From 78f749dfadcc409d78dec93e9b8245a4eabd7b0e Mon Sep 17 00:00:00 2001 From: "Brian P. Hinz" Date: Sun, 9 Aug 2015 14:07:05 -0400 Subject: [PATCH] Apply recent Xorg CVE patches, update dependencies Added patches for the following upstream CVEs: 2013-7439, 2015-0255, 2015-1802, 2015-1803, 2015-1804. Also updated the versions of gnutls, libtasn1, and libjpeg-turbo used to build static libraries to their latest respective upstream versions. --- .../rpm/el5/SOURCES/CVE-2013-7439.diff | 80 ++++++ .../rpm/el5/SOURCES/CVE-2015-0255.diff | 240 ++++++++++++++++++ .../rpm/el5/SOURCES/CVE-2015-1802.diff | 30 +++ .../rpm/el5/SOURCES/CVE-2015-1803.diff | 33 +++ .../rpm/el5/SOURCES/CVE-2015-1804.diff | 73 ++++++ contrib/packages/rpm/el5/SPECS/tigervnc.spec | 31 ++- 6 files changed, 482 insertions(+), 5 deletions(-) create mode 100644 contrib/packages/rpm/el5/SOURCES/CVE-2013-7439.diff create mode 100644 contrib/packages/rpm/el5/SOURCES/CVE-2015-0255.diff create mode 100644 contrib/packages/rpm/el5/SOURCES/CVE-2015-1802.diff create mode 100644 contrib/packages/rpm/el5/SOURCES/CVE-2015-1803.diff create mode 100644 contrib/packages/rpm/el5/SOURCES/CVE-2015-1804.diff diff --git a/contrib/packages/rpm/el5/SOURCES/CVE-2013-7439.diff b/contrib/packages/rpm/el5/SOURCES/CVE-2013-7439.diff new file mode 100644 index 00000000..1037fa51 --- /dev/null +++ b/contrib/packages/rpm/el5/SOURCES/CVE-2013-7439.diff @@ -0,0 +1,80 @@ +From 39547d600a13713e15429f49768e54c3173c828d Mon Sep 17 00:00:00 2001 +From: Karl Tomlinson +Date: Mon, 18 Feb 2013 01:25:34 +0000 +Subject: MakeBigReq: don't move the last word, already handled by Data32 + +MakeBigReq inserts a length field after the first 4 bytes of the request +(after req->length), pushing everything else back by 4 bytes. + +The current memmove moves everything but the first 4 bytes back. +If a request aligns to the end of the buffer pointer when MakeBigReq is +invoked for that request, this runs over the buffer. +Instead, we need to memmove minus the first 4 bytes (which aren't moved), +minus the last 4 bytes (so we still align to the previous tail). + +The 4 bytes that fell out are already handled with Data32, which will +handle the buffermax correctly. + +The case where req->length = 1 was already not functional. + +Reported by Abhishek Arya . + +https://bugzilla.mozilla.org/show_bug.cgi?id=803762 + +Reviewed-by: Jeff Muizelaar +Reviewed-by: Peter Hutterer +Signed-off-by: Alan Coopersmith + +diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h +index 40965c4..06395b3 100644 +--- a/include/X11/Xlibint.h ++++ b/include/X11/Xlibint.h +@@ -486,6 +486,14 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len); + req = (xReq *) _XGetRequest(dpy, X_/**/name, SIZEOF(xReq)) + #endif + ++/* ++ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 ++ * length, after req->length, before the data in the request. The new length ++ * includes the "n" extra 32-bit words. ++ * ++ * Do not use MakeBigReq if there is no data already in the request. ++ * req->length must already be >= 2. ++ */ + #ifdef WORD64 + #define MakeBigReq(req,n) \ + { \ +@@ -493,7 +501,7 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len); + CARD32 _BRlen = req->length - 1; \ + req->length = 0; \ + _BRdat = ((CARD32 *)req)[_BRlen]; \ +- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ ++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ + ((CARD32 *)req)[1] = _BRlen + n + 2; \ + Data32(dpy, &_BRdat, 4); \ + } +@@ -504,13 +512,20 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len); + CARD32 _BRlen = req->length - 1; \ + req->length = 0; \ + _BRdat = ((CARD32 *)req)[_BRlen]; \ +- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ ++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ + ((CARD32 *)req)[1] = _BRlen + n + 2; \ + Data32(dpy, &_BRdat, 4); \ + } + #endif + #endif + ++/* ++ * SetReqLen increases the count of 32-bit words in the request by "n", ++ * or by "badlen" if "n" is