LockDisplay(dpy);
if (dpy->lock)
(*dpy->lock->user_unlock_display)(dpy);
+
+ /* unlink thread_info from the list */
+ for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next)
+ ;
+ *prev = thread_info.next;
#endif
return rtn_val;
} else {
diff --git a/src/locking.c b/src/locking.c
index 9f4fe067..bcadc857 100644
--- a/src/locking.c
+++ b/src/locking.c
@@ -453,6 +453,9 @@ static void _XLockDisplay(
XTHREADS_FILE_LINE_ARGS
)
{
+#ifdef XTHREADS
+ struct _XErrorThreadInfo *ti;
+#endif
#ifdef XTHREADS_WARN
_XLockDisplayWarn(dpy, file, line);
#else
@@ -460,6 +463,15 @@ static void _XLockDisplay(
#endif
if (dpy->lock->locking_level > 0)
_XDisplayLockWait(dpy);
+#ifdef XTHREADS
+ /*
+ * Skip the two function calls below which may generate requests
+ * when LockDisplay is called from within _XError.
+ */
+ for (ti = dpy->error_threads; ti; ti = ti->next)
+ if (ti->error_thread == xthread_self())
+ return;
+#endif
_XIDHandler(dpy);
_XSeqSyncFunction(dpy);
}
diff --git a/src/locking.h b/src/locking.h
index 5251a60c..59fc866e 100644
--- a/src/locking.h
+++ b/src/locking.h
@@ -149,6 +149,18 @@ typedef struct _LockInfoRec {
xmutex_t lock;
} LockInfoRec;
+/* A list of threads currently invoking error handlers on this display
+ * LockDisplay operates differently for these threads, avoiding
+ * generating any requests or reading any events as that can cause
+ * recursion into the error handling code, which will deadlock the
+ * thread.
+ */
+struct _XErrorThreadInfo
+{
+ struct _XErrorThreadInfo *next;
+ xthread_t error_thread;
+};
+
/* XOpenDis.c */
extern int (*_XInitDisplayLock_fn)(Display *dpy);
extern void (*_XFreeDisplayLock_fn)(Display *dpy);
--
2.43.0

58
SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
Unescape View File

@ -0,0 +1,58 @@
From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 17 Sep 2023 14:19:40 -0700
Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in
_XkbReadKeySyms()
Make sure we allocate enough memory in the first place, and
also handle error returns from _XkbReadBufferCopyKeySyms() when
it detects out-of-bounds issues.
Reported-by: Gregory James DUCK <gjduck@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/xkb/XKBGetMap.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 2891d21e..31199e4a 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
if (offset + newMap->nSyms >= map->size_syms) {
register int sz;
- sz = map->size_syms + 128;
+ sz = offset + newMap->nSyms;
+ sz = ((sz + (unsigned) 128) / 128) * 128;
_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
if (map->syms == NULL) {
map->size_syms = 0;
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
map->size_syms = sz;
}
if (newMap->nSyms > 0) {
- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
- newMap->nSyms);
+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+ newMap->nSyms) == 0)
+ return BadLength;
offset += newMap->nSyms;
}
else {
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
if (newSyms == NULL)
return BadAlloc;
- if (newMap->nSyms > 0)
- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
+ if (newMap->nSyms > 0) {
+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
+ return BadLength;
+ }
else
newSyms[0] = NoSymbol;
oldMap->kt_index[0] = newMap->ktIndex[0];
--
2.41.0

37
SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
Unescape View File

@ -0,0 +1,37 @@
From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 15:54:30 -0700
Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion
in PutSubImage()
When splitting a single line of pixels into chunks to send to the
X server, be sure to take into account the number of bits per pixel,
so we don't just loop forever trying to send more pixels than fit in
the given request size and not breaking them down into a small enough
chunk to fix.
Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/PutImage.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/PutImage.c b/src/PutImage.c
index 857ee916..a6db7b42 100644
--- a/src/PutImage.c
+++ b/src/PutImage.c
@@ -914,8 +914,9 @@ PutSubImage (
req_width, req_height - SubImageHeight,
dest_bits_per_pixel, dest_scanline_pad);
} else {
- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
- * dest_scanline_pad) - left_pad;
+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
+ * dest_scanline_pad) - left_pad)
+ / dest_bits_per_pixel;
PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
(unsigned int) SubImageWidth, 1,
--
2.41.0

