--- /dev/null
+From 39547d600a13713e15429f49768e54c3173c828d Mon Sep 17 00:00:00 2001
+From: Karl Tomlinson <xmail@karlt.net>
+Date: Mon, 18 Feb 2013 01:25:34 +0000
+Subject: MakeBigReq: don't move the last word, already handled by Data32
+
+MakeBigReq inserts a length field after the first 4 bytes of the request
+(after req->length), pushing everything else back by 4 bytes.
+
+The current memmove moves everything but the first 4 bytes back.
+If a request aligns to the end of the buffer pointer when MakeBigReq is
+invoked for that request, this runs over the buffer.
+Instead, we need to memmove minus the first 4 bytes (which aren't moved),
+minus the last 4 bytes (so we still align to the previous tail).
+
+The 4 bytes that fell out are already handled with Data32, which will
+handle the buffermax correctly.
+
+The case where req->length = 1 was already not functional.
+
+Reported by Abhishek Arya <inferno@chromium.org>.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=803762
+
+Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
+index 40965c4..06395b3 100644
+--- a/include/X11/Xlibint.h
++++ b/include/X11/Xlibint.h
+@@ -486,6 +486,14 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len);
+ req = (xReq *) _XGetRequest(dpy, X_/**/name, SIZEOF(xReq))
+ #endif
+
++/*
++ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
++ * length, after req->length, before the data in the request. The new length
++ * includes the "n" extra 32-bit words.
++ *
++ * Do not use MakeBigReq if there is no data already in the request.
++ * req->length must already be >= 2.
++ */
+ #ifdef WORD64
+ #define MakeBigReq(req,n) \
+ { \
+@@ -493,7 +501,7 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len);
+ CARD32 _BRlen = req->length - 1; \
+ req->length = 0; \
+ _BRdat = ((CARD32 *)req)[_BRlen]; \
+- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+ ((CARD32 *)req)[1] = _BRlen + n + 2; \
+ Data32(dpy, &_BRdat, 4); \
+ }
+@@ -504,13 +512,20 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len);
+ CARD32 _BRlen = req->length - 1; \
+ req->length = 0; \
+ _BRdat = ((CARD32 *)req)[_BRlen]; \
+- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+ ((CARD32 *)req)[1] = _BRlen + n + 2; \
+ Data32(dpy, &_BRdat, 4); \
+ }
+ #endif
+ #endif
+
++/*
++ * SetReqLen increases the count of 32-bit words in the request by "n",
++ * or by "badlen" if "n" is too large.
++ *
++ * Do not use SetReqLen if "req" does not already have data after the
++ * xReq header. req->length must already be >= 2.
++ */
+ #ifndef __clang_analyzer__
+ #define SetReqLen(req,n,badlen) \
+ if ((req->length + n) > (unsigned)65535) { \
+--
+cgit v0.10.2
+
--- /dev/null
+From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 20:08:59 +0100
+Subject: xkb: Don't swap XkbSetGeometry data in the input buffer
+
+The XkbSetGeometry request embeds data which needs to be swapped when the
+server and the client have different endianess.
+
+_XkbSetGeometry() invokes functions that swap these data directly in the
+input buffer.
+
+However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
+(if there is more than one keyboard), thus causing on swapped clients the
+same data to be swapped twice in memory, further causing a server crash
+because the strings lengths on the second time are way off bounds.