too large. ++ * ++ * Do not use SetReqLen if "req" does not already have data after the ++ * xReq header. req->length must already be >= 2. ++ */ + #ifndef __clang_analyzer__ + #define SetReqLen(req,n,badlen) \ + if ((req->length + n) > (unsigned)65535) { \ +-- +cgit v0.10.2 + diff --git a/contrib/packages/rpm/el5/SOURCES/CVE-2015-0255.diff b/contrib/packages/rpm/el5/SOURCES/CVE-2015-0255.diff new file mode 100644 index 00000000..32e56812 --- /dev/null +++ b/contrib/packages/rpm/el5/SOURCES/CVE-2015-0255.diff @@ -0,0 +1,240 @@ +From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 16 Jan 2015 20:08:59 +0100 +Subject: xkb: Don't swap XkbSetGeometry data in the input buffer + +The XkbSetGeometry request embeds data which needs to be swapped when the +server and the client have different endianess. + +_XkbSetGeometry() invokes functions that swap these data directly in the +input buffer. + +However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once +(if there is more than one keyboard), thus causing on swapped clients the +same data to be swapped twice in memory, further causing a server crash +because the strings lengths on the second time are way off bounds. + +To allow _XkbSetGeometry() to run reliably more than once with swapped +clients, do not swap the data in the buffer, use variables instead. + +Signed-off-by: Olivier Fourdan +Signed-off-by: Peter Hutterer + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 15c7f34..b9a3ac4 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -4961,14 +4961,13 @@ static char * + _GetCountedString(char **wire_inout, Bool swap) + { + char *wire, *str; +- CARD16 len, *plen; ++ CARD16 len; + + wire = *wire_inout; +- plen = (CARD16 *) wire; ++ len = *(CARD16 *) wire; + if (swap) { +- swaps(plen); ++ swaps(&len); + } +- len = *plen; + str = malloc(len + 1); + if (str) { + memcpy(str, &wire[2], len); +@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout, + { + char *wire; + xkbDoodadWireDesc *dWire; ++ xkbAnyDoodadWireDesc any; ++ xkbTextDoodadWireDesc text; + XkbDoodadPtr doodad; + + dWire = (xkbDoodadWireDesc *) (*wire_inout); ++ any = dWire->any; + wire = (char *) &dWire[1]; + if (client->swapped) { +- swapl(&dWire->any.name); +- swaps(&dWire->any.top); +- swaps(&dWire->any.left); +- swaps(&dWire->any.angle); ++ swapl(&any.name); ++ swaps(&any.top); ++ swaps(&any.left); ++ swaps(&any.angle); + } + CHK_ATOM_ONLY(dWire->any.name); +- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name); ++ doodad = XkbAddGeomDoodad(geom, section, any.name); + if (!doodad) + return BadAlloc; + doodad->any.type = dWire->any.type; + doodad->any.priority = dWire->any.priority; +- doodad->any.top = dWire->any.top; +- doodad->any.left = dWire->any.left; +- doodad->any.angle = dWire->any.angle; ++ doodad->any.top = any.top; ++ doodad->any.left = any.left; ++ doodad->any.angle = any.angle; + switch (doodad->any.type) { + case XkbOutlineDoodad: + case XkbSolidDoodad: +@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout, + dWire->text.colorNdx); + return BadMatch; + } ++ text = dWire->text; + if (client->swapped) { +- swaps(&dWire->text.width); +- swaps(&dWire->text.height); ++ swaps(&text.width); ++ swaps(&text.height); + } +- doodad->text.width = dWire->text.width; +- doodad->text.height = dWire->text.height; ++ doodad->text.width = text.width; ++ doodad->text.height = text.height; + doodad->text.color_ndx = dWire->text.colorNdx; + doodad->text.text = _GetCountedString(&wire, client->swapped); + doodad->text.font = _GetCountedString(&wire, client->swapped); +-- +cgit v0.10.2 + +From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 16 Jan 2015 08:44:45 +0100 +Subject: xkb: Check strings length against request size + +Ensure that the given strings length in an XkbSetGeometry request remain +within the limits of the size of the request. