packages/libX11
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!12 update to libX11-1.7.0

Browse Source 
From: @shirely16
Reviewed-by: @orange-snn
Signed-off-by: @orange-snn
This commit is contained in:
openeuler-ci-bot 2021-01-29 20:59:15 +08:00 committed by Gitee
commit f85b532733
5 changed files with 8 additions and 334 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

302
CVE-2020-14344.patch
View File

@ -1,302 +0,0 @@
From 9d1ac6f7ddbaa6036d999a2eccd7caaf92d0ea36 Mon Sep 17 00:00:00 2001
Date: Tue, 8 Sep 2020 17:32:53 +0800
Subject: [PATCH] fix CVE-2020-14344
---
modules/im/ximcp/imDefIc.c | 6 +++--
modules/im/ximcp/imDefIm.c | 25 +++++++++++------
modules/im/ximcp/imRmAttr.c | 53 +++++++++++++++++++++++--------------
3 files changed, 54 insertions(+), 30 deletions(-)
diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c
index 7564dba..cf4b8fc 100644
--- a/modules/im/ximcp/imDefIc.c
+++ b/modules/im/ximcp/imDefIc.c
@@ -350,7 +350,7 @@ _XimProtoGetICValues(
+ sizeof(INT16)
+ XIM_PAD(2 + buf_size);
- if (!(buf = Xmalloc(buf_size)))
+ if (!(buf = Xcalloc(buf_size, 1)))
return arg->name;
buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
@@ -708,6 +708,7 @@ _XimProtoSetICValues(
#endif /* XIM_CONNECTABLE */
_XimGetCurrentICValues(ic, &ic_values);
+ memset(tmp_buf, 0, sizeof(tmp_buf32));
buf = tmp_buf;
buf_size = XIM_HEADER_SIZE
+ sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
@@ -730,7 +731,7 @@ _XimProtoSetICValues(
buf_size += ret_len;
if (buf == tmp_buf) {
- if (!(tmp = Xmalloc(buf_size + data_len))) {
+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
return tmp_name;
}
memcpy(tmp, buf, buf_size);
@@ -740,6 +741,7 @@ _XimProtoSetICValues(
Xfree(buf);
return tmp_name;
}
+ memset(&tmp[buf_size], 0, data_len);
buf = tmp;
}
}
diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
index cf922e4..bd43513 100644
--- a/modules/im/ximcp/imDefIm.c
+++ b/modules/im/ximcp/imDefIm.c
@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
#include "XimTrInt.h"
#include "Ximint.h"
+#include <limits.h>
int
_XimCheckDataSize(
@@ -807,12 +808,16 @@ _XimOpen(
int buf_size;
int ret_code;
char *locale_name;
+ size_t locale_len;
locale_name = im->private.proto.locale_name;
- len = strlen(locale_name);
- buf_b[0] = (BYTE)len; /* length of locale name */
- (void)strcpy((char *)&buf_b[1], locale_name); /* locale name */
- len += sizeof(BYTE); /* sizeof length */
+ locale_len = strlen(locale_name);
+ if (locale_len > UCHAR_MAX)
+ return False;
+ memset(buf32, 0, sizeof(buf32));
+ buf_b[0] = (BYTE)locale_len; /* length of locale name */
+ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */
+ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */
XIM_SET_PAD(buf_b, len); /* pad */
_XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(
#endif /* XIM_CONNECTABLE */
_XimGetCurrentIMValues(im, &im_values);
+ memset(tmp_buf, 0, sizeof(tmp_buf32));
buf = tmp_buf;
buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
data_len = BUFSIZE - buf_size;
@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(
buf_size += ret_len;
if (buf == tmp_buf) {
- if (!(tmp = Xmalloc(buf_size + data_len))) {
+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
return arg->name;
}
memcpy(tmp, buf, buf_size);
@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(
Xfree(buf);
return arg->name;
}
+ memset(&tmp[buf_size], 0, data_len);
buf = tmp;
}
}
@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(
+ sizeof(INT16)
+ XIM_PAD(buf_size);
- if (!(buf = Xmalloc(buf_size)))
+ if (!(buf = Xcalloc(buf_size, 1)))
return arg->name;
buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(
+ sizeof(CARD16)
+ detail_len;
- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
+ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
goto free_detail_ptr;
buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(
int ret_code;
_XimGetCurrentIMValues(im, &im_values);
+ memset(tmp_buf, 0, sizeof(tmp_buf32));
buf = tmp_buf;
buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
data_len = BUFSIZE - buf_size;
@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(
buf_size += ret_len;
if (buf == tmp_buf) {
- if (!(tmp = Xmalloc(buf_size + data_len))) {
+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
return False;
}
memcpy(tmp, buf, buf_size);
@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(
Xfree(buf);
return False;
}
+ memset(&tmp[buf_size], 0, data_len);
buf = tmp;
}
}
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index 9d4e462..cf491ea 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -29,6 +29,7 @@ PERFORMANCE OF THIS SOFTWARE.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include "Xlibint.h"
#include "Xlcint.h"
#include "Ximint.h"
@@ -214,7 +215,7 @@ _XimAttributeToValue(
Xic ic,
XIMResourceList res,
CARD16 *data,
- INT16 data_len,
+ CARD16 data_len,
XPointer value,
BITMASK32 mode)
{
@@ -250,18 +251,23 @@ _XimAttributeToValue(
case XimType_XIMStyles:
{
- INT16 num = data[0];
+ CARD16 num = data[0];
register CARD32 *style_list = (CARD32 *)&data[2];
XIMStyle *style;
XIMStyles *rep;
register int i;
char *p;
- int alloc_len;
+ unsigned int alloc_len;
if (!(value))
return False;
-
+ if (num > (USHRT_MAX / sizeof(XIMStyle)))
+ return False;
+ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
+ return False;
alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
+ if (alloc_len < sizeof(XIMStyles))
+ return False;
if (!(p = Xmalloc(alloc_len)))
return False;
@@ -313,7 +319,7 @@ _XimAttributeToValue(
case XimType_XFontSet:
{
- INT16 len = data[0];
+ CARD16 len = data[0];
char *base_name;
XFontSet rep = (XFontSet)NULL;
char **missing_list = NULL;
@@ -324,11 +330,12 @@ _XimAttributeToValue(
return False;
if (!ic)
return False;
-
+ if (len > data_len)
+ return False;
if (!(base_name = Xmalloc(len + 1)))
return False;
- (void)strncpy(base_name, (char *)&data[1], (int)len);
+ (void)strncpy(base_name, (char *)&data[1], (size_t)len);
base_name[len] = '\0';
if (mode & XIM_PREEDIT_ATTR) {
@@ -357,19 +364,24 @@ _XimAttributeToValue(
case XimType_XIMHotKeyTriggers:
{
- INT32 num = *((CARD32 *)data);
+ CARD32 num = *((CARD32 *)data);
register CARD32 *key_list = (CARD32 *)&data[2];
XIMHotKeyTrigger *key;
XIMHotKeyTriggers *rep;
register int i;
char *p;
- int alloc_len;
+ unsigned int alloc_len;
if (!(value))
return False;
-
+ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
+ return False;
+ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
+ return False;
alloc_len = sizeof(XIMHotKeyTriggers)
+ sizeof(XIMHotKeyTrigger) * num;
+ if (alloc_len < sizeof(XIMHotKeyTriggers))
+ return False;
if (!(p = Xmalloc(alloc_len)))
return False;
@@ -1378,13 +1390,13 @@ _XimEncodeSavedICATTRIBUTE(
static unsigned int
_XimCountNumberOfAttr(
- INT16 total,
- CARD16 *attr,
- int *names_len)
+ CARD16 total,
+ CARD16 *attr,
+ unsigned int *names_len)
{
unsigned int n;
- INT16 len;
- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ CARD16 len;
+ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ sizeof(CARD16) /* sizeof type of value */
+ sizeof(INT16); /* sizeof length of attribute */
@@ -1392,6 +1404,9 @@ _XimCountNumberOfAttr(
*names_len = 0;
while (total > min_len) {
len = attr[2];
+ if (len >= (total - min_len)) {
+ return 0;
+ }
*names_len += (len + 1);
len += (min_len + XIM_PAD(len + 2));
total -= len;
@@ -1406,17 +1421,15 @@ _XimGetAttributeID(
Xim im,
CARD16 *buf)
{
- unsigned int n;
+ unsigned int n, names_len, values_len;
XIMResourceList res;
char *names;
- int names_len;
XPointer tmp;
XIMValuesList *values_list;
char **values;
- int values_len;
register int i;
- INT16 len;
- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ CARD16 len;
+ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ sizeof(CARD16) /* sizeof type of value */
+ sizeof(INT16); /* sizeof length of attr */
/*
--
2.23.0

