import libX11-1.8.7-7.el10

c10-beta imports/c10-beta/libX11-1.8.7-7.el10
MSVSphere Packaging Team 3 months ago
commit c60912afc6
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/libX11-1.8.7.tar.xz

@ -0,0 +1 @@
034271312467ea99699fb8d926118d395e33a663 SOURCES/libX11-1.8.7.tar.xz
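Review bot: the digest recorded for SOURCES/libX11-1.8.7.tar.xz is 40 hex characters, which is the length of a SHA-1 digest, and it is the only integrity record for the tarball in this commit. If the lookaside tooling accepts a stronger digest, record a SHA-256 or SHA-512 value here so the imported source is pinned by a collision-resistant hash.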

@ -0,0 +1,52 @@
From 751fbc59c30604980fdd19cb4b333d3cf2eccb24 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 21 Jun 2024 14:37:24 +0200
Subject: [PATCH] Fix deadlock in XRebindKeysym()
Xlib is now built with threading support enabled from the constructor
by default.
XRebindKeysym() acquires the display lock, then calls:
| XRebindKeysym()
| LockDisplay()
| ComputeMaskFromKeytrans()
| -> XkbKeysymToModifiers()
| -> _XkbLoadDpy()
| -> XkbGetMap()
| -> XkbGetUpdatedMap()
| LockDisplay()
And the dead lock:
| Xlib ERROR: XKBGetMap.c line 575 thread 1fc6e580: locking display already
| locked at KeyBind.c line 937
To avoid the issue, call ComputeMaskFromKeytrans() from outside the display
lock.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Closes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/216
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/256>
---
src/KeyBind.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/KeyBind.c b/src/KeyBind.c
index a8181b91..a5e22131 100644
--- a/src/KeyBind.c
+++ b/src/KeyBind.c
@@ -958,8 +958,9 @@ XRebindKeysym (
memcpy ((char *) p->modifiers, (char *) mlist, (size_t) nb);
p->key = keysym;
p->mlen = nm;
- ComputeMaskFromKeytrans(dpy, p);
UnlockDisplay(dpy);
+ ComputeMaskFromKeytrans(dpy, p);
+
return 0;
}
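Review bot: `ComputeMaskFromKeytrans(dpy, p);` now runs after `UnlockDisplay(dpy);`, so `p` is read and written with no lock held. If `p` has already been linked into a display-owned list earlier in the function (outside this hunk), another thread can observe or modify the entry before its mask is computed. Please confirm which is the case, and if the entry is already published, either compute the mask before linking it or keep `p` private until the mask is set.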
--
2.45.2

@ -0,0 +1,49 @@
From 4f5541193dd5a004ed5ea44c12fc25e227113c9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 16:37:21 +0200
Subject: [PATCH 1/6] Fix use of uninitialized variable in _XimTriggerNotify
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
`_XimRead()` is being called with `reply` as target buffer instead of
using `preply`, accessing uninitialized memory a few lines later.
This error has been found by a static analysis tool. This is the report:
Error: UNINIT (CWE-457):
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: alloc_fn:
Calling "malloc" which returns uninitialized memory.
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: assign:
Assigning: "preply" = "malloc((size_t)((len == 0) ? 1 : len))",
which points to uninitialized data.
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:573: uninit_use:
Using uninitialized value "*((CARD8 *)preply)".
# 571| }
# 572| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
# 573|-> if (*((CARD8 *)preply) == XIM_ERROR) {
# 574| _XimProcError(im, 0, (XPointer)&buf_s[3]);
# 575| if(reply != preply)
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/im/ximcp/imDefLkup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
index 2e53ab23..8ccaee26 100644
--- a/modules/im/ximcp/imDefLkup.c
+++ b/modules/im/ximcp/imDefLkup.c
@@ -635,7 +635,7 @@ _XimTriggerNotify(
} else {
buf_size = len;
preply = Xmalloc(len);
- ret_code = _XimRead(im, &len, (XPointer)reply, buf_size,
+ ret_code = _XimRead(im, &len, preply, buf_size,
_XimTriggerNotifyCheck, (XPointer)ic);
if(ret_code != XIM_TRUE) {
Xfree(preply);
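Review bot: `preply = Xmalloc(len);` in the context line directly above the changed call is passed to `_XimRead()` with no NULL check in between. With the fix, an allocation failure now hands a NULL target buffer to `_XimRead()` instead of the stack `reply`. Add a check after the allocation and return the function's failure value before the read.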
--
2.45.2

@ -0,0 +1,34 @@
From 5dfedaf4aa1a032ea6cb4e871abd2e065f798129 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 6 Jun 2024 16:25:26 +0200
Subject: [PATCH 1/3] Revert "Fix XTS regression in XCopyColormapAndFree"
This change was to fix the next change that we are to revert as well.
This reverts commit 68c72a7341b114277ab232f2499ee3bd035af8a0.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
---
src/CopyCmap.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
index b37aba73..b4954b01 100644
--- a/src/CopyCmap.c
+++ b/src/CopyCmap.c
@@ -53,11 +53,6 @@ Colormap XCopyColormapAndFree(
mid = req->mid = XAllocID(dpy);
req->srcCmap = src_cmap;
- /* re-lock the display to keep XID handling in sync */
- UnlockDisplay(dpy);
- SyncHandle();
- LockDisplay(dpy);
-
#if XCMS
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
#endif
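Review bot: after this revert `_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);` is reached with the display still locked (the removed lines unlocked and re-locked around this point), and patch 2/3 in the same series states that this call path takes the display lock again through `XGetVisualInfo()`. The tree is therefore deadlock-prone at this commit and only correct once 2/3 is applied. Either squash the two reverts or say in the commit message that this state must not be built or bisected on its own.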
--
2.45.2

@ -0,0 +1,49 @@
From eaad761e24722b1743d3edee3383294bfb4947d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 16:41:40 +0200
Subject: [PATCH 2/6] Fix use of uninitialized variable in _XimExtension
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
`_XimRead()` is being called with `reply` as target buffer instead of
using `preply`, accessing uninitialized memory a few lines later.
This error has been found by a static analysis tool. This is the report:
Error: UNINIT (CWE-457):
libX11-1.8.7/modules/im/ximcp/imExten.c:468: alloc_fn:
Calling "malloc" which returns uninitialized memory.
libX11-1.8.7/modules/im/ximcp/imExten.c:468: assign:
Assigning: "preply" = "malloc((size_t)((buf_size == 0) ? 1 : buf_size))",
which points to uninitialized data.
libX11-1.8.7/modules/im/ximcp/imExten.c:479: uninit_use:
Using uninitialized value "*((CARD8 *)preply)".
# 477| return False;
# 478| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
# 479|-> if (*((CARD8 *)preply) == XIM_ERROR) {
# 480| _XimProcError(im, 0, (XPointer)&buf_s[3]);
# 481| if(reply != preply)
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/im/ximcp/imExten.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/im/ximcp/imExten.c b/modules/im/ximcp/imExten.c
index c2e48a89..a25f00d0 100644
--- a/modules/im/ximcp/imExten.c
+++ b/modules/im/ximcp/imExten.c
@@ -466,7 +466,7 @@ _XimExtension(
} else {
buf_size = len;
preply = Xmalloc(buf_size);
- ret_code = _XimRead(im, &len, reply, buf_size,
+ ret_code = _XimRead(im, &len, preply, buf_size,
_XimQueryExtensionCheck, 0);
if(ret_code != XIM_TRUE) {
Xfree(preply);
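Review bot: this is the second file in the series where `_XimRead()` was given `reply` right after `preply = Xmalloc(...)`, which points to a copied pattern rather than a one-off. Please audit the remaining `_XimRead()` callers that use the `reply`/`preply` pair and add a test that exercises the oversized-reply branch, since nothing in this patch would catch a third instance. The `preply = Xmalloc(buf_size);` line above the changed call is also used without a NULL check.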
--
2.45.2

@ -0,0 +1,92 @@
From 739fce4c12c7aa39112353d80c8a3bf25bdd5274 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 7 Jun 2024 09:07:39 +0200
Subject: [PATCH 2/3] Revert "Protect colormap add/removal with display lock"
That commit 99a2cf1aa was moving the calls to the _Xcms*CmapRec*()
family of functions within a display lock to make the XCMS colormap
functions thread safe.
Unfortunately, that causes a deadlock in XCopyColormapAndFree(), because
_XcmsCopyCmapRecAndFree() calls CmapRecForColormap() which calls
XGetVisualInfo() which also tries to acquire the display lock.
So, instead of moving the entire functions within the display lock,
let's try to make the functions themselves thread safe in the following
commit, and revert this change which causes a deadlock.
This reverts commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d.
Fixes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
Reviewed-by: Adam Jackson <ajax@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
---
src/CopyCmap.c | 6 +++---
src/CrCmap.c | 6 +++---
src/FreeCmap.c | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
index b4954b01..5444550c 100644
--- a/src/CopyCmap.c
+++ b/src/CopyCmap.c
@@ -53,12 +53,12 @@ Colormap XCopyColormapAndFree(
mid = req->mid = XAllocID(dpy);
req->srcCmap = src_cmap;
+ UnlockDisplay(dpy);
+ SyncHandle();
+
#if XCMS
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
#endif
- UnlockDisplay(dpy);
- SyncHandle();
-
return(mid);
}
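Review bot: the guard in this file is `#if XCMS`, while the matching hunks for src/CrCmap.c and src/FreeCmap.c use `#ifdef XCMS`. The two forms behave differently when the macro is defined with no value (`#if XCMS` then fails to preprocess) or defined as 0. Since the three call sites are being touched together, make them consistent, preferably `#ifdef XCMS` in all three.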
diff --git a/src/CrCmap.c b/src/CrCmap.c
index 1b18a15b..9904c7dd 100644
--- a/src/CrCmap.c
+++ b/src/CrCmap.c
@@ -48,12 +48,12 @@ Colormap XCreateColormap(
if (visual == CopyFromParent) req->visual = CopyFromParent;
else req->visual = visual->visualid;
+ UnlockDisplay(dpy);
+ SyncHandle();
+
#ifdef XCMS
_XcmsAddCmapRec(dpy, mid, w, visual);
#endif
- UnlockDisplay(dpy);
- SyncHandle();
-
return(mid);
}
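Review bot: with `UnlockDisplay(dpy); SyncHandle();` moved above it, `_XcmsAddCmapRec(dpy, mid, w, visual);` runs with no lock held, and the locking around `dpy->cms.clientCmaps` inside that function only arrives in patch 3/3. Between this patch and the next the list update is unprotected. The spec applies Patch04 and Patch05 in order, which is fine, but the commit message should state that this revert must not ship without 3/3.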
diff --git a/src/FreeCmap.c b/src/FreeCmap.c
index 68496dd8..e2b76fa6 100644
--- a/src/FreeCmap.c
+++ b/src/FreeCmap.c
@@ -41,12 +41,12 @@ XFreeColormap(
LockDisplay(dpy);
GetResReq(FreeColormap, cmap, req);
+ UnlockDisplay(dpy);
+ SyncHandle();
+
#ifdef XCMS
_XcmsDeleteCmapRec(dpy, cmap);
#endif
- UnlockDisplay(dpy);
- SyncHandle();
-
return 1;
}
--
2.45.2

@ -0,0 +1,47 @@
From 836a8f2cf5e930c8a56b512273fdf9890282ba04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 16:49:26 +0200
Subject: [PATCH 3/6] Fix use of uninitialized variable in
_XimEncodeICATTRIBUTE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In the `res->resource_size == XimType_NEST` code path, if
`res->xrm_name != pre_quark` and `res->xrm_name != sts_quark`, `len` can
be used uninitialized.
This error has been found by a static analysis tool. This is the report:
Error: UNINIT (CWE-457):
libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1106: var_decl:
Declaring variable "len" without initializer.
libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1179: uninit_use:
Using uninitialized value "len".
# 1177| }
# 1178|
# 1179|-> if (len == 0) {
# 1180| continue;
# 1181| } else if (len < 0) {
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/im/ximcp/imRmAttr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index 709e64ab..c56bd62e 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -1115,6 +1115,7 @@ _XimEncodeICATTRIBUTE(
*ret_len = 0;
for (p = arg; p && p->name; p++) {
+ len = 0;
buf_s = (CARD16 *)buf;
if (!(res = _XimGetResourceListRec(res_list, res_num, p->name))) {
if (_XimSetInnerICAttributes(ic, top, p, mode))
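Review bot: resetting `len = 0;` at the top of each iteration silences the uninitialized read, but combined with the `if (len == 0) { continue; }` shown in the quoted report it means a nested attribute whose `xrm_name` is neither `pre_quark` nor `sts_quark` is now skipped silently. If that combination is invalid input, handle it explicitly in the `XimType_NEST` branch with an error return rather than relying on the default value; if skipping is intended, add a comment saying so.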
--
2.45.2

@ -0,0 +1,92 @@
From 1472048b7a02d1b7fc25cfeda761db23fba21eac Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 7 Jun 2024 09:05:55 +0200
Subject: [PATCH 3/3] Make colormap private interfaces thread safe.
Protect access to the dpy structure by a display lock, so that these can
be called outside of a global display lock.
That allows the XCMS colormap functions to be thread safe without having
the whole functions within a display lock, to avoid deadlocks.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
Reviewed-by: Adam Jackson <ajax@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
---
src/xcms/cmsCmap.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/xcms/cmsCmap.c b/src/xcms/cmsCmap.c
index c7087ecb..4b229477 100644
--- a/src/xcms/cmsCmap.c
+++ b/src/xcms/cmsCmap.c
@@ -87,12 +87,17 @@ CmapRecForColormap(
_XAsyncHandler async;
_XAsyncErrorState async_state;
+ LockDisplay(dpy);
for (pRec = (XcmsCmapRec *)dpy->cms.clientCmaps; pRec != NULL;
pRec = pRec->pNext) {
if (pRec->cmapID == cmap) {
+ UnlockDisplay(dpy);
+ SyncHandle();
return(pRec);
}
}
+ UnlockDisplay(dpy);
+ SyncHandle();
/*
* Can't find an XcmsCmapRec associated with cmap in our records.
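Review bot: the lookup releases the lock with `UnlockDisplay(dpy);` and then does `return(pRec);`, so the caller receives a pointer to a list node that is no longer protected. `_XcmsDeleteCmapRec()` in this same patch unlinks the node and calls `Xfree(pRec);` under the lock, so a concurrent delete can free the record while the caller of this function is still using it. The lock covers the list traversal but not the lifetime of the returned record; please document the ownership rule or give callers a way to hold the record safely.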
@@ -258,9 +263,12 @@ _XcmsAddCmapRec(
pNew->dpy = dpy;
pNew->windowID = windowID;
pNew->visual = visual;
+ LockDisplay(dpy);
pNew->pNext = (XcmsCmapRec *)dpy->cms.clientCmaps;
dpy->cms.clientCmaps = (XPointer)pNew;
dpy->free_funcs->clientCmaps = _XcmsFreeClientCmaps;
+ UnlockDisplay(dpy);
+ SyncHandle();
/*
* Note, we don't create the XcmsCCC for pNew->ccc here because
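Review bot: `SyncHandle();` after this critical section follows a pure in-memory list update with no request queued, and the public caller in src/CrCmap.c already runs `UnlockDisplay(dpy); SyncHandle();` immediately before calling `_XcmsAddCmapRec()`. Any installed synchronization handler will therefore run twice per public call. Consider dropping `SyncHandle()` from the private helpers, or explain in a comment why it is needed here.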
@@ -342,6 +350,7 @@ _XcmsDeleteCmapRec(
}
/* search for it in the list */
+ LockDisplay(dpy);
pPrevPtr = (XcmsCmapRec **)&dpy->cms.clientCmaps;
while ((pRec = *pPrevPtr) && (pRec->cmapID != cmap)) {
pPrevPtr = &pRec->pNext;
@@ -354,6 +363,8 @@ _XcmsDeleteCmapRec(
*pPrevPtr = pRec->pNext;
Xfree(pRec);
}
+ UnlockDisplay(dpy);
+ SyncHandle();
}
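Review bot: the `LockDisplay(dpy);` added in the previous hunk and the `UnlockDisplay(dpy);` added here bracket several lines that the diff does not show. Please confirm that the elided region has no early `return` that would leave the display locked, and that nothing called there takes the display lock again, since that is the deadlock this series is fixing elsewhere.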
@@ -378,6 +389,7 @@ _XcmsFreeClientCmaps(
{
XcmsCmapRec *pRecNext, *pRecFree;
+ LockDisplay(dpy);
pRecNext = (XcmsCmapRec *)dpy->cms.clientCmaps;
while (pRecNext != NULL) {
pRecFree = pRecNext;
@@ -390,6 +402,8 @@ _XcmsFreeClientCmaps(
Xfree(pRecFree);
}
dpy->cms.clientCmaps = (XPointer)NULL;
+ UnlockDisplay(dpy);
+ SyncHandle();
}
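Review bot: `_XcmsFreeClientCmaps()` is installed as a callback via `dpy->free_funcs->clientCmaps = _XcmsFreeClientCmaps;` in the `_XcmsAddCmapRec()` hunk, and it now calls `LockDisplay(dpy);` itself. Please confirm that the code invoking `free_funcs` callbacks never does so with the display lock already held and that the lock is still valid at that point in teardown; otherwise this adds a self-deadlock on display close. A one-line comment stating the locking contract for this callback would help.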
--
2.45.2

@ -0,0 +1,62 @@
From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 17:37:39 +0200
Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in
XkbResizeKeyActions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Passing a negative value in `needed` to the `XkbResizeKeyActions()`
function can create a `newActs` array of an unespected size.
Check the value and return if it is invalid.
This error has been found by a static analysis tool. This is the report:
Error: OVERRUN (CWE-119):
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const:
Checking "xkb->server->size_acts == 0" implies that
"xkb->server->size_acts" is 0 on the true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc:
"calloc" allocates 8 bytes dictated by parameters
"(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)"
and "8UL".
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign:
Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment:
Assigning: "nActs" = "1".
libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least:
Checking "nCopy > 0" implies that "nCopy" is at least 1 on the
true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg:
Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by
passing it to a function which accesses it at byte offset 15
using argument "nCopy * 8UL" (which evaluates to 8).
# 828|
# 829| if (nCopy > 0)
# 830|-> memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
# 831| nCopy * sizeof(XkbAction));
# 832| if (nCopy < nKeyActs)
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
src/xkb/XKBMAlloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c
index 8b3be303..0563a688 100644
--- a/src/xkb/XKBMAlloc.c
+++ b/src/xkb/XKBMAlloc.c
@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed)
register int i, nActs;
XkbAction *newActs;
- if (needed == 0) {
+ if (needed <= 0) {
xkb->server->key_acts[key] = 0;
return NULL;
}
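Review bot: it is not clear from the commit message how `if (needed <= 0)` closes the path in the quoted report, which reaches the `memcpy` through `xkb->server->size_acts == 0` and `nActs = 1` rather than through a negative `needed`. Please explain the link in the message, or add the check that actually bounds `nActs + nCopy` against the allocated size. Separately, `xkb->server->key_acts[key] = 0;` indexes with `key` without any range check visible in this hunk, and a negative `needed` is now treated the same as "no actions" instead of being reported as invalid.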
--
2.45.2

@ -0,0 +1,64 @@
From f67a87dad40141f50f4da35b28a92a974bfdf7e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 18:04:35 +0200
Subject: [PATCH 5/6] Fix memory leak in _XimProtoSetIMValues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This error has been found by a static analysis tool. This is the report:
Error: RESOURCE_LEAK (CWE-772):
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: alloc_fn:
Storage is returned from allocation function "calloc".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: var_assign:
Assigning: "tmp" = storage returned from
"calloc((size_t)((buf_size + data_len == 0) ? 1 : (buf_size + data_len)), 1UL)".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1319: noescape:
Resource "tmp" is not freed or pointed-to in "memcpy".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1320: var_assign:
Assigning: "buf" = "tmp".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1302: var_assign:
Assigning: "data" = "buf".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1303: noescape:
Resource "data" is not freed or pointed-to in
"_XimEncodeIMATTRIBUTE".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
Variable "data" going out of scope leaks the storage it points to.
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
Variable "buf" going out of scope leaks the storage it points to.
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
Variable "tmp" going out of scope leaks the storage it points to.
# 1331|
# 1332| if (!total)
# 1333|-> return (char *)NULL;
# 1334|
# 1335| buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/im/ximcp/imDefIm.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
index a12d2970..e3075398 100644
--- a/modules/im/ximcp/imDefIm.c
+++ b/modules/im/ximcp/imDefIm.c
@@ -1327,8 +1327,11 @@ _XimProtoSetIMValues(
}
_XimSetCurrentIMValues(im, &im_values);
- if (!total)
- return (char *)NULL;
+ if (!total) {
+ if (buf != tmp_buf)
+ Xfree(buf);
+ return (char *)NULL;
+ }
buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
buf_s[0] = im->private.proto.imid;
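Review bot: the `if (buf != tmp_buf) Xfree(buf);` cleanup is added only on the `!total` return, so any other early return in this function after `buf` has been reallocated still needs the same treatment. A single cleanup label that every exit path jumps to would prevent the leak from coming back when the function is next edited. The added block also mixes indentation depth between the `if` and the `return`, which is worth normalizing to the file's style.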
--
2.45.2

@ -0,0 +1,57 @@
From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 18:21:08 +0200
Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When `num_fields == 12`, if the last character of the pattern is '-',
the `buf` array is overrun.
This error has been found by a static analysis tool. This is the report:
Error: OVERRUN (CWE-119):
libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most:
Checking "length > 255" implies that "length" may be up to 255 on
the false branch.
libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias:
Assigning: "last" = "buf + length - 1". "last" may now point to as
high as byte 254 of "buf" (which consists of 256 bytes).
libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr:
Incrementing "last". "last" may now point to as high as byte 255
of "buf" (which consists of 256 bytes).
libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr:
Incrementing "last". "last" may now point to as high as byte 256
of "buf" (which consists of 256 bytes).
libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local:
Overrunning array of 256 bytes at byte offset 256 by
dereferencing pointer "++last".
# 718| *++last = '*';
# 719|
# 720|-> *++last = '-';
# 721| break;
# 722| case 13:
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/om/generic/omGeneric.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
index 406cec93..370072f3 100644
--- a/modules/om/generic/omGeneric.c
+++ b/modules/om/generic/omGeneric.c
@@ -688,7 +688,7 @@ parse_omit_name(
length = strlen (pattern);
- if (length > XLFD_MAX_LEN)
+ if (length > XLFD_MAX_LEN - 1)
return -1;
strcpy(buf, pattern);
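Review bot: the new bound `length > XLFD_MAX_LEN - 1` only just fits the case from the report. With the 256-byte `buf` and `last = buf + length - 1`, a 254-character pattern puts `last` at byte 253, and the two writes `*++last = '*';` and `*++last = '-';` land on bytes 254 and 255, the final byte of the array. That overwrites the terminator written by `strcpy(buf, pattern);` and leaves no room for anything appended after `last`. Please size the check for the worst-case number of appended characters plus the NUL, and replace the bare `- 1` with a named constant or a comment explaining it.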
--
2.45.2

@ -0,0 +1,53 @@
diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c
--- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400
+++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400
@@ -142,7 +142,7 @@ _XimProtoKeypressFilter(
{
Xim im = (Xim)ic->core.im;
- if (IS_FABRICATED(im)) {
+ if ((ev->keycode == 0) || IS_FABRICATED(im)) {
_XimPendingFilter(ic);
UNMARK_FABRICATED(im);
return NOTFILTERD;
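Review bot: with `(ev->keycode == 0) || IS_FABRICATED(im)`, the body now runs `UNMARK_FABRICATED(im);` for every keycode-0 event even when the flag was never set, and the condition has no comment explaining why keycode 0 is treated like a fabricated event. Add a short comment here matching the one in `_XimForwardEvent()`, and confirm that clearing the flag unconditionally on this path is intended.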
diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c
--- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400
+++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400
@@ -332,6 +332,17 @@ _XimForwardEvent(
XEvent *ev,
Bool sync)
{
+ /*
+ * Don't forward a key event which has keycode=0.
+ * keycode=0 is reserved for special purpose to let Xmb/wcLookupString()
+ * functions know that there is a commited string available from IM.
+ */
+ if (((ev->type == KeyPress) || (ev->type == KeyRelease))) {
+ if (((XKeyEvent *)ev)->keycode == 0) {
+ return True;
+ }
+ }
+
#ifdef EXT_FORWARD
if (((ev->type == KeyPress) || (ev->type == KeyRelease)))
if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync))
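Review bot: the early `return True;` reports the event as forwarded when it was in fact dropped, and it bypasses the `sync` handling for that event. Please state in the comment that callers treat `True` as "nothing more to do", or return a value that distinguishes the two cases. The nested `if` with doubled parentheses can be a single condition, and "commited" in the comment should be "committed".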
@@ -604,6 +615,19 @@ _XimUnregCommitInfo(
Xfree(info->keysym);
ic->private.proto.commit_info = info->next;
Xfree(info);
+
+ /*
+ * "Commit" uses fabricated flag to process a commited string
+ * from IM engine.
+ * Turn off the fabricated flag here (unregister the commited
+ * information function). Otherwise, next regular key press
+ * event will be ignored at _XimProtoKeypressFilter() and it
+ * will not be passed to IM engine.
+ */
+ if (IS_FABRICATED(ic)) {
+ UNMARK_FABRICATED(ic);
+ }
+
return;
}
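Review bot: this hunk calls `IS_FABRICATED(ic)` and `UNMARK_FABRICATED(ic)` with the input context, while the hunk in imDefFlt.c applies the same macros to `im`, obtained as `Xim im = (Xim)ic->core.im;`. Unless the macros are defined to accept either type, one of the two call sites is operating on the wrong structure. Please check the macro definition and, if it expects the input method, pass `ic->core.im` here.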

@ -0,0 +1,362 @@
%global tarball libX11
#global gitdate 20130524
#global gitversion a3bdd2b09
Summary: Core X11 protocol client library
Name: libX11
Version: 1.8.7
Release: 7%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
License: MIT AND X11
URL: http://www.x.org
%if 0%{?gitdate}
Source0: %{tarball}-%{gitdate}.tar.bz2
Source1: make-git-snapshot.sh
Source2: commitid
%else
Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.xz
%endif
Patch02: dont-forward-keycode-0.patch
# https://issues.redhat.com/browse/RHEL-40132
Patch03: 0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch
Patch04: 0002-Revert-Protect-colormap-add-removal-with-display-loc.patch
Patch05: 0003-Make-colormap-private-interfaces-thread-safe.patch
# https://issues.redhat.com/browse/RHEL-34918
Patch06: 0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch
Patch07: 0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch
Patch08: 0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch
Patch09: 0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch
Patch10: 0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch
Patch11: 0006-Fix-buffer-overrun-in-parse_omit_name.patch
# https://issues.redhat.com/browse/RHEL-45855
Patch12: 0001-Fix-deadlock-in-XRebindKeysym.patch
BuildRequires: libtool
BuildRequires: make
BuildRequires: xorg-x11-util-macros >= 1.11
BuildRequires: pkgconfig(xproto) >= 7.0.15
BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
BuildRequires: libxcb-devel >= 1.2
BuildRequires: pkgconfig(xau) pkgconfig(xdmcp)
BuildRequires: perl(Pod::Usage)
Requires: %{name}-common >= %{version}-%{release}
%description
Core X11 protocol client library.
%package common
Summary: Common data for libX11
BuildArch: noarch
%description common
libX11 common data
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}-%{release}
Requires: %{name}-xcb = %{version}-%{release}
%description devel
X.Org X11 libX11 development package
%package xcb
Summary: XCB interop for libX11
Conflicts: %{name} < %{version}-%{release}
%description xcb
libX11/libxcb interoperability library
%prep
%autosetup -p1 -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}}
%build
autoreconf -v --install --force
%configure --disable-silent-rules --disable-static
make %{?_smp_mflags}
%install
make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p"
# create/own compose cache dir
mkdir -p $RPM_BUILD_ROOT/var/cache/libX11/compose
# We intentionally don't ship *.la files
find $RPM_BUILD_ROOT -type f -name '*.la' -delete
# FIXME: Don't install Xcms.txt - find out why upstream still ships this.
find $RPM_BUILD_ROOT -name 'Xcms.txt' -delete
# FIXME package these properly
rm -rf $RPM_BUILD_ROOT%{_docdir}
%check
make %{?_smp_mflags} check
%ldconfig_post
%ldconfig_postun
%files
%{_libdir}/libX11.so.6
%{_libdir}/libX11.so.6.4.0
%files xcb
%{_libdir}/libX11-xcb.so.1
%{_libdir}/libX11-xcb.so.1.0.0
%files common
%doc AUTHORS COPYING README.md
%{_datadir}/X11/locale/
%{_datadir}/X11/XErrorDB
%dir /var/cache/libX11
%dir /var/cache/libX11/compose
%files devel
%{_includedir}/X11/ImUtil.h
%{_includedir}/X11/XKBlib.h
%{_includedir}/X11/Xcms.h
%{_includedir}/X11/Xlib.h
%{_includedir}/X11/XlibConf.h
%{_includedir}/X11/Xlibint.h
%{_includedir}/X11/Xlib-xcb.h
%{_includedir}/X11/Xlocale.h
%{_includedir}/X11/Xregion.h
%{_includedir}/X11/Xresource.h
%{_includedir}/X11/Xutil.h
%{_includedir}/X11/cursorfont.h
%{_includedir}/X11/extensions/XKBgeom.h
%{_libdir}/libX11.so
%{_libdir}/libX11-xcb.so
%{_libdir}/pkgconfig/x11.pc
%{_libdir}/pkgconfig/x11-xcb.pc
%{_mandir}/man3/*.3*
%{_mandir}/man5/*.5*
%changelog
* Fri Jul 05 2024 José Expósito <jexposit@redhat.com> - 1.8.7-7
- Fix deadlock in XRebindKeysym()
Resolves: https://issues.redhat.com/browse/RHEL-45855
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.8.7-6
- Bump release for June 2024 mass rebuild
* Thu Jun 20 2024 José Expósito <jexposit@redhat.com> - 1.8.7-5
- Add gating.yaml
* Thu Jun 20 2024 José Expósito <jexposit@redhat.com> - 1.8.7-4
- Fix XTS test XCopyColormapAndFree/5 hangs
Resolves: https://issues.redhat.com/browse/RHEL-40132
- Fix RHEL SAST Automation errors
Resolves: https://issues.redhat.com/browse/RHEL-34918
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Oct 04 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.7-1
- libX11 1.8.7
- CVE-2023-43785 libX11: out-of-bounds memory access in _XkbReadKeySyms()
- CVE-2023-43786 libX11: stack exhaustion from infinite recursion in
PutSubImage()
- CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to
a heap overflow
- CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
- CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap
* Thu Sep 07 2023 José Expósito <jexposit@redhat.com> - 1.8.6-3
- SPDX Migration
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jun 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.6-1
- libX11 1.8.6 (CVE-2023-3138)
* Mon Jun 05 2023 Peter Hutterer <peter.hutterer@redhat.com> 1.8.5-1
- libX11 1.8.5
* Wed Feb 08 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.4-1
- libX11 1.8.4
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jan 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.3-2
- Fix XPutBackEvent() issues (#2161020)
* Fri Jan 06 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.3-1
- libX11 1.8.3
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jun 16 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.1-1
- libX11 1.8.1
* Mon Apr 04 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.5-1
- libX11 1.7.5
* Thu Mar 31 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.4-1
- libX11 1.7.4
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Dec 10 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.3.1-1
- libX11 1.7.3.1
* Tue Dec 07 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.3-1
- libX11 1.7.3
- manually add ax_gcc_builtin, it's missing from the tarball
* Tue Jul 27 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.2-3
- Parse the new _EVDEVK symbols
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jun 09 2021 Peter Hutterer <peter.hutterer@redhat.com> 1.7.2-1
- libX11 1.7.2
* Tue May 18 2021 Adam Jackson <ajax@redhat.com> - 1.7.1-1
- libX11 1.7.1 (CVE-2021-31535)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 01 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-2
- libX11 1.7.0 (with the tarball this time)
* Tue Dec 01 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-1
- libX11 1.7.0
- switch to using the autosetup rpm macro
* Mon Nov 09 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.6.12-3
- Fix a race-condition in poll_for_response (#1758384)
* Thu Nov 5 11:12:56 AEST 2020 Peter Hutterer <peter.hutterer@redhat.com> - 1.6.12-2
- Add BuildRequires for make
* Wed Aug 26 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.6.12-1
- libX11 1.6.12 (CVE-2020-14363, CVE 2020-14344)
* Fri Jul 31 2020 Adam Jackson <ajax@redhat.com> - 1.6.9-5
- Fix server reply validation issue in XIM (CVE 2020-14344)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Dec 11 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.9-2
- handle ssharp in XConvertCase
* Wed Oct 09 2019 Adam Jackson <ajax@redhat.com> - 1.6.9-1
- libX11 1.6.9
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 20 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.8-2
- rebuild to pick up the new xorgproto keysyms
* Thu Jun 20 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.8-1
- libX11 1.6.8
* Thu Mar 21 2019 Adam Jackson <ajax@redhat.com> - 1.6.7-3
- Rebuild for xtrans 1.4.0
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Oct 09 2018 Adam Jackson <ajax@redhat.com> - 1.6.7-1
- libX11 1.6.7
* Tue Aug 21 2018 Adam Jackson <ajax@redhat.com> - 1.6.6-1
- libX11 1.6.6
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.5-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Jun 29 2018 Adam Jackson <ajax@redhat.com> - 1.6.5-8
- Use ldconfig scriptlet macros
* Fri Mar 23 2018 Peter Hutterer <peter.hutterer@redhat.com> 1.6.5-7
- Fix FTBS caused by fake size in the XimCacheStruct (#1556616)
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.5-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Oct 17 2017 Peter Hutterer <peter.hutterer@redhat.com> 1.6.5-5
- run make check as part of the build (#1502658)
* Tue Aug 01 2017 Adam Jackson <ajax@redhat.com> - 1.6.5-4
- Split libX11-xcb to its own subpackage. This doesn't have much effect at
the moment because x11-xcb.pc still lists both libX11 and libxcb in
Requires, but once that's fixed eg. libEGL should be able to be installed
without libX11.
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri May 12 2017 Hans de Goede <hdegoede@redhat.com> - 1.6.5-2
- Rebuild against new xproto to pick up support for new keysyms
* Wed Apr 26 2017 Adam Jackson <ajax@redhat.com> - 1.6.5-1
- libX11 1.6.5
* Thu Feb 16 2017 Rex Dieter <rdieter@fedoraproject.org> - 1.6.4-6
- create/own /var/cache/libx11/compose (#962764)
- %%build: --disable-silent-rules
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 20 2017 Peter Hutterer <peter.hutterer@redhat.com> 1.6.4-4
- Actually apply the patch from 1.6.4-3
* Mon Jan 09 2017 Peter Hutterer <peter.hutterer@redhat.com> 1.6.4-3
- Fix a bug in the memory leak fix from 1.6.4-2
* Thu Jan 05 2017 Peter Hutterer <peter.hutterer@redhat.com> 1.6.4-2
- Plug a memory leak in XListFonts()
* Wed Oct 05 2016 Adam Jackson <ajax@redhat.com> - 1.6.4-1
- libX11 1.6.4
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Jan 28 2016 Peter Hutterer <peter.hutterer@redhat.com>
- Remove unnecessary defattr
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Mar 10 2015 Adam Jackson <ajax@redhat.com> 1.6.3-1
- libX11 1.6.3
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Mon Jun 30 2014 Adam Jackson <ajax@redhat.com> 1.6.2-1
- libX11 1.6.2 plus a fix for interleaved xcb/xlib usage
- Use >= for the -common Requires
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Jul 30 2013 Peter Hutterer <peter.hutterer@redhat.com> 1.6.1-1
- libX11 1.6.1
* Tue Jun 04 2013 Peter Hutterer <peter.hutterer@redhat.com> 1.6.0-1
- libX11 1.6.0
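Review bot: `%prep` goes straight to `%autosetup` with no verification of `Source0`, so the build trusts whatever tarball matches the lookaside digest. Upstream X.Org releases are signed; consider adding the detached signature and the release keyring as extra `Source` entries and verifying them in `%prep` (Fedora provides `%{gpgverify}` for this). Also, `URL: http://www.x.org` is plain HTTP while `Source0` already uses HTTPS, and the two `FIXME` lines in `%install` (deleting `Xcms.txt` and `rm -rf $RPM_BUILD_ROOT%{_docdir}`) should be tracked in an issue rather than carried forward on each import.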