From a35532f52df3ba3bc360346938aa90806cad493e Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Thu, 5 Oct 2017 00:34:53 +0200 Subject: [PATCH] gnu: xorg-server: Update to 1.19.4 [fixes CVE-2017-13721, CVE-2017-13723]. The GPG signature for the bz2 tarball is bad, but the checksum matches the signed release announcement, and contents are identical to the good .gz. * gnu/packages/xorg.scm (xorg-server): Update to 1.19.4. [source]: Remove obsolete patches. * gnu/packages/patches/xorg-server-CVE-2017-10971.patch, gnu/packages/patches/xorg-server-CVE-2017-10972.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. --- gnu/local.mk | 2 - .../patches/xorg-server-CVE-2017-10971.patch | 153 ------------------ .../patches/xorg-server-CVE-2017-10972.patch | 35 ---- gnu/packages/xorg.scm | 10 +- 4 files changed, 4 insertions(+), 196 deletions(-) delete mode 100644 gnu/packages/patches/xorg-server-CVE-2017-10971.patch delete mode 100644 gnu/packages/patches/xorg-server-CVE-2017-10972.patch diff --git a/gnu/local.mk b/gnu/local.mk index ad8b02a082..6db176b767 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1124,8 +1124,6 @@ dist_patch_DATA = \ %D%/packages/patches/xinetd-fix-fd-leak.patch \ %D%/packages/patches/xinetd-CVE-2013-4342.patch \ %D%/packages/patches/xmodmap-asprintf.patch \ - %D%/packages/patches/xorg-server-CVE-2017-10971.patch \ - %D%/packages/patches/xorg-server-CVE-2017-10972.patch \ %D%/packages/patches/libyaml-CVE-2014-9130.patch \ %D%/packages/patches/zathura-plugindir-environment-variable.patch \ %D%/packages/patches/zziplib-CVE-2017-5974.patch \ diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch b/gnu/packages/patches/xorg-server-CVE-2017-10971.patch deleted file mode 100644 index 2696033e58..0000000000 --- a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch +++ /dev/null @@ -1,153 +0,0 @@ -From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001 -From: Michal Srb -Date: Wed, 24 May 2017 15:54:40 +0300 -Subject: dix: Disallow GenericEvent in SendEvent request. - -The SendEvent request holds xEvent which is exactly 32 bytes long, no more, -no less. Both ProcSendEvent and SProcSendEvent verify that the received data -exactly match the request size. However nothing stops the client from passing -in event with xEvent::type = GenericEvent and any value of -xGenericEvent::length. - -In the case of ProcSendEvent, the event will be eventually passed to -WriteEventsToClient which will see that it is Generic event and copy the -arbitrary length from the receive buffer (and possibly past it) and send it to -the other client. This allows clients to copy unitialized heap memory out of X -server or to crash it. - -In case of SProcSendEvent, it will attempt to swap the incoming event by -calling a swapping function from the EventSwapVector array. The swapped event -is written to target buffer, which in this case is local xEvent variable. The -xEvent variable is 32 bytes long, but the swapping functions for GenericEvents -expect that the target buffer has size matching the size of the source -GenericEvent. This allows clients to cause stack buffer overflows. - -Signed-off-by: Michal Srb -Reviewed-by: Peter Hutterer -Signed-off-by: Peter Hutterer - -diff --git a/dix/events.c b/dix/events.c -index 3e3a01e..d3a33ea 100644 ---- a/dix/events.c -+++ b/dix/events.c -@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) - client->errorValue = stuff->event.u.u.type; - return BadValue; - } -+ /* Generic events can have variable size, but SendEvent request holds -+ exactly 32B of event data. */ -+ if (stuff->event.u.u.type == GenericEvent) { -+ client->errorValue = stuff->event.u.u.type; -+ return BadValue; -+ } - if (stuff->event.u.u.type == ClientMessage && - stuff->event.u.u.detail != 8 && - stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { -diff --git a/dix/swapreq.c b/dix/swapreq.c -index 719e9b8..6785059 100644 ---- a/dix/swapreq.c -+++ b/dix/swapreq.c -@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) - swapl(&stuff->destination); - swapl(&stuff->eventMask); - -+ /* Generic events can have variable size, but SendEvent request holds -+ exactly 32B of event data. */ -+ if (stuff->event.u.u.type == GenericEvent) { -+ client->errorValue = stuff->event.u.u.type; -+ return BadValue; -+ } -+ - /* Swap event */ - proc = EventSwapVector[stuff->event.u.u.type & 0177]; - if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ --- -cgit v0.10.2 - -From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001 -From: Michal Srb -Date: Wed, 24 May 2017 15:54:41 +0300 -Subject: Xi: Verify all events in ProcXSendExtensionEvent. - -The