59
SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
Unescape View File

@ -0,0 +1,59 @@
From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
From: Yair Mizrahi <yairm@jfrog.com>
Date: Thu, 7 Sep 2023 16:15:32 -0700
Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
a heap overflow
When the format is `Pixmap` it calculates the size of the image data as:
ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
There is no validation on the `width` of the image, and so this
calculation exceeds the capacity of a 4-byte integer, causing an overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/ImUtil.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/ImUtil.c b/src/ImUtil.c
index 36f08a03..fbfad33e 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include <stdio.h>
+#include <limits.h>
#include "ImUtil.h"
static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
/*
* compute per line accelerator.
*/
- {
- if (format == ZPixmap)
+ if (format == ZPixmap) {
+ if ((INT_MAX / bits_per_pixel) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
- else
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ } else {
+ if ((INT_MAX - offset) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((width + offset), image->bitmap_pad);
+ ROUNDUP((width + offset), image->bitmap_pad);
}
if (image_bytes_per_line == 0) {
image->bytes_per_line = min_bytes_per_line;
--
2.41.0

64
SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch
Unescape View File

@ -0,0 +1,64 @@
From a515545065ce6e1924de4bc50aaae7ec9b48cfad Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Wed, 11 Dec 2019 11:53:11 -0500
Subject: [PATCH libX11] Fix XTS regression in XCopyColormapAndFree
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
XCopyColormapAndFree/5 threw an assertion:
520|4 5 00014017 1 2|Assertion XCopyColormapAndFree-5.(A)
520|4 5 00014017 1 3|When a colourmap argument does not name a valid colourmap,
520|4 5 00014017 1 4|then a BadColor error occurs.
520|4 5 00014017 1 5|METH: Create a bad colourmap by creating and freeing a colourmap.
520|4 5 00014017 1 6|METH: Call test function using bad colourmap as the colourmap argument.
520|4 5 00014017 1 7|METH: Verify that a BadColor error occurs.
520|4 5 00014017 1 8|unexpected signal 6 (SIGABRT) received
220|4 5 2 15:05:53|UNRESOLVED
410|4 5 1 15:05:53|IC End
510|4|system 0: Abandoning testset: caught unexpected signal 11 (SIGSEGV)
More specifically:
lt-XCopyColormapAndFree: xcb_io.c:533: _XAllocID: Assertion `ret != inval_id' failed.
This bug was introduced (by following my advice, d'oh) in:
commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d
Author: Tapani Pälli <tapani.palli@intel.com>
Date: Mon May 13 08:29:49 2019 +0300
Protect colormap add/removal with display lock
In that patch we moved the call to _XcmsCopyCmapRecAndFree inside the
display lock. The problem is said routine has side effects, including
trying to implicitly create a colormap in some cases. Since we don't run
the XID handler until SyncHandle() we would see inconsistent internal
xlib state, triggering the above assert.
Fix this by dropping and re-taking the display lock before calling into
XCMS.
---
src/CopyCmap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
index b4954b01..b37aba73 100644
--- a/src/CopyCmap.c
+++ b/src/CopyCmap.c
@@ -53,6 +53,11 @@ Colormap XCopyColormapAndFree(
mid = req->mid = XAllocID(dpy);
req->srcCmap = src_cmap;
+ /* re-lock the display to keep XID handling in sync */
+ UnlockDisplay(dpy);
+ SyncHandle();
+ LockDisplay(dpy);
+
#if XCMS
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
#endif
--
2.23.0

37
SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch
Unescape View File

@ -0,0 +1,37 @@
From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Thu, 13 Aug 2020 18:02:58 +0200
Subject: [PATCH] Fix an integer overflow in init_om()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2020-14363
This can lead to a double free later, as reported by Jayden Rivers.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
modules/om/generic/omGeneric.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
index 22f826ec..bcfb9ab8 100644
--- a/modules/om/generic/omGeneric.c
+++ b/modules/om/generic/omGeneric.c
@@ -1908,7 +1908,8 @@ init_om(
char **required_list;
XOrientation *orientation;
char **value, buf[BUFSIZ], *bufptr;
- int count = 0, num = 0, length = 0;
+ int count = 0, num = 0;
+ unsigned int length = 0;
_XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
--
2.28.0