28
CVE-2020-14363.patch
View File

@ -1,28 +0,0 @@
From acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Thu, 13 Aug 2020 18:02:58 +0200
Subject: [PATCH] Fix an integer overflow in init_om()
CVE-2020-14363
This can lead to a double free later, as reported by Jayden Rivers.
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
modules/om/generic/omGeneric.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
index c44acb88..406cec93 100644
--- a/modules/om/generic/omGeneric.c
+++ b/modules/om/generic/omGeneric.c
@@ -1908,7 +1908,8 @@ init_om(
char **required_list;
XOrientation *orientation;
char **value, buf[BUFSIZ], *bufptr;
- int count = 0, num = 0, length = 0;
+ int count = 0, num = 0;
+ unsigned int length = 0;
_XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
--
GitLab

BIN
libX11-1.6.9.tar.bz2
View File

Binary file not shown.

BIN
libX11-1.7.0.tar.bz2 Normal file
View File

Binary file not shown.

12
libX11.spec
View File

@ -1,14 +1,12 @@
Name: libX11 Name: libX11
Version: 1.6.9 Version: 1.7.0
Release: 4 Release: 1
Summary: Core X11 protocol client library Summary: Core X11 protocol client library
License: MIT License: MIT
URL: http://www.x.org URL: http://www.x.org
Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2 Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2
Patch1: dont-forward-keycode-0.patch Patch1: dont-forward-keycode-0.patch
Patch2: CVE-2020-14344.patch
Patch3: CVE-2020-14363.patch
BuildRequires: xorg-x11-util-macros >= 1.11 xorg-x11-proto-devel perl-Pod-Usage libXau-devel BuildRequires: xorg-x11-util-macros >= 1.11 xorg-x11-proto-devel perl-Pod-Usage libXau-devel
BuildRequires: libxcb-devel >= 1.2 libXdmcp-devel xorg-x11-xtrans-devel >= 1.0.3-4 BuildRequires: libxcb-devel >= 1.2 libXdmcp-devel xorg-x11-xtrans-devel >= 1.0.3-4
@ -75,6 +73,12 @@ make %{?_smp_mflags} check
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Thu Jan 28 2021 hanhui <hanhui15@huawei.com> - 1.7.0-1
- Type: enhancement
- ID: NA
- SUG: NA
- DESC: update to 1.7.0
* Fri Sep 30 2020 chengguipeng<chenguipeng1@huawei.com> - 1.6.9-4 * Fri Sep 30 2020 chengguipeng<chenguipeng1@huawei.com> - 1.6.9-4
- Type:bugfix - Type:bugfix
- Id:NA - Id:NA