requirement is that events have type in range -EXTENSION_EVENT_BASE..lastEvent, but it was tested -only for first event of all. - -Signed-off-by: Michal Srb -Reviewed-by: Peter Hutterer -Signed-off-by: Peter Hutterer - -diff --git a/Xi/sendexev.c b/Xi/sendexev.c -index 1cf118a..5e63bfc 100644 ---- a/Xi/sendexev.c -+++ b/Xi/sendexev.c -@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) - int - ProcXSendExtensionEvent(ClientPtr client) - { -- int ret; -+ int ret, i; - DeviceIntPtr dev; - xEvent *first; - XEventClass *list; -@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) - /* The client's event type must be one defined by an extension. */ - - first = ((xEvent *) &stuff[1]); -- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && -- (first->u.u.type < lastEvent))) { -- client->errorValue = first->u.u.type; -- return BadValue; -+ for (i = 0; i < stuff->num_events; i++) { -+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && -+ (first[i].u.u.type < lastEvent))) { -+ client->errorValue = first[i].u.u.type; -+ return BadValue; -+ } - } - - list = (XEventClass *) (first + stuff->num_events); --- -cgit v0.10.2 - -From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 -From: Michal Srb -Date: Wed, 24 May 2017 15:54:42 +0300 -Subject: Xi: Do not try to swap GenericEvent. - -The SProcXSendExtensionEvent must not attempt to swap GenericEvent because -it is assuming that the event has fixed size and gives the swapping function -xEvent-sized buffer. - -A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. - -Signed-off-by: Michal Srb -Reviewed-by: Peter Hutterer -Signed-off-by: Peter Hutterer - -diff --git a/Xi/sendexev.c b/Xi/sendexev.c -index 5e63bfc..5c2e0fc 100644 ---- a/Xi/sendexev.c -+++ b/Xi/sendexev.c -@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) - - eventP = (xEvent *) &stuff[1]; - for (i = 0; i < stuff->num_events; i++, eventP++) { -+ if (eventP->u.u.type == GenericEvent) { -+ client->errorValue = eventP->u.u.type; -+ return BadValue; -+ } -+ - proc = EventSwapVector[eventP->u.u.type & 0177]; -- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ -+ /* no swapping proc; invalid event type? */ -+ if (proc == NotImplemented) { -+ client->errorValue = eventP->u.u.type; - return BadValue; -+ } - (*proc) (eventP, &eventT); - *eventP = eventT; - } --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch b/gnu/packages/patches/xorg-server-CVE-2017-10972.patch deleted file mode 100644 index f24e9c0ae6..0000000000 --- a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 -From: Michal Srb -Date: Wed, 24 May 2017 15:54:39 +0300 -Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. - -Make sure that the xEvent eventT is initialized with zeros, the same way as -in SProcSendEvent. - -Some event swapping functions do not overwrite all 32 bytes of xEvent -structure, for example XSecurityAuthorizationRevoked. Two cooperating -clients, one swapped and the other not, can send -XSecurityAuthorizationRevoked event to each other to retrieve old stack data -from X server. This can be potentialy misused to go around ASLR or -stack-protector. - -Signed-off-by: Michal Srb -Reviewed-by: Peter Hutterer -Signed-off-by: Peter Hutterer - -diff --git a/Xi/sendexev.c b/Xi/sendexev.c -index 11d8202..1cf118a 100644 ---- a/Xi/sendexev.c -+++ b/Xi/sendexev.c -@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) - { - CARD32 *p; - int i; -- xEvent eventT; -+ xEvent eventT = { .u.u.type = 0 }; - xEvent *eventP; - EventSwapPtr proc; - --- -cgit v0.10.2 - diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index d66cf417f6..f3d415c096 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -5067,7 +5067,7 @@ over Xlib, including: (define-public xorg-server (package (name "xorg-server") - (version "1.19.3") + (version "1.19.4") (source (origin (method url-fetch) @@ -5076,9 +5076,9 @@ over Xlib, including: name "-" version ".tar.bz2")) (sha256 (base32 - "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7")) + "1a690fzv5l5ks45g9zhlzdskdq8q73mcbpb9a3wz3shxm778lxda")) (patches - (cons + (list ;; See: ;; https://lists.fedoraproject.org/archives/list/devel@lists. ;; fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/ @@ -5090,9 +5090,7 @@ over Xlib, including: (sha256 (base32 "0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q")) - (file-name "xorg-server-use-intel-only-on-pre-gen4.diff")) - (search-patches "xorg-server-CVE-2017-10971.patch" - "xorg-server-CVE-2017-10972.patch"))))) + (file-name "xorg-server-use-intel-only-on-pre-gen4.diff")))))) (build-system gnu-build-system) (propagated-inputs `(("dri2proto" ,dri2proto)