63
SOURCES/0001-Fix-poll_for_response-race-condition.patch
Unescape View File

@ -0,0 +1,63 @@
From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Wed, 29 Jan 2020 09:06:54 +0000
Subject: [PATCH libX11] Fix poll_for_response race condition
In poll_for_response is it possible that event replies are skipped
and a more up to date message reply is returned.
This will cause next poll_for_event call to fail aborting the program.
This was proved using some slow ssh tunnel or using some program
to slow down server replies (I used a combination of xtrace and strace).
How the race happens:
- program enters into poll_for_response;
- poll_for_event is called but the server didn't still send the reply;
- pending_requests is not NULL because we send a request (see call
to append_pending_request in _XSend);
- xcb_poll_for_reply64 is called from poll_for_response;
- xcb_poll_for_reply64 will read from server, at this point
server reply with an event (say sequence N) and the reply to our
last request (say sequence N+1);
- xcb_poll_for_reply64 returns the reply for the request we asked;
- last_request_read is set to N+1 sequence in poll_for_response;
- poll_for_response returns the response to the request;
- poll_for_event is called (for instance from another poll_for_response);
- event with sequence N is retrieved;
- the N sequence is widen, however, as the "new" number computed from
last_request_read is less than N the number is widened to N + 2^32
(assuming last_request_read is still contained in 32 bit);
- poll_for_event enters the nested if statement as req is NULL;
- we compare the widen N (which now does not fit into 32 bit) with
request (which fits into 32 bit) hitting the throw_thread_fail_assert.
I propose to change the widen to not go too far from the wide number
instead of supposing the result is always bigger than the wide number
passed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
src/xcb_io.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/xcb_io.c b/src/xcb_io.c
index 6a12d150..2aacbda3 100644
--- a/src/xcb_io.c
+++ b/src/xcb_io.c
@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply)
}
/* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number.
- * Treating the comparison as a 1 and shifting it avoids a conditional branch.
*/
static void widen(uint64_t *wide, unsigned int narrow)
{
- uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow;
- *wide = new + (((uint64_t)(new < *wide)) << 32);
+ *wide += (int32_t) (narrow - *wide);
}
/* Thread-safety rules:
--
2.23.0

108
SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
Unescape View File

@ -0,0 +1,108 @@
From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 10 Jun 2023 16:30:07 -0700
Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request,
event, & error codes
Fixes CVE-2023-3138: X servers could return values from XQueryExtension
that would cause Xlib to write entries out-of-bounds of the arrays to
store them, though this would only overwrite other parts of the Display
struct, not outside the bounds allocated for that structure.
Reported-by: Gregory James DUCK <gjduck@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/src/InitExt.c b/src/InitExt.c
index 4de46f15..afc00a6b 100644
--- a/src/InitExt.c
+++ b/src/InitExt.c
@@ -33,6 +33,18 @@ from The Open Group.
#include <X11/Xos.h>
#include <stdio.h>
+/* The X11 protocol spec reserves events 64 through 127 for extensions */
+#ifndef LastExtensionEvent
+#define LastExtensionEvent 127
+#endif
+
+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
+#ifndef LastExtensionRequest
+#define FirstExtensionRequest 128
+#define LastExtensionRequest 255
+#endif
+
+
/*
* This routine is used to link a extension in so it will be called
* at appropriate times.
@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
WireToEventType proc) /* routine to call when converting event */
{
register WireToEventType oldproc;
+ if (event_number < 0 ||
+ event_number > LastExtensionEvent) {
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
+ event_number);
+ return (WireToEventType)_XUnknownWireEvent;
+ }
if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
LockDisplay (dpy);
oldproc = dpy->event_vec[event_number];
@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
)
{
WireToEventCookieType oldproc;
+ if (extension < FirstExtensionRequest ||
+ extension > LastExtensionRequest) {
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
+ extension);
+ return (WireToEventCookieType)_XUnknownWireEventCookie;
+ }
if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
LockDisplay (dpy);
oldproc = dpy->generic_event_vec[extension & 0x7F];
@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
)
{
CopyEventCookieType oldproc;
+ if (extension < FirstExtensionRequest ||
+ extension > LastExtensionRequest) {
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
+ extension);
+ return (CopyEventCookieType)_XUnknownCopyEventCookie;
+ }
if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
LockDisplay (dpy);
oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
EventToWireType proc) /* routine to call when converting event */
{
register EventToWireType oldproc;
+ if (event_number < 0 ||
+ event_number > LastExtensionEvent) {
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
+ event_number);
+ return (EventToWireType)_XUnknownNativeEvent;
+ }
if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
LockDisplay (dpy);
oldproc = dpy->wire_vec[event_number];
@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
WireToErrorType proc) /* routine to call when converting error */
{
register WireToErrorType oldproc = NULL;
+ if (error_number < 0 ||
+ error_number > LastExtensionError) {
+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
+ error_number);
+ return (WireToErrorType)_XDefaultWireError;
+ }
if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
LockDisplay (dpy);
if (!dpy->error_vec) {
--
2.41.0

41
SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
Unescape View File

@ -0,0 +1,41 @@
From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 15:55:04 -0700
Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed
by protocol
The PutImage request specifies height & width of the image as CARD16
(unsigned 16-bit integer), same as the maximum dimensions of an X11
Drawable, which the image is being copied to.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/PutImage.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/PutImage.c b/src/PutImage.c
index a6db7b42..ba411e36 100644
--- a/src/PutImage.c
+++ b/src/PutImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include "Xlibint.h"
#include "Xutil.h"
#include <stdio.h>
+#include <limits.h>
#include "Cr.h"
#include "ImUtil.h"
#include "reallocarray.h"
@@ -962,6 +963,10 @@ XPutImage (
height = image->height - req_yoffset;
if ((width <= 0) || (height <= 0))
return 0;
+ if (width > USHRT_MAX)
+ width = USHRT_MAX;
+ if (height > USHRT_MAX)
+ height = USHRT_MAX;
if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
dest_bits_per_pixel = 1;
--
2.41.0