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index b9a3ac4..f3988f9 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client) + + /***====================================================================***/ + +-static char * +-_GetCountedString(char **wire_inout, Bool swap) ++static Status ++_GetCountedString(char **wire_inout, ClientPtr client, char **str) + { +- char *wire, *str; ++ char *wire, *next; + CARD16 len; + + wire = *wire_inout; + len = *(CARD16 *) wire; +- if (swap) { ++ if (client->swapped) { + swaps(&len); + } +- str = malloc(len + 1); +- if (str) { +- memcpy(str, &wire[2], len); +- str[len] = '\0'; +- } +- wire += XkbPaddedSize(len + 2); +- *wire_inout = wire; +- return str; ++ next = wire + XkbPaddedSize(len + 2); ++ /* Check we're still within the size of the request */ ++ if (client->req_len < ++ bytes_to_int32(next - (char *) client->requestBuffer)) ++ return BadValue; ++ *str = malloc(len + 1); ++ if (!*str) ++ return BadAlloc; ++ memcpy(*str, &wire[2], len); ++ *(*str + len) = '\0'; ++ *wire_inout = next; ++ return Success; + } + + static Status +@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout, + xkbAnyDoodadWireDesc any; + xkbTextDoodadWireDesc text; + XkbDoodadPtr doodad; ++ Status status; + + dWire = (xkbDoodadWireDesc *) (*wire_inout); + any = dWire->any; +@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout, + doodad->text.width = text.width; + doodad->text.height = text.height; + doodad->text.color_ndx = dWire->text.colorNdx; +- doodad->text.text = _GetCountedString(&wire, client->swapped); +- doodad->text.font = _GetCountedString(&wire, client->swapped); ++ status = _GetCountedString(&wire, client, &doodad->text.text); ++ if (status != Success) ++ return status; ++ status = _GetCountedString(&wire, client, &doodad->text.font); ++ if (status != Success) { ++ free (doodad->text.text); ++ return status; ++ } + break; + case XkbIndicatorDoodad: + if (dWire->indicator.onColorNdx >= geom->num_colors) { +@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout, + } + doodad->logo.color_ndx = dWire->logo.colorNdx; + doodad->logo.shape_ndx = dWire->logo.shapeNdx; +- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped); ++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name); ++ if (status != Success) ++ return status; + break; + default: + client->errorValue = _XkbErrCode2(0x4F, dWire->any.type); +@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) + char *wire; + + wire = (char *) &req[1]; +- geom->label_font = _GetCountedString(&wire, client->swapped); ++ status = _GetCountedString(&wire, client, &geom->label_font); ++ if (status != Success) ++ return status; + + for (i = 0; i < req->nProperties; i++) { + char *name, *val; + +- name = _GetCountedString(&wire, client->swapped); +- if (!name) +- return BadAlloc; +- val = _GetCountedString(&wire, client->swapped); +- if (!val) { ++ status = _GetCountedString(&wire, client, &name); ++ if (status != Success) ++ return status; ++ status = _GetCountedString(&wire, client, &val); ++ if (status != Success) { + free(name); +- return BadAlloc; ++ return status; + } + if (XkbAddGeomProperty(geom, name, val) == NULL) { + free(name); +@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) + for (i = 0; i < req->nColors; i++) { + char *name; + +- name = _GetCountedString(&wire, client->swapped); +- if (!name) +- return BadAlloc; ++ status = _GetCountedString(&wire, client, &name); ++ if (status != Success) ++ return status; + if (!XkbAddGeomColor(geom, name, geom->num_colors)) { + free(name); + return BadAlloc; +-- +cgit v0.10.2 + diff --git a/contrib/packages/rpm/el5/SOURCES/CVE-2015-1802.diff b/contrib/packages/rpm/el5/SOURCES/CVE-2015-1802.diff new file mode 100644 index 00000000..1d873336 --- /dev/null +++ b/contrib/packages/rpm/el5/SOURCES/CVE-2015-1802.diff @@ -0,0 +1,30 @@ +From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Feb 2015 15:50:45 -0800 +Subject: bdfReadProperties: property count needs range check [CVE-2015-1802] + +Avoid integer overflow or underflow when allocating memory arrays +by multiplying the number of properties reported for a BDF font. