Added patches for the following upstream CVEs: 2013-7439, 2015-0255, 2015-1802, 2015-1803, 2015-1804. Also updated the versions of gnutls, libtasn1, and libjpeg-turbo used to build static libraries to their latest respective upstream versions.tags/v1.5.90
@@ -0,0 +1,80 @@ | |||
From 39547d600a13713e15429f49768e54c3173c828d Mon Sep 17 00:00:00 2001 | |||
From: Karl Tomlinson <xmail@karlt.net> | |||
Date: Mon, 18 Feb 2013 01:25:34 +0000 | |||
Subject: MakeBigReq: don't move the last word, already handled by Data32 | |||
MakeBigReq inserts a length field after the first 4 bytes of the request | |||
(after req->length), pushing everything else back by 4 bytes. | |||
The current memmove moves everything but the first 4 bytes back. | |||
If a request aligns to the end of the buffer pointer when MakeBigReq is | |||
invoked for that request, this runs over the buffer. | |||
Instead, we need to memmove minus the first 4 bytes (which aren't moved), | |||
minus the last 4 bytes (so we still align to the previous tail). | |||
The 4 bytes that fell out are already handled with Data32, which will | |||
handle the buffermax correctly. | |||
The case where req->length = 1 was already not functional. | |||
Reported by Abhishek Arya <inferno@chromium.org>. | |||
https://bugzilla.mozilla.org/show_bug.cgi?id=803762 | |||
Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com> | |||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |||
diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h | |||
index 40965c4..06395b3 100644 | |||
--- a/include/X11/Xlibint.h | |||
+++ b/include/X11/Xlibint.h | |||
@@ -486,6 +486,14 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len); | |||
req = (xReq *) _XGetRequest(dpy, X_/**/name, SIZEOF(xReq)) | |||
#endif | |||
+/* | |||
+ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 | |||
+ * length, after req->length, before the data in the request. The new length | |||
+ * includes the "n" extra 32-bit words. | |||
+ * | |||
+ * Do not use MakeBigReq if there is no data already in the request. | |||
+ * req->length must already be >= 2. | |||
+ */ | |||
#ifdef WORD64 | |||
#define MakeBigReq(req,n) \ | |||
{ \ | |||
@@ -493,7 +501,7 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len); | |||
CARD32 _BRlen = req->length - 1; \ | |||
req->length = 0; \ | |||
_BRdat = ((CARD32 *)req)[_BRlen]; \ | |||
- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ | |||
+ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ | |||
((CARD32 *)req)[1] = _BRlen + n + 2; \ | |||
Data32(dpy, &_BRdat, 4); \ | |||
} | |||
@@ -504,13 +512,20 @@ extern void *_XGetRequest(Display *dpy, CARD8 type, size_t len); | |||
CARD32 _BRlen = req->length - 1; \ | |||
req->length = 0; \ | |||
_BRdat = ((CARD32 *)req)[_BRlen]; \ | |||
- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ | |||
+ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ | |||
((CARD32 *)req)[1] = _BRlen + n + 2; \ | |||
Data32(dpy, &_BRdat, 4); \ | |||
} | |||
#endif | |||
#endif | |||
+/* | |||
+ * SetReqLen increases the count of 32-bit words in the request by "n", | |||
+ * or by "badlen" if "n" is too large. | |||
+ * | |||
+ * Do not use SetReqLen if "req" does not already have data after the | |||
+ * xReq header. req->length must already be >= 2. | |||
+ */ | |||
#ifndef __clang_analyzer__ | |||
#define SetReqLen(req,n,badlen) \ | |||
if ((req->length + n) > (unsigned)65535) { \ | |||
-- | |||
cgit v0.10.2 | |||
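Review bot: The new move length `(_BRlen - 1) << 2` in both MakeBigReq variants is only safe when `req->length >= 2`, and that precondition is enforced by nothing but the added comment. `_BRlen` is declared `CARD32`, so with `req->length == 1` the expression `_BRlen - 1` would presumably wrap to a very large unsigned count instead of zero, turning a caller mistake into an oversized memmove. A cheap guard at the top of the macro body, for example `if (req->length < 2) abort();` or a debug assertion (whichever Xlibint.h can afford), would make a violated precondition fail visibly. The patch is an upstream libX11 commit and the macro bodies start outside the hunks shown, so a change like this belongs upstream rather than in this packaging copy.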
@@ -0,0 +1,240 @@ | |||
From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001 | |||
From: Olivier Fourdan <ofourdan@redhat.com> | |||
Date: Fri, 16 Jan 2015 20:08:59 +0100 | |||
Subject: xkb: Don't swap XkbSetGeometry data in the input buffer | |||
The XkbSetGeometry request embeds data which needs to be swapped when the | |||
server and the client have different endianess. | |||
_XkbSetGeometry() invokes functions that swap these data directly in the | |||
input buffer. | |||
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once | |||
(if there is more than one keyboard), thus causing on swapped clients the | |||
same data to be swapped twice in memory, further causing a server crash | |||
because the strings lengths on the second time are way off bounds. | |||
To allow _XkbSetGeometry() to run reliably more than once with swapped | |||
clients, do not swap the data in the buffer, use variables instead. | |||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | |||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | |||
diff --git a/xkb/xkb.c b/xkb/xkb.c | |||
index 15c7f34..b9a3ac4 100644 | |||
--- a/xkb/xkb.c | |||
+++ b/xkb/xkb.c | |||
@@ -4961,14 +4961,13 @@ static char * | |||
_GetCountedString(char **wire_inout, Bool swap) | |||
{ | |||
char *wire, *str; | |||
- CARD16 len, *plen; | |||
+ CARD16 len; | |||
wire = *wire_inout; | |||
- plen = (CARD16 *) wire; | |||
+ len = *(CARD16 *) wire; | |||
if (swap) { | |||
- swaps(plen); | |||
+ swaps(&len); | |||
} | |||
- len = *plen; | |||
str = malloc(len + 1); | |||
if (str) { | |||
memcpy(str, &wire[2], len); | |||
@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout, | |||
{ | |||
char *wire; | |||
xkbDoodadWireDesc *dWire; | |||
+ xkbAnyDoodadWireDesc any; | |||
+ xkbTextDoodadWireDesc text; | |||
XkbDoodadPtr doodad; | |||
dWire = (xkbDoodadWireDesc *) (*wire_inout); | |||
+ any = dWire->any; | |||
wire = (char *) &dWire[1]; | |||
if (client->swapped) { | |||
- swapl(&dWire->any.name); | |||
- swaps(&dWire->any.top); | |||
- swaps(&dWire->any.left); | |||
- swaps(&dWire->any.angle); | |||
+ swapl(&any.name); | |||
+ swaps(&any.top); | |||
+ swaps(&any.left); | |||
+ swaps(&any.angle); | |||
} | |||
CHK_ATOM_ONLY(dWire->any.name); | |||
- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name); | |||
+ doodad = XkbAddGeomDoodad(geom, section, any.name); | |||
if (!doodad) | |||
return BadAlloc; | |||
doodad->any.type = dWire->any.type; | |||
doodad->any.priority = dWire->any.priority; | |||
- doodad->any.top = dWire->any.top; | |||
- doodad->any.left = dWire->any.left; | |||
- doodad->any.angle = dWire->any.angle; | |||
+ doodad->any.top = any.top; | |||
+ doodad->any.left = any.left; | |||
+ doodad->any.angle = any.angle; | |||
switch (doodad->any.type) { | |||
case XkbOutlineDoodad: | |||
case XkbSolidDoodad: | |||
@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout, | |||
dWire->text.colorNdx); | |||
return BadMatch; | |||
} | |||
+ text = dWire->text; | |||
if (client->swapped) { | |||
- swaps(&dWire->text.width); | |||
- swaps(&dWire->text.height); | |||
+ swaps(&text.width); | |||
+ swaps(&text.height); | |||
} | |||
- doodad->text.width = dWire->text.width; | |||
- doodad->text.height = dWire->text.height; | |||
+ doodad->text.width = text.width; | |||
+ doodad->text.height = text.height; | |||
doodad->text.color_ndx = dWire->text.colorNdx; | |||
doodad->text.text = _GetCountedString(&wire, client->swapped); | |||
doodad->text.font = _GetCountedString(&wire, client->swapped); | |||
-- | |||
cgit v0.10.2 | |||
From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001 | |||
From: Olivier Fourdan <ofourdan@redhat.com> | |||
Date: Fri, 16 Jan 2015 08:44:45 +0100 | |||
Subject: xkb: Check strings length against request size | |||
Ensure that the given strings length in an XkbSetGeometry request remain | |||
within the limits of the size of the request. | |||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | |||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | |||
diff --git a/xkb/xkb.c b/xkb/xkb.c | |||
index b9a3ac4..f3988f9 100644 | |||
--- a/xkb/xkb.c | |||
+++ b/xkb/xkb.c | |||
@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client) | |||
/***====================================================================***/ | |||
-static char * | |||
-_GetCountedString(char **wire_inout, Bool swap) | |||
+static Status | |||
+_GetCountedString(char **wire_inout, ClientPtr client, char **str) | |||
{ | |||
- char *wire, *str; | |||
+ char *wire, *next; | |||
CARD16 len; | |||
wire = *wire_inout; | |||
len = *(CARD16 *) wire; | |||
- if (swap) { | |||
+ if (client->swapped) { | |||
swaps(&len); | |||
} | |||
- str = malloc(len + 1); | |||
- if (str) { | |||
- memcpy(str, &wire[2], len); | |||
- str[len] = '\0'; | |||
- } | |||
- wire += XkbPaddedSize(len + 2); | |||
- *wire_inout = wire; | |||
- return str; | |||
+ next = wire + XkbPaddedSize(len + 2); | |||
+ /* Check we're still within the size of the request */ | |||
+ if (client->req_len < | |||
+ bytes_to_int32(next - (char *) client->requestBuffer)) | |||
+ return BadValue; | |||
+ *str = malloc(len + 1); | |||
+ if (!*str) | |||
+ return BadAlloc; | |||
+ memcpy(*str, &wire[2], len); | |||
+ *(*str + len) = '\0'; | |||
+ *wire_inout = next; | |||
+ return Success; | |||
} | |||
static Status | |||
@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout, | |||
xkbAnyDoodadWireDesc any; | |||
xkbTextDoodadWireDesc text; | |||
XkbDoodadPtr doodad; | |||
+ Status status; | |||
dWire = (xkbDoodadWireDesc *) (*wire_inout); | |||
any = dWire->any; | |||
@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout, | |||
doodad->text.width = text.width; | |||
doodad->text.height = text.height; | |||
doodad->text.color_ndx = dWire->text.colorNdx; | |||
- doodad->text.text = _GetCountedString(&wire, client->swapped); | |||
- doodad->text.font = _GetCountedString(&wire, client->swapped); | |||
+ status = _GetCountedString(&wire, client, &doodad->text.text); | |||
+ if (status != Success) | |||
+ return status; | |||
+ status = _GetCountedString(&wire, client, &doodad->text.font); | |||
+ if (status != Success) { | |||
+ free (doodad->text.text); | |||
+ return status; | |||
+ } | |||
break; | |||
case XkbIndicatorDoodad: | |||
if (dWire->indicator.onColorNdx >= geom->num_colors) { | |||
@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout, | |||
} | |||
doodad->logo.color_ndx = dWire->logo.colorNdx; | |||
doodad->logo.shape_ndx = dWire->logo.shapeNdx; | |||
- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped); | |||
+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name); | |||
+ if (status != Success) | |||
+ return status; | |||
break; | |||
default: | |||
client->errorValue = _XkbErrCode2(0x4F, dWire->any.type); | |||
@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) | |||
char *wire; | |||
wire = (char *) &req[1]; | |||
- geom->label_font = _GetCountedString(&wire, client->swapped); | |||
+ status = _GetCountedString(&wire, client, &geom->label_font); | |||
+ if (status != Success) | |||
+ return status; | |||
for (i = 0; i < req->nProperties; i++) { | |||
char *name, *val; | |||
- name = _GetCountedString(&wire, client->swapped); | |||
- if (!name) | |||
- return BadAlloc; | |||
- val = _GetCountedString(&wire, client->swapped); | |||
- if (!val) { | |||
+ status = _GetCountedString(&wire, client, &name); | |||
+ if (status != Success) | |||
+ return status; | |||
+ status = _GetCountedString(&wire, client, &val); | |||
+ if (status != Success) { | |||
free(name); | |||
- return BadAlloc; | |||
+ return status; | |||
} | |||
if (XkbAddGeomProperty(geom, name, val) == NULL) { | |||
free(name); | |||
@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) | |||
for (i = 0; i < req->nColors; i++) { | |||
char *name; | |||
- name = _GetCountedString(&wire, client->swapped); | |||
- if (!name) | |||
- return BadAlloc; | |||
+ status = _GetCountedString(&wire, client, &name); | |||
+ if (status != Success) | |||
+ return status; | |||
if (!XkbAddGeomColor(geom, name, geom->num_colors)) { | |||
free(name); | |||
return BadAlloc; | |||
-- | |||
cgit v0.10.2 | |||
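Review bot: In `_CheckSetDoodad` the atom check still reads the unswapped wire field, `CHK_ATOM_ONLY(dWire->any.name);`, while the value passed to `XkbAddGeomDoodad` on the next line is the local copy `any.name`. Before the first patch the swap was done in place, so both expressions named the same value; now, for a byte-swapped client, the check validates the raw wire bytes and the swapped atom that is actually used goes unchecked. The line should presumably read `CHK_ATOM_ONLY(any.name);`. Separately, in the second patch the error path `free (doodad->text.text); return status;` leaves the freed pointer inside a doodad that was already added to `geom`; adding `doodad->text.text = NULL;` after the free would be safer if the caller tears the geometry down on error, which is not visible in these hunks.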
@@ -0,0 +1,30 @@ | |||
From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001 | |||
From: Alan Coopersmith <alan.coopersmith@oracle.com> | |||
Date: Fri, 6 Feb 2015 15:50:45 -0800 | |||
Subject: bdfReadProperties: property count needs range check [CVE-2015-1802] | |||
Avoid integer overflow or underflow when allocating memory arrays | |||
by multiplying the number of properties reported for a BDF font. | |||
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |||
Reviewed-by: Julien Cristau <jcristau@debian.org> | |||
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c | |||
index 914a024..6387908 100644 | |||
--- a/src/bitmap/bdfread.c | |||
+++ b/src/bitmap/bdfread.c | |||
@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) | |||
bdfError("missing 'STARTPROPERTIES'\n"); | |||
return (FALSE); | |||
} | |||
- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { | |||
+ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || | |||
+ (nProps <= 0) || | |||
+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { | |||
bdfError("bad 'STARTPROPERTIES'\n"); | |||
return (FALSE); | |||
} | |||
-- | |||
cgit v0.10.2 | |||
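Review bot: The upper-bound test on `nProps` compares a signed `int` with an expression that is unsigned because of `sizeof`, so it is correct only because `(nProps <= 0)` is evaluated first and short-circuits. A one-line comment above the condition, such as `/* nProps is known positive here; the next comparison is done in unsigned arithmetic */`, would keep a later reordering from silently reopening the overflow. The allocations this bound protects are outside the hunk, so whether `INT32_MAX / sizeof(FontPropRec) - BDF_GENPROPS` matches every multiplication in bdfReadProperties cannot be confirmed from this page.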
@@ -0,0 +1,33 @@ | |||
From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001 | |||
From: Alan Coopersmith <alan.coopersmith@oracle.com> | |||
Date: Fri, 6 Feb 2015 15:54:00 -0800 | |||
Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read | |||
[CVE-2015-1803] | |||
Previously would charge on ahead with a NULL pointer in ci->bits, and | |||
then crash later in FontCharInkMetrics() trying to access the bits. | |||
Found with afl-1.23b. | |||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |||
Reviewed-by: Julien Cristau <jcristau@debian.org> | |||
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c | |||
index 6387908..1b29b81 100644 | |||
--- a/src/bitmap/bdfread.c | |||
+++ b/src/bitmap/bdfread.c | |||
@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, | |||
ci->metrics.descent = -bb; | |||
ci->metrics.characterWidth = wx; | |||
ci->bits = NULL; | |||
- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); | |||
+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { | |||
+ bdfError("could not read bitmap for character '%s'\n", charName); | |||
+ goto BAILOUT; | |||
+ } | |||
ci++; | |||
ndx++; | |||
} else | |||
-- | |||
cgit v0.10.2 | |||
@@ -0,0 +1,73 @@ | |||
From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001 | |||
From: Alan Coopersmith <alan.coopersmith@oracle.com> | |||
Date: Fri, 6 Mar 2015 22:54:58 -0800 | |||
Subject: bdfReadCharacters: ensure metrics fit into xCharInfo struct | |||
[CVE-2015-1804] | |||
We use 32-bit ints to read from the bdf file, but then try to stick | |||
into a 16-bit int in the xCharInfo struct, so make sure they won't | |||
overflow that range. | |||
Found by afl-1.24b. | |||
v2: Verify that additions won't overflow 32-bit int range either. | |||
v3: As Julien correctly observes, the previous check for bh & bw not | |||
being < 0 reduces the number of cases we need to check for overflow. | |||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |||
Reviewed-by: Julien Cristau <jcristau@debian.org> | |||
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c | |||
index 1b29b81..a0ace8f 100644 | |||
--- a/src/bitmap/bdfread.c | |||
+++ b/src/bitmap/bdfread.c | |||
@@ -62,8 +62,16 @@ from The Open Group. | |||
#if HAVE_STDINT_H | |||
#include <stdint.h> | |||
-#elif !defined(INT32_MAX) | |||
-#define INT32_MAX 0x7fffffff | |||
+#else | |||
+# ifndef INT32_MAX | |||
+# define INT32_MAX 0x7fffffff | |||
+# endif | |||
+# ifndef INT16_MAX | |||
+# define INT16_MAX 0x7fff | |||
+# endif | |||
+# ifndef INT16_MIN | |||
+# define INT16_MIN (0 - 0x8000) | |||
+# endif | |||
#endif | |||
#define INDICES 256 | |||
@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, | |||
bdfError("DWIDTH y value must be zero\n"); | |||
goto BAILOUT; | |||
} | |||
+ /* xCharInfo metrics are stored as INT16 */ | |||
+ if ((wx < 0) || (wx > INT16_MAX)) { | |||
+ bdfError("character '%s' has out of range width, %d\n", | |||
+ charName, wx); | |||
+ goto BAILOUT; | |||
+ } | |||
line = bdfGetLine(file, lineBuf, BDFLINELEN); | |||
if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { | |||
bdfError("bad 'BBX'\n"); | |||
@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, | |||
charName, bw, bh); | |||
goto BAILOUT; | |||
} | |||
+ /* xCharInfo metrics are read as int, but stored as INT16 */ | |||
+ if ((bl > INT16_MAX) || (bl < INT16_MIN) || | |||
+ (bb > INT16_MAX) || (bb < INT16_MIN) || | |||
+ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { | |||
+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n", | |||
+ charName, bl, (bl+bw), (bh+bb), -bb); | |||
+ goto BAILOUT; | |||
+ } | |||
line = bdfGetLine(file, lineBuf, BDFLINELEN); | |||
if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { | |||
for (p = line + strlen("ATTRIBUTES "); | |||
-- | |||
cgit v0.10.2 | |||
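Review bot: The range check on `bb` admits `bb == INT16_MIN`, but the descent is stored as `-bb`, and the resulting 32768 does not fit in an INT16. The new error message prints `-bb` as the fourth metric, and `ci->metrics.descent = -bb;` is visible in the context lines of the CVE-2015-1803 patch. Tightening the lower bound to `(bb > INT16_MAX) || (bb < -INT16_MAX) ||` would close that single value. The other stored sums look covered, given the earlier rejection of negative `bw` and `bh` that the commit message refers to. bdfReadCharacters starts and ends outside these hunks.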
@@ -19,12 +19,12 @@ Source2: vncserver.sysconfig | |||
Source6: vncviewer.desktop | |||
Source9: FindX11.cmake | |||
Source11: http://fltk.org/pub/fltk/1.3.3/fltk-1.3.3-source.tar.gz | |||
Source12: http://downloads.sourceforge.net/project/libjpeg-turbo/1.3.0/libjpeg-turbo-1.3.0.tar.gz | |||
Source12: http://downloads.sourceforge.net/project/libjpeg-turbo/1.4.1/libjpeg-turbo-1.4.1.tar.gz | |||
Source13: http://downloads.sourceforge.net/project/libpng/libpng15/older-releases/1.5.10/libpng-1.5.10.tar.bz2 | |||
Source14: https://ftp.gnu.org/gnu/gmp/gmp-6.0.0a.tar.bz2 | |||
Source15: http://ftp.gnu.org/gnu/libtasn1/libtasn1-4.2.tar.gz | |||
Source15: http://ftp.gnu.org/gnu/libtasn1/libtasn1-4.5.tar.gz | |||
Source16: https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz | |||
Source17: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.13.tar.xz | |||
Source17: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.16.tar.xz | |||
Source100: http://www.x.org/releases/X11R7.7/src/everything/bigreqsproto-1.1.2.tar.bz2 | |||
Source101: http://www.x.org/releases/X11R7.7/src/everything/compositeproto-0.4.2.tar.bz2 | |||
@@ -105,7 +105,7 @@ Source204: ftp://ftp.freedesktop.org/pub/mesa/older-versions/9.x/9.2.5/MesaLib-9 | |||
# NOTE: | |||
Source205: https://github.com/dottedmag/libsha1/archive/0.3.tar.gz | |||
BuildRoot: %{_tmppath}/%{name}-%{version}%{?snap:-%{snap}}-%{release}-root-%(%{__id_u} -n) | |||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) | |||
# xorg requires newer versions of automake, & autoconf than are available with el5. Use el6 versions. | |||
BuildRequires: automake >= 1.11, autoconf >= 2.60, libtool >= 1.4, gettext >= 0.14.4, gettext-devel >= 0.14.4, bison-devel, python26 | |||
@@ -183,6 +183,14 @@ Patch121: freetype-2.3.11-CVE-2012-5669.patch | |||
# https://release.debian.org/proposed-updates/stable_diffs/xorg-server_1.12.4-6+deb7u5.debdiff | |||
Patch10000: 16_CVE-2014-mult.diff | |||
Patch10001: 17_CVE-regressions.diff | |||
# http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/ | |||
Patch10002: CVE-2015-0255.diff | |||
# http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/ | |||
Patch10003: CVE-2015-1802.diff | |||
Patch10004: CVE-2015-1803.diff | |||
Patch10005: CVE-2015-1804.diff | |||
# http://lists.x.org/archives/xorg-announce/2015-April/002561.html | |||
Patch10006: CVE-2013-7439.diff | |||
%description | |||
Virtual Network Computing (VNC) is a remote display system which | |||
@@ -299,6 +307,9 @@ tar xjf %SOURCE110 | |||
tar xjf %SOURCE111 | |||
tar xjf %SOURCE112 | |||
tar xjf %SOURCE113 | |||
pushd libX11-* | |||
%patch10006 -p1 -b .CVE-2013-7439 | |||
popd | |||
tar xjf %SOURCE114 | |||
tar xjf %SOURCE115 | |||
tar xjf %SOURCE116 | |||
@@ -309,6 +320,11 @@ tar xjf %SOURCE120 | |||
tar xjf %SOURCE121 | |||
tar xjf %SOURCE122 | |||
tar xjf %SOURCE123 | |||
pushd libXfont-* | |||
%patch10003 -p1 -b .CVE-2015-1802 | |||
%patch10004 -p1 -b .CVE-2015-1803 | |||
%patch10005 -p1 -b .CVE-2015-1804 | |||
popd | |||
tar xjf %SOURCE124 | |||
tar xjf %SOURCE125 | |||
tar xjf %SOURCE126 | |||
@@ -391,6 +407,7 @@ tar xjf %SOURCE204 | |||
pushd xorg-server-1* | |||
%patch10000 -p1 -b .CVE-2014-mult | |||
%patch10001 -p1 -b .CVE-regressions | |||
%patch10002 -p1 -b .CVE-2015-0255 | |||
for f in `find . -type f -perm -000`; do | |||
chmod +r "$f" | |||
done | |||
@@ -980,6 +997,10 @@ fi | |||
%{_datadir}/icons/hicolor/*/apps/* | |||
%changelog | |||
* Sun Aug 09 2015 Brian P. Hinz <bphinz@users.sourceforge.net> 1.5.80-7 | |||
- Patch Xorg sources with latest relevant CVE patches. | |||
- Update libjpeg-turbo, gnutls, libtasn1 to latest upstream versions. | |||
* Sat Mar 14 2015 Brian P. Hinz <bphinz@users.sourceforge.net> 1.4.80-6 | |||
- Build static libraries to meet new minimum requirements | |||
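Review bot: The bumped tarballs for libtasn1 (`Source15`) and gnutls (`Source17`) are referenced over `http://` and `ftp://`, and no checksum or signature check is visible in this section, so the crypto libraries that get linked statically are not authenticated when the sources are downloaded. `Source14` and `Source16` already use `https://ftp.gnu.org`, so `Source15: https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.5.tar.gz` would at least be consistent with them. Verifying the upstream signature files or pinning digests for every `Source` entry would cover the remaining plaintext URLs; whether that happens elsewhere in the build cannot be seen from this page.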