47
SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
Unescape View File

@ -0,0 +1,47 @@
From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 16:12:27 -0700
Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range
dimensions
The CreatePixmap request specifies height & width of the image as CARD16
(unsigned 16-bit integer), so if either is larger than that, set it to 0
so the X server returns a BadValue error as the protocol requires.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/CrPixmap.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/CrPixmap.c b/src/CrPixmap.c
index cdf31207..3cb2ca6d 100644
--- a/src/CrPixmap.c
+++ b/src/CrPixmap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#ifdef USE_DYNAMIC_XCURSOR
void
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
Pixmap pid;
register xCreatePixmapReq *req;
+ /*
+ * Force a BadValue X Error if the requested dimensions are larger
+ * than the X11 protocol has room for, since that's how callers expect
+ * to get notified of errors.
+ */
+ if (width > USHRT_MAX)
+ width = 0;
+ if (height > USHRT_MAX)
+ height = 0;
+
LockDisplay(dpy);
GetReq(CreatePixmap, req);
req->drawable = d;
--
2.41.0

411
SOURCES/CVE-2021-31535.patch
Unescape View File

@ -0,0 +1,411 @@
From 2714e4478c1262c94de6295cce605c14572968d3 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Fri, 19 Feb 2021 15:30:39 +0100
Subject: [PATCH libX11] Reject string longer than USHRT_MAX before sending
them on the wire
The X protocol uses CARD16 values to represent the length so
this would overflow.
CVE-2021-31535
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
[mustard: backported 10 1.6.8 by merging the warning fixes from
upstream commimt 84427130 first - ajax]
---
src/Font.c | 10 ++++++----
src/FontInfo.c | 5 ++++-
src/FontNames.c | 5 ++++-
src/GetColor.c | 6 +++++-
src/LoadFont.c | 6 +++++-
src/LookupCol.c | 6 ++++--
src/ParseCol.c | 7 +++++--
src/QuExt.c | 7 ++++++-
src/SetFPath.c | 12 +++++++++---
src/SetHints.c | 9 ++++++++-
src/StNColor.c | 5 ++++-
src/StName.c | 11 ++++++++---
12 files changed, 68 insertions(+), 21 deletions(-)
diff --git a/src/Font.c b/src/Font.c
index 09d2ae91..1cd89cca 100644
--- a/src/Font.c
+++ b/src/Font.c
@@ -102,12 +102,14 @@ XFontStruct *XLoadQueryFont(
XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
#endif
+ if (strlen(name) >= USHRT_MAX)
+ return NULL;
if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
return font_result;
LockDisplay(dpy);
GetReq(OpenFont, req);
seq = dpy->request; /* Can't use extended sequence number here */
- nbytes = req->nbytes = name ? strlen(name) : 0;
+ nbytes = req->nbytes = (CARD16) (name ? strlen(name) : 0);
req->fid = fid = XAllocID(dpy);
req->length += (nbytes+3)>>2;
Data (dpy, name, nbytes);
@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
if (!name)
return 0;
- l = strlen(name);
- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
+ l = (int) strlen(name);
+ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
return 0;
charset = NULL;
/* next three lines stolen from _XkbGetCharset() */
@@ -679,7 +681,7 @@ int _XF86LoadQueryLocaleFont(
return 0;
if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset))
return 0;
- if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1)
+ if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1)
return 0;
strcpy(buf, name);
strcpy(buf + l - 1, p + 1);
diff --git a/src/FontInfo.c b/src/FontInfo.c
index f870e431..6644b3fa 100644
--- a/src/FontInfo.c
+++ b/src/FontInfo.c
@@ -58,10 +58,13 @@ XFontStruct **info) /* RETURN */
register xListFontsReq *req;
int j;
+ if (strlen(pattern) >= USHRT_MAX)
+ return NULL;
+
LockDisplay(dpy);
GetReq(ListFontsWithInfo, req);
req->maxNames = maxNames;
- nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
+ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
req->length += (nbytes + 3) >> 2;
_XSend (dpy, pattern, nbytes);
/* use _XSend instead of Data, since subsequent _XReply will flush buffer */
diff --git a/src/FontNames.c b/src/FontNames.c
index b78792d6..458d80c9 100644
--- a/src/FontNames.c
+++ b/src/FontNames.c
@@ -51,10 +51,13 @@ int *actualCount) /* RETURN */
register xListFontsReq *req;
unsigned long rlen = 0;
+ if (strlen(pattern) >= USHRT_MAX)
+ return NULL;
+
LockDisplay(dpy);
GetReq(ListFonts, req);
req->maxNames = maxNames;
- nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
+ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
req->length += (nbytes + 3) >> 2;
_XSend (dpy, pattern, nbytes);
/* use _XSend instead of Data, since following _XReply will flush buffer */
diff --git a/src/GetColor.c b/src/GetColor.c
index cd0eb9f6..c8178067 100644
--- a/src/GetColor.c
+++ b/src/GetColor.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
XcmsColor cmsColor_exact;
Status ret;
+ if (strlen(colorname) >= USHRT_MAX)
+ return (0);
+
#ifdef XCMS
/*
* Let's Attempt to use Xcms and i18n approach to Parse Color
@@ -83,7 +87,7 @@ XColor *exact_def) /* RETURN */
GetReq(AllocNamedColor, req);
req->cmap = cmap;
- nbytes = req->nbytes = strlen(colorname);
+ nbytes = req->nbytes = (CARD16) strlen(colorname);
req->length += (nbytes + 3) >> 2; /* round up to mult of 4 */
_XSend(dpy, colorname, nbytes);
diff --git a/src/LoadFont.c b/src/LoadFont.c
index f547976b..3996436f 100644
--- a/src/LoadFont.c
+++ b/src/LoadFont.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include "Xlibint.h"
Font
@@ -38,12 +39,15 @@ XLoadFont (
Font fid;
register xOpenFontReq *req;
+ if (strlen(name) >= USHRT_MAX)
+ return (0);
+
if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
return fid;
LockDisplay(dpy);
GetReq(OpenFont, req);