+
+To allow _XkbSetGeometry() to run reliably more than once with swapped
+clients, do not swap the data in the buffer, use variables instead.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 15c7f34..b9a3ac4 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4961,14 +4961,13 @@ static char *
+ _GetCountedString(char **wire_inout, Bool swap)
+ {
+ char *wire, *str;
+- CARD16 len, *plen;
++ CARD16 len;
+
+ wire = *wire_inout;
+- plen = (CARD16 *) wire;
++ len = *(CARD16 *) wire;
+ if (swap) {
+- swaps(plen);
++ swaps(&len);
+ }
+- len = *plen;
+ str = malloc(len + 1);
+ if (str) {
+ memcpy(str, &wire[2], len);
+@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
+ {
+ char *wire;
+ xkbDoodadWireDesc *dWire;
++ xkbAnyDoodadWireDesc any;
++ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
++ any = dWire->any;
+ wire = (char *) &dWire[1];
+ if (client->swapped) {
+- swapl(&dWire->any.name);
+- swaps(&dWire->any.top);
+- swaps(&dWire->any.left);
+- swaps(&dWire->any.angle);
++ swapl(&any.name);
++ swaps(&any.top);
++ swaps(&any.left);
++ swaps(&any.angle);
+ }
+ CHK_ATOM_ONLY(dWire->any.name);
+- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
++ doodad = XkbAddGeomDoodad(geom, section, any.name);
+ if (!doodad)
+ return BadAlloc;
+ doodad->any.type = dWire->any.type;
+ doodad->any.priority = dWire->any.priority;
+- doodad->any.top = dWire->any.top;
+- doodad->any.left = dWire->any.left;
+- doodad->any.angle = dWire->any.angle;
++ doodad->any.top = any.top;
++ doodad->any.left = any.left;
++ doodad->any.angle = any.angle;
+ switch (doodad->any.type) {
+ case XkbOutlineDoodad:
+ case XkbSolidDoodad:
+@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
+ dWire->text.colorNdx);
+ return BadMatch;
+ }
++ text = dWire->text;
+ if (client->swapped) {
+- swaps(&dWire->text.width);
+- swaps(&dWire->text.height);
++ swaps(&text.width);
++ swaps(&text.height);
+ }
+- doodad->text.width = dWire->text.width;
+- doodad->text.height = dWire->text.height;
++ doodad->text.width = text.width;
++ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+ doodad->text.text = _GetCountedString(&wire, client->swapped);
+ doodad->text.font = _GetCountedString(&wire, client->swapped);
+--
+cgit v0.10.2
+
+From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 08:44:45 +0100
+Subject: xkb: Check strings length against request size
+
+Ensure that the given strings length in an XkbSetGeometry request remain
+within the limits of the size of the request.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index b9a3ac4..f3988f9 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
+
+ /***====================================================================***/
+
+-static char *
+-_GetCountedString(char **wire_inout, Bool swap)
++static Status
++_GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ {
+- char *wire, *str;
++ char *wire, *next;
+ CARD16 len;
+
+ wire = *wire_inout;
+ len = *(CARD16 *) wire;
+- if (swap) {
++ if (client->swapped) {
+ swaps(&len);
+ }
+- str = malloc(len + 1);
+- if (str) {
+- memcpy(str, &wire[2], len);
+- str[len] = '\0';
+- }
+- wire += XkbPaddedSize(len + 2);
+- *wire_inout = wire;
+- return str;
++ next = wire + XkbPaddedSize(len + 2);
++ /* Check we're still within the size of the request */
++ if (client->req_len <
++ bytes_to_int32(next - (char *) client->requestBuffer))
++ return BadValue;
++ *str = malloc(len + 1);
++ if (!*str)
++ return BadAlloc;
++ memcpy(*str, &wire[2], len);
++ *(*str + len) = '\0';
++ *wire_inout = next;
++ return Success;
+ }
+
+ static Status
+@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout,
+ xkbAnyDoodadWireDesc any;
+ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
++ Status status;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
+ any = dWire->any;
+@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout,
+ doodad->text.width = text.width;
+ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+- doodad->text.text = _GetCountedString(&wire, client->swapped);
+- doodad->text.font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->text.text);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &doodad->text.font);