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Julien Cristau + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 914a024..6387908 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) + bdfError("missing 'STARTPROPERTIES'\n"); + return (FALSE); + } +- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { ++ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || ++ (nProps <= 0) || ++ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { + bdfError("bad 'STARTPROPERTIES'\n"); + return (FALSE); + } +-- +cgit v0.10.2 + diff --git a/contrib/packages/rpm/el5/SOURCES/CVE-2015-1803.diff b/contrib/packages/rpm/el5/SOURCES/CVE-2015-1803.diff new file mode 100644 index 00000000..22d2d5b7 --- /dev/null +++ b/contrib/packages/rpm/el5/SOURCES/CVE-2015-1803.diff @@ -0,0 +1,33 @@ +From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Feb 2015 15:54:00 -0800 +Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read + [CVE-2015-1803] + +Previously would charge on ahead with a NULL pointer in ci->bits, and +then crash later in FontCharInkMetrics() trying to access the bits. + +Found with afl-1.23b. + +Signed-off-by: Alan Coopersmith +Reviewed-by: Julien Cristau + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 6387908..1b29b81 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + ci->metrics.descent = -bb; + ci->metrics.characterWidth = wx; + ci->bits = NULL; +- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); ++ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { ++ bdfError("could not read bitmap for character '%s'\n", charName); ++ goto BAILOUT; ++ } + ci++; + ndx++; + } else +-- +cgit v0.10.2 + diff --git a/contrib/packages/rpm/el5/SOURCES/CVE-2015-1804.diff b/contrib/packages/rpm/el5/SOURCES/CVE-2015-1804.diff new file mode 100644 index 00000000..dd8d5be4 --- /dev/null +++ b/contrib/packages/rpm/el5/SOURCES/CVE-2015-1804.diff @@ -0,0 +1,73 @@ +From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Mar 2015 22:54:58 -0800 +Subject: bdfReadCharacters: ensure metrics fit into xCharInfo struct + [CVE-2015-1804] + +We use 32-bit ints to read from the bdf file, but then try to stick +into a 16-bit int in the xCharInfo struct, so make sure they won't +overflow that range. + +Found by afl-1.24b. + +v2: Verify that additions won't overflow 32-bit int range either. +v3: As Julien correctly observes, the previous check for bh & bw not + being < 0 reduces the number of cases we need to check for overflow. + +Signed-off-by: Alan Coopersmith +Reviewed-by: Julien Cristau + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 1b29b81..a0ace8f 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -62,8 +62,16 @@ from The Open Group. + + #if HAVE_STDINT_H + #include +-#elif !defined(INT32_MAX) +-#define INT32_MAX 0x7fffffff ++#else ++# ifndef INT32_MAX ++# define INT32_MAX 0x7fffffff ++# endif ++# ifndef INT16_MAX ++# define INT16_MAX 0x7fff ++# endif ++# ifndef INT16_MIN ++# define INT16_MIN (0 - 0x8000) ++# endif + #endif + + #define INDICES 256 +@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + bdfError("DWIDTH y value must be zero\n"); + goto BAILOUT; + } ++ /* xCharInfo metrics are stored as INT16 */ ++ if ((wx < 0) || (wx > INT16_MAX)) { ++ bdfError("character '%s' has out of range width, %d\n", ++ charName, wx); ++ goto BAILOUT; ++ } + line = bdfGetLine(file, lineBuf, BDFLINELEN); + if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { + bdfError("bad 'BBX'\n"); +@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + charName, bw, bh); + goto BAILOUT; + } ++ /* xCharInfo metrics are read as int, but stored as INT16 */ ++ if ((bl > INT16_MAX) || (bl < INT16_MIN) || ++ (bb > INT16_MAX) || (bb < INT16_MIN) || ++ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { ++ bdfError("character '%s' has out of range metrics, %d %d %d %d\n", ++ charName, bl, (bl+bw), (bh+bb), -bb); ++ goto BAILOUT; ++ } + line = bdfGetLine(file, lineBuf, BDFLINELEN); + if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { + for (p = line + strlen("ATTRIBUTES "); +-- +cgit v0.10.2 + diff --git a/contrib/packages/rpm/el5/SPECS/tigervnc.spec b/contrib/packages/rpm/el5/SPECS/tigervnc.spec index a9adc247..94c2fcfc 100644 --- a/contrib/packages/rpm/el5/SPECS/tigervnc.spec +++ b/contrib/packages/rpm/el5/SPECS/tigervnc.spec @@ -5,7 +5,7 @@ Name: tigervnc Version: @VERSION@ -Release: 6%{?snap:.