- nbytes = req->nbytes = name ? strlen(name) : 0;
+ nbytes = req->nbytes = name ? (CARD16) strlen(name) : 0;
req->fid = fid = XAllocID(dpy);
req->length += (nbytes+3)>>2;
Data (dpy, name, nbytes);
diff --git a/src/LookupCol.c b/src/LookupCol.c
index f7f969f5..cd9b1368 100644
--- a/src/LookupCol.c
+++ b/src/LookupCol.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -46,6 +47,9 @@ XLookupColor (
XcmsCCC ccc;
XcmsColor cmsColor_exact;
+ n = (int) strlen (spec);
+ if (n >= USHRT_MAX)
+ return 0;
#ifdef XCMS
/*
* Let's Attempt to use Xcms and i18n approach to Parse Color
@@ -77,8 +81,6 @@ XLookupColor (
* Xcms and i18n methods failed, so lets pass it to the server
* for parsing.
*/
-
- n = strlen (spec);
LockDisplay(dpy);
GetReq (LookupColor, req);
req->cmap = cmap;
diff --git a/src/ParseCol.c b/src/ParseCol.c
index e997b1b8..7a84a17b 100644
--- a/src/ParseCol.c
+++ b/src/ParseCol.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -46,7 +47,9 @@ XParseColor (
XcmsColor cmsColor;
if (!spec) return(0);
- n = strlen (spec);
+ n = (int) strlen (spec);
+ if (n >= USHRT_MAX)
+ return(0);
if (*spec == '#') {
/*
* RGB
@@ -119,7 +122,7 @@ XParseColor (
LockDisplay(dpy);
GetReq (LookupColor, req);
req->cmap = cmap;
- req->nbytes = n = strlen(spec);
+ req->nbytes = (CARD16) (n = (int) strlen(spec));
req->length += (n + 3) >> 2;
Data (dpy, spec, (long)n);
if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) {
diff --git a/src/QuExt.c b/src/QuExt.c
index 4e230e77..4cb99fcf 100644
--- a/src/QuExt.c
+++ b/src/QuExt.c
@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
+#include <stdbool.h>
#include "Xlibint.h"
Bool
@@ -40,9 +42,12 @@ XQueryExtension(
xQueryExtensionReply rep;
register xQueryExtensionReq *req;
+ if (strlen(name) >= USHRT_MAX)
+ return false;
+
LockDisplay(dpy);
GetReq(QueryExtension, req);
- req->nbytes = name ? strlen(name) : 0;
+ req->nbytes = name ? (CARD16) strlen(name) : 0;
req->length += (req->nbytes+(unsigned)3)>>2;
_XSend(dpy, name, (long)req->nbytes);
(void) _XReply (dpy, (xReply *)&rep, 0, xTrue);
diff --git a/src/SetFPath.c b/src/SetFPath.c
index 60aaef01..13fce49e 100644
--- a/src/SetFPath.c
+++ b/src/SetFPath.c
@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
+#include <limits.h>
#endif
#include "Xlibint.h"
@@ -48,7 +49,12 @@ XSetFontPath (
GetReq (SetFontPath, req);
req->nFonts = ndirs;
for (i = 0; i < ndirs; i++) {
- n += safestrlen (directories[i]) + 1;
+ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
+ if (n >= USHRT_MAX) {
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
+ }
}
nbytes = (n + 3) & ~3;
req->length += nbytes >> 2;
@@ -59,9 +65,9 @@ XSetFontPath (
char *tmp = p;
for (i = 0; i < ndirs; i++) {
- register int length = safestrlen (directories[i]);
+ register int length = (int) safestrlen (directories[i]);
*p = length;
- memcpy (p + 1, directories[i], length);
+ memcpy (p + 1, directories[i], (size_t)length);
p += length + 1;
}
Data (dpy, tmp, nbytes);
diff --git a/src/SetHints.c b/src/SetHints.c
index bc46498a..61cb0684 100644
--- a/src/SetHints.c
+++ b/src/SetHints.c
@@ -49,6 +49,7 @@ SOFTWARE.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include "Xatomtype.h"
@@ -214,6 +215,8 @@ XSetCommand (
register char *buf, *bp;
for (i = 0, nbytes = 0; i < argc; i++) {
nbytes += safestrlen(argv[i]) + 1;
+ if (nbytes >= USHRT_MAX)
+ return 1;
}
if ((bp = buf = Xmalloc(nbytes))) {
/* copy arguments into single buffer */
@@ -256,11 +259,13 @@ XSetStandardProperties (
if (name != NULL) XStoreName (dpy, w, name);
+ if (safestrlen(icon_string) >= USHRT_MAX)
+ return 1;
if (icon_string != NULL) {
XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
PropModeReplace,
(_Xconst unsigned char *)icon_string,
- safestrlen(icon_string));
+ (int)safestrlen(icon_string));
}
if (icon_pixmap != None) {
@@ -298,6 +303,8 @@ XSetClassHint(
len_nm = safestrlen(classhint->res_name);
len_cl = safestrlen(classhint->res_class);
+ if (len_nm + len_cl >= USHRT_MAX)
+ return 1;
if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
if (len_nm) {
strcpy(s, classhint->res_name);
diff --git a/src/StNColor.c b/src/StNColor.c
index 8b821c3e..16dc9cbc 100644
--- a/src/StNColor.c
+++ b/src/StNColor.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
XcmsColor cmsColor_exact;
XColor scr_def;
+ if (strlen(name) >= USHRT_MAX)
+ return 0;
#ifdef XCMS
/*
* Let's Attempt to use Xcms approach to Parse Color
@@ -76,7 +79,7 @@ int flags) /* DoRed, DoGreen, DoBlue */
req->cmap = cmap;
req->flags = flags;
req->pixel = pixel;
- req->nbytes = nbytes = strlen(name);
+ req->nbytes = (CARD16) (nbytes = (unsigned) strlen(name));
req->length += (nbytes + 3) >> 2; /* round up to multiple of 4 */
Data(dpy, name, (long)nbytes);
UnlockDisplay(dpy);
diff --git a/src/StName.c b/src/StName.c
index b4048bff..04bb3aa6 100644
--- a/src/StName.c
+++ b/src/StName.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <X11/Xlibint.h>
#include <X11/Xatom.h>
@@ -36,9 +37,11 @@ XStoreName (
Window w,
_Xconst char *name)
{
- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
+ if (strlen(name) >= USHRT_MAX)
+ return 0;
+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
8, PropModeReplace, (_Xconst unsigned char *)name,
- name ? strlen(name) : 0);
+ name ? (int) strlen(name) : 0);
}
int
@@ -47,7 +50,9 @@ XSetIconName (
Window w,
_Xconst char *icon_name)
{
+ if (strlen(icon_name) >= USHRT_MAX)
+ return 0;
return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
PropModeReplace, (_Xconst unsigned char *)icon_name,
- icon_name ? strlen(icon_name) : 0);
+ icon_name ? (int) strlen(icon_name) : 0);
}
--
2.30.1