++ if (status != Success) {
++ free (doodad->text.text);
++ return status;
++ }
+ break;
+ case XkbIndicatorDoodad:
+ if (dWire->indicator.onColorNdx >= geom->num_colors) {
+@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout,
+ }
+ doodad->logo.color_ndx = dWire->logo.colorNdx;
+ doodad->logo.shape_ndx = dWire->logo.shapeNdx;
+- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++ if (status != Success)
++ return status;
+ break;
+ default:
+ client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
+@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ char *wire;
+
+ wire = (char *) &req[1];
+- geom->label_font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &geom->label_font);
++ if (status != Success)
++ return status;
+
+ for (i = 0; i < req->nProperties; i++) {
+ char *name, *val;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
+- val = _GetCountedString(&wire, client->swapped);
+- if (!val) {
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &val);
++ if (status != Success) {
+ free(name);
+- return BadAlloc;
++ return status;
+ }
+ if (XkbAddGeomProperty(geom, name, val) == NULL) {
+ free(name);
+@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ for (i = 0; i < req->nColors; i++) {
+ char *name;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
+ if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
+ free(name);
+ return BadAlloc;
+--
+cgit v0.10.2
+
--- /dev/null
+From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Feb 2015 15:50:45 -0800
+Subject: bdfReadProperties: property count needs range check [CVE-2015-1802]
+
+Avoid integer overflow or underflow when allocating memory arrays
+by multiplying the number of properties reported for a BDF font.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 914a024..6387908 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
+ bdfError("missing 'STARTPROPERTIES'\n");
+ return (FALSE);
+ }
+- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
++ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
++ (nProps <= 0) ||
++ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
+ bdfError("bad 'STARTPROPERTIES'\n");
+ return (FALSE);
+ }
+--
+cgit v0.10.2
+
--- /dev/null
+From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Feb 2015 15:54:00 -0800
+Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read
+ [CVE-2015-1803]
+
+Previously would charge on ahead with a NULL pointer in ci->bits, and
+then crash later in FontCharInkMetrics() trying to access the bits.
+
+Found with afl-1.23b.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 6387908..1b29b81 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ ci->metrics.descent = -bb;
+ ci->metrics.characterWidth = wx;
+ ci->bits = NULL;
+- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
++ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
++ bdfError("could not read bitmap for character '%s'\n", charName);
++ goto BAILOUT;
++ }
+ ci++;
+ ndx++;
+ } else
+--
+cgit v0.10.2
+
--- /dev/null
+From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Mar 2015 22:54:58 -0800
+Subject: bdfReadCharacters: ensure metrics fit into xCharInfo struct
+ [CVE-2015-1804]
+
+We use 32-bit ints to read from the bdf file, but then try to stick
+into a 16-bit int in the xCharInfo struct, so make sure they won't
+overflow that range.
+
+Found by afl-1.24b.
+
+v2: Verify that additions won't overflow 32-bit int range either.
+v3: As Julien correctly observes, the previous check for bh & bw not
+ being < 0 reduces the number of cases we need to check for overflow.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 1b29b81..a0ace8f 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -62,8 +62,16 @@ from The Open Group.
+
+ #if HAVE_STDINT_H
+ #include <stdint.h>
+-#elif !defined(INT32_MAX)
+-#define INT32_MAX 0x7fffffff
++#else
++# ifndef INT32_MAX
++# define INT32_MAX 0x7fffffff
++# endif
++# ifndef INT16_MAX
++# define INT16_MAX 0x7fff
++# endif
++# ifndef INT16_MIN
++# define INT16_MIN (0 - 0x8000)
++# endif
+ #endif
+
+ #define INDICES 256