%{snap}}%{?dist} +Release: 7%{?snap:.%{snap}}%{?dist} Summary: A TigerVNC remote display system Group: User Interface/Desktops @@ -19,12 +19,12 @@ Source2: vncserver.sysconfig Source6: vncviewer.desktop Source9: FindX11.cmake Source11: http://fltk.org/pub/fltk/1.3.3/fltk-1.3.3-source.tar.gz -Source12: http://downloads.sourceforge.net/project/libjpeg-turbo/1.3.0/libjpeg-turbo-1.3.0.tar.gz +Source12: http://downloads.sourceforge.net/project/libjpeg-turbo/1.4.1/libjpeg-turbo-1.4.1.tar.gz Source13: http://downloads.sourceforge.net/project/libpng/libpng15/older-releases/1.5.10/libpng-1.5.10.tar.bz2 Source14: https://ftp.gnu.org/gnu/gmp/gmp-6.0.0a.tar.bz2 -Source15: http://ftp.gnu.org/gnu/libtasn1/libtasn1-4.2.tar.gz +Source15: http://ftp.gnu.org/gnu/libtasn1/libtasn1-4.5.tar.gz Source16: https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz -Source17: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.13.tar.xz +Source17: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.16.tar.xz Source100: http://www.x.org/releases/X11R7.7/src/everything/bigreqsproto-1.1.2.tar.bz2 Source101: http://www.x.org/releases/X11R7.7/src/everything/compositeproto-0.4.2.tar.bz2 @@ -105,7 +105,7 @@ Source204: ftp://ftp.freedesktop.org/pub/mesa/older-versions/9.x/9.2.5/MesaLib-9 # NOTE: Source205: https://github.com/dottedmag/libsha1/archive/0.3.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}%{?snap:-%{snap}}-%{release}-root-%(%{__id_u} -n) +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # xorg requires newer versions of automake, & autoconf than are available with el5. Use el6 versions. BuildRequires: automake >= 1.11, autoconf >= 2.60, libtool >= 1.4, gettext >= 0.14.4, gettext-devel >= 0.14.4, bison-devel, python26 @@ -183,6 +183,14 @@ Patch121: freetype-2.3.11-CVE-2012-5669.patch # https://release.debian.org/proposed-updates/stable_diffs/xorg-server_1.12.4-6+deb7u5.debdiff Patch10000: 16_CVE-2014-mult.diff Patch10001: 17_CVE-regressions.diff +# http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/ +Patch10002: CVE-2015-0255.diff +# http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/ +Patch10003: CVE-2015-1802.diff +Patch10004: CVE-2015-1803.diff +Patch10005: CVE-2015-1804.diff +# http://lists.x.org/archives/xorg-announce/2015-April/002561.html +Patch10006: CVE-2013-7439.diff %description Virtual Network Computing (VNC) is a remote display system which @@ -299,6 +307,9 @@ tar xjf %SOURCE110 tar xjf %SOURCE111 tar xjf %SOURCE112 tar xjf %SOURCE113 +pushd libX11-* +%patch10006 -p1 -b .CVE-2013-7439 +popd tar xjf %SOURCE114 tar xjf %SOURCE115 tar xjf %SOURCE116 @@ -309,6 +320,11 @@ tar xjf %SOURCE120 tar xjf %SOURCE121 tar xjf %SOURCE122 tar xjf %SOURCE123 +pushd libXfont-* +%patch10003 -p1 -b .CVE-2015-1802 +%patch10004 -p1 -b .CVE-2015-1803 +%patch10005 -p1 -b .CVE-2015-1804 +popd tar xjf %SOURCE124 tar xjf %SOURCE125 tar xjf %SOURCE126 @@ -391,6 +407,7 @@ tar xjf %SOURCE204 pushd xorg-server-1* %patch10000 -p1 -b .CVE-2014-mult %patch10001 -p1 -b .CVE-regressions +%patch10002 -p1 -b .CVE-2015-0255 for f in `find . -type f -perm -000`; do chmod +r "$f" done @@ -980,6 +997,10 @@ fi %{_datadir}/icons/hicolor/*/apps/* %changelog +* Sun Aug 09 2015 Brian P. Hinz 1.5.80-7 +- Patch Xorg sources with latest relevant CVE patches. +- Update libjpeg-turbo, gnutls, libtasn1 to latest upstream versions. + * Sat Mar 14 2015 Brian P. Hinz 1.4.80-6 - Build static libraries to meet new minimum requirements -- 2.39.5