53
SOURCES/dont-forward-keycode-0.patch
Unescape View File

@ -0,0 +1,53 @@
diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c
--- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400
+++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400
@@ -142,7 +142,7 @@ _XimProtoKeypressFilter(
{
Xim im = (Xim)ic->core.im;
- if (IS_FABRICATED(im)) {
+ if ((ev->keycode == 0) || IS_FABRICATED(im)) {
_XimPendingFilter(ic);
UNMARK_FABRICATED(im);
return NOTFILTERD;
diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c
--- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400
+++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400
@@ -332,6 +332,17 @@ _XimForwardEvent(
XEvent *ev,
Bool sync)
{
+ /*
+ * Don't forward a key event which has keycode=0.
+ * keycode=0 is reserved for special purpose to let Xmb/wcLookupString()
+ * functions know that there is a commited string available from IM.
+ */
+ if (((ev->type == KeyPress) || (ev->type == KeyRelease))) {
+ if (((XKeyEvent *)ev)->keycode == 0) {
+ return True;
+ }
+ }
+
#ifdef EXT_FORWARD
if (((ev->type == KeyPress) || (ev->type == KeyRelease)))
if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync))
@@ -604,6 +615,19 @@ _XimUnregCommitInfo(
Xfree(info->keysym);
ic->private.proto.commit_info = info->next;
Xfree(info);
+
+ /*
+ * "Commit" uses fabricated flag to process a commited string
+ * from IM engine.
+ * Turn off the fabricated flag here (unregister the commited
+ * information function). Otherwise, next regular key press
+ * event will be ignored at _XimProtoKeypressFilter() and it
+ * will not be passed to IM engine.
+ */
+ if (IS_FABRICATED(ic)) {
+ UNMARK_FABRICATED(ic);
+ }
+
return;
}