+@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ bdfError("DWIDTH y value must be zero\n");
+ goto BAILOUT;
+ }
++ /* xCharInfo metrics are stored as INT16 */
++ if ((wx < 0) || (wx > INT16_MAX)) {
++ bdfError("character '%s' has out of range width, %d\n",
++ charName, wx);
++ goto BAILOUT;
++ }
+ line = bdfGetLine(file, lineBuf, BDFLINELEN);
+ if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
+ bdfError("bad 'BBX'\n");
+@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ charName, bw, bh);
+ goto BAILOUT;
+ }
++ /* xCharInfo metrics are read as int, but stored as INT16 */
++ if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
++ (bb > INT16_MAX) || (bb < INT16_MIN) ||
++ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
++ bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
++ charName, bl, (bl+bw), (bh+bb), -bb);
++ goto BAILOUT;
++ }
+ line = bdfGetLine(file, lineBuf, BDFLINELEN);
+ if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
+ for (p = line + strlen("ATTRIBUTES ");
+--
+cgit v0.10.2
+
Source6: vncviewer.desktop
Source9: FindX11.cmake
Source11: http://fltk.org/pub/fltk/1.3.3/fltk-1.3.3-source.tar.gz
-Source12: http://downloads.sourceforge.net/project/libjpeg-turbo/1.3.0/libjpeg-turbo-1.3.0.tar.gz
+Source12: http://downloads.sourceforge.net/project/libjpeg-turbo/1.4.1/libjpeg-turbo-1.4.1.tar.gz
Source13: http://downloads.sourceforge.net/project/libpng/libpng15/older-releases/1.5.10/libpng-1.5.10.tar.bz2
Source14: https://ftp.gnu.org/gnu/gmp/gmp-6.0.0a.tar.bz2
-Source15: http://ftp.gnu.org/gnu/libtasn1/libtasn1-4.2.tar.gz
+Source15: http://ftp.gnu.org/gnu/libtasn1/libtasn1-4.5.tar.gz
Source16: https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
-Source17: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.13.tar.xz
+Source17: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.16.tar.xz
Source100: http://www.x.org/releases/X11R7.7/src/everything/bigreqsproto-1.1.2.tar.bz2
Source101: http://www.x.org/releases/X11R7.7/src/everything/compositeproto-0.4.2.tar.bz2
# NOTE:
Source205: https://github.com/dottedmag/libsha1/archive/0.3.tar.gz
-BuildRoot: %{_tmppath}/%{name}-%{version}%{?snap:-%{snap}}-%{release}-root-%(%{__id_u} -n)
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# xorg requires newer versions of automake, & autoconf than are available with el5. Use el6 versions.
BuildRequires: automake >= 1.11, autoconf >= 2.60, libtool >= 1.4, gettext >= 0.14.4, gettext-devel >= 0.14.4, bison-devel, python26
# https://release.debian.org/proposed-updates/stable_diffs/xorg-server_1.12.4-6+deb7u5.debdiff
Patch10000: 16_CVE-2014-mult.diff
Patch10001: 17_CVE-regressions.diff
+# http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
+Patch10002: CVE-2015-0255.diff
+# http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/
+Patch10003: CVE-2015-1802.diff
+Patch10004: CVE-2015-1803.diff
+Patch10005: CVE-2015-1804.diff
+# http://lists.x.org/archives/xorg-announce/2015-April/002561.html
+Patch10006: CVE-2013-7439.diff
%description
Virtual Network Computing (VNC) is a remote display system which
tar xjf %SOURCE111
tar xjf %SOURCE112
tar xjf %SOURCE113
+pushd libX11-*
+%patch10006 -p1 -b .CVE-2013-7439
+popd
tar xjf %SOURCE114
tar xjf %SOURCE115
tar xjf %SOURCE116
tar xjf %SOURCE121
tar xjf %SOURCE122
tar xjf %SOURCE123
+pushd libXfont-*
+%patch10003 -p1 -b .CVE-2015-1802
+%patch10004 -p1 -b .CVE-2015-1803
+%patch10005 -p1 -b .CVE-2015-1804
+popd
tar xjf %SOURCE124
tar xjf %SOURCE125
tar xjf %SOURCE126
pushd xorg-server-1*
%patch10000 -p1 -b .CVE-2014-mult
%patch10001 -p1 -b .CVE-regressions
+%patch10002 -p1 -b .CVE-2015-0255
for f in `find . -type f -perm -000`; do
chmod +r "$f"
done
%{_datadir}/icons/hicolor/*/apps/*
%changelog
+* Sun Aug 09 2015 Brian P. Hinz <bphinz@users.sourceforge.net> 1.5.80-7
+- Patch Xorg sources with latest relevant CVE patches.
+- Update libjpeg-turbo, gnutls, libtasn1 to latest upstream versions.
+
* Sat Mar 14 2015 Brian P. Hinz <bphinz@users.sourceforge.net> 1.4.80-6
- Build static libraries to meet new minimum requirements
projects / tigervnc.git / commitdiff