270
SPECS/libX11.spec
Unescape View File

@ -0,0 +1,270 @@
%global tarball libX11
#global gitdate 20130524
%global gitversion a3bdd2b09
Summary: Core X11 protocol client library
Name: libX11
Version: 1.6.8
Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
License: MIT
Group: System Environment/Libraries
URL: http://www.x.org
%if 0%{?gitdate}
Source0: %{tarball}-%{gitdate}.tar.bz2
Source1: make-git-snapshot.sh
Source2: commitid
%else
Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2
%endif
Patch2: dont-forward-keycode-0.patch
Patch3: 0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch
Patch4: 0001-Fix-poll_for_response-race-condition.patch
# CVE-2020-14363
Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
Patch6: CVE-2021-31535.patch
# CVE-2023-3138
Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
# CVE-2023-43785
Patch8: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
# CVE-2023-43786
Patch9: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
Patch10: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
Patch11: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
# CVE-2023-43787
Patch12: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
# RHEL-23452
Patch13: 0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch
BuildRequires: xorg-x11-util-macros >= 1.11
BuildRequires: pkgconfig(xproto) >= 7.0.15
BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
BuildRequires: libxcb-devel >= 1.2
BuildRequires: pkgconfig(xau) pkgconfig(xdmcp)
BuildRequires: perl(Pod::Usage)
Requires: %{name}-common >= %{version}-%{release}
%description
Core X11 protocol client library.
%package common
Summary: Common data for libX11
Group: System Environment/Libraries
BuildArch: noarch
%description common
libX11 common data
%package devel
Summary: Development files for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: %{name}-xcb = %{version}-%{release}
%description devel
X.Org X11 libX11 development package
%package xcb
Summary: XCB interop for libX11
Group: System Environment/Libraries
Conflicts: %{name} < %{version}-%{release}
%description xcb
libX11/libxcb interoperability library
%prep
%setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}}
%patch2 -p1 -b .dont-forward-keycode-0
%patch3 -p1 -b .copycolormapandfree
%patch4 -p1 -b .race
%patch5 -p1 -b .fix-an-integer-overflow-in-init_om
%patch6 -p1 -b .cve-2021-31535
%patch7 -p1 -b .cve-2023-3138
%patch8 -p1 -b .cve-2023-43785
%patch9 -p1 -b .cve-2023-43786
%patch10 -p1 -b .xputimage-clip-images-to-maximum-height-width-allowe
%patch11 -p1 -b .xcreatepixmap-trigger-badvalue-error-for-out-of-rang
%patch12 -p1 -b .cve-2023-43787
%patch13 -p1 -b .rhel-23452
%build
autoreconf -v --install --force
%configure --disable-silent-rules --disable-static
make %{?_smp_mflags}
%install
make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p"
# create/own compose cache dir
mkdir -p $RPM_BUILD_ROOT/var/cache/libX11/compose
# We intentionally don't ship *.la files
find $RPM_BUILD_ROOT -type f -name '*.la' -delete
# FIXME: Don't install Xcms.txt - find out why upstream still ships this.
find $RPM_BUILD_ROOT -name 'Xcms.txt' -delete
# FIXME package these properly
rm -rf $RPM_BUILD_ROOT%{_docdir}
%check
make %{?_smp_mflags} check
%ldconfig_post
%ldconfig_postun
%files
%{_libdir}/libX11.so.6
%{_libdir}/libX11.so.6.3.0
%files xcb
%{_libdir}/libX11-xcb.so.1
%{_libdir}/libX11-xcb.so.1.0.0
%files common
%doc AUTHORS COPYING README.md NEWS
%{_datadir}/X11/locale/
%{_datadir}/X11/XErrorDB
%dir /var/cache/libX11
%dir /var/cache/libX11/compose
%files devel
%{_includedir}/X11/ImUtil.h
%{_includedir}/X11/XKBlib.h
%{_includedir}/X11/Xcms.h
%{_includedir}/X11/Xlib.h
%{_includedir}/X11/XlibConf.h
%{_includedir}/X11/Xlibint.h
%{_includedir}/X11/Xlib-xcb.h
%{_includedir}/X11/Xlocale.h
%{_includedir}/X11/Xregion.h
%{_includedir}/X11/Xresource.h
%{_includedir}/X11/Xutil.h
%{_includedir}/X11/cursorfont.h
%{_libdir}/libX11.so
%{_libdir}/libX11-xcb.so
%{_libdir}/pkgconfig/x11.pc
%{_libdir}/pkgconfig/x11-xcb.pc
%{_mandir}/man3/*.3*
%{_mandir}/man5/*.5*
%changelog
* Tue Jan 30 2024 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-8
- Backport fix for Xlib lockups due to recursive XError (RHEL-23452)
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.6.8-7
- Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
- Fix CVE-2023-43786: stack exhaustion from infinite recursion in
PutSubImage()
- Fix CVE-2023-43787: integer overflow in XCreateImage() leading to
a heap overflow
* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-6
- CVE fix for: CVE-2023-3138
Resolve: rhbz#2213762
* Thu Aug 12 2021 Adam Jackson <ajax@redhat.com> - 1.6.8-5
- Fix CVE-2021-31535 (#1962439)
* Tue Nov 3 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.6.8-4
- Fix CVE-2020-14363 (#1873923)
* Mon Feb 24 2020 Adam Jackson <ajax@redhat.com> - 1.6.8-3
- Fix race condition in poll_for_reponse
* Fri Dec 13 2019 Adam Jackson <ajax@redhat.com> - 1.6.8-2
- Fix assertion on error in XCopyColormapAndFree
* Tue Nov 19 2019 Adam Jackson <ajax@redhat.com> - 1.6.8-1
- libX11 1.6.8
* Tue Oct 09 2018 Adam Jackson <ajax@redhat.com> - 1.6.7-1
- libX11 1.6.7
* Tue Aug 21 2018 Adam Jackson <ajax@redhat.com> - 1.6.6-1
- libX11 1.6.6
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.5-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Jun 29 2018 Adam Jackson <ajax@redhat.com> - 1.6.5-8
- Use ldconfig scriptlet macros
* Fri Mar 23 2018 Peter Hutterer <peter.hutterer@redhat.com> 1.6.5-7
- Fix FTBS caused by fake size in the XimCacheStruct (#1556616)
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.5-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Oct 17 2017 Peter Hutterer <peter.hutterer@redhat.com> 1.6.5-5
- run make check as part of the build (#1502658)
* Tue Aug 01 2017 Adam Jackson <ajax@redhat.com> - 1.6.5-4
- Split libX11-xcb to its own subpackage. This doesn't have much effect at
the moment because x11-xcb.pc still lists both libX11 and libxcb in
Requires, but once that's fixed eg. libEGL should be able to be installed
without libX11.
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri May 12 2017 Hans de Goede <hdegoede@redhat.com> - 1.6.5-2
- Rebuild against new xproto to pick up support for new keysyms
* Wed Apr 26 2017 Adam Jackson <ajax@redhat.com> - 1.6.5-1
- libX11 1.6.5
* Thu Feb 16 2017 Rex Dieter <rdieter@fedoraproject.org> - 1.6.4-6
- create/own /var/cache/libx11/compose (#962764)
- %%build: --disable-silent-rules
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 20 2017 Peter Hutterer <peter.hutterer@redhat.com> 1.6.4-4
- Actually apply the patch from 1.6.4-3
* Mon Jan 09 2017 Peter Hutterer <peter.hutterer@redhat.com> 1.6.4-3
- Fix a bug in the memory leak fix from 1.6.4-2
* Thu Jan 05 2017 Peter Hutterer <peter.hutterer@redhat.com> 1.6.4-2
- Plug a memory leak in XListFonts()
* Wed Oct 05 2016 Adam Jackson <ajax@redhat.com> - 1.6.4-1
- libX11 1.6.4
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Jan 28 2016 Peter Hutterer <peter.hutterer@redhat.com>
- Remove unnecessary defattr
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Mar 10 2015 Adam Jackson <ajax@redhat.com> 1.6.3-1
- libX11 1.6.3
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Mon Jun 30 2014 Adam Jackson <ajax@redhat.com> 1.6.2-1
- libX11 1.6.2 plus a fix for interleaved xcb/xlib usage
- Use >= for the -common Requires
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Jul 30 2013 Peter Hutterer <peter.hutterer@redhat.com> 1.6.1-1
- libX11 1.6.1
* Tue Jun 04 2013 Peter Hutterer <peter.hutterer@redhat.com> 1.6.0-1
- libX11 1.6.0
Write Preview
Loading…
Cancel
Save