Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libX11 for openSUSE:Factory checked in at 2023-06-17 22:20:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libX11 (Old) and /work/SRC/openSUSE:Factory/.libX11.new.15902 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libX11" Sat Jun 17 22:20:09 2023 rev:48 rq:1093353 version:1.8.5 Changes: -------- --- /work/SRC/openSUSE:Factory/libX11/libX11.changes 2023-06-04 00:11:33.197157650 +0200 +++ /work/SRC/openSUSE:Factory/.libX11.new.15902/libX11.changes 2023-06-17 22:20:21.127551971 +0200 @@ -1,0 +2,6 @@ +Mon Jun 12 13:14:03 UTC 2023 - Stefan Dirsch <sndir...@suse.com> + +- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch + * Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138) + +------------------------------------------------------------------- New: ---- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libX11.spec ++++++ --- /var/tmp/diff_new_pack.gf4mhK/_old 2023-06-17 22:20:21.719555528 +0200 +++ /var/tmp/diff_new_pack.gf4mhK/_new 2023-06-17 22:20:21.723555553 +0200 @@ -32,6 +32,7 @@ # PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales Patch2: en-locales.diff Patch3: u_no-longer-crash-in-XVisualIDFromVisual.patch +Patch1212102: U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch BuildRequires: fdupes BuildRequires: libtool BuildRequires: pkgconfig @@ -135,6 +136,7 @@ %patch1 %patch2 %patch3 -p1 +%patch1212102 -p1 %build %configure \ ++++++ U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch ++++++ >From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat, 10 Jun 2023 16:30:07 -0700 Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request, event, & error codes Fixes CVE-2023-3138: X servers could return values from XQueryExtension that would cause Xlib to write entries out-of-bounds of the arrays to store them, though this would only overwrite other parts of the Display struct, not outside the bounds allocated for that structure. Reported-by: Gregory James DUCK <gjd...@gmail.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> --- src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/src/InitExt.c b/src/InitExt.c index 4de46f15..afc00a6b 100644 --- a/src/InitExt.c +++ b/src/InitExt.c @@ -33,6 +33,18 @@ from The Open Group. #include <X11/Xos.h> #include <stdio.h> +/* The X11 protocol spec reserves events 64 through 127 for extensions */ +#ifndef LastExtensionEvent +#define LastExtensionEvent 127 +#endif + +/* The X11 protocol spec reserves requests 128 through 255 for extensions */ +#ifndef LastExtensionRequest +#define FirstExtensionRequest 128 +#define LastExtensionRequest 255 +#endif + + /* * This routine is used to link a extension in so it will be called * at appropriate times. @@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent( WireToEventType proc) /* routine to call when converting event */ { register WireToEventType oldproc; + if (event_number < 0 || + event_number > LastExtensionEvent) { + fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", + event_number); + return (WireToEventType)_XUnknownWireEvent; + } if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; LockDisplay (dpy); oldproc = dpy->event_vec[event_number]; @@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie( ) { WireToEventCookieType oldproc; + if (extension < FirstExtensionRequest || + extension > LastExtensionRequest) { + fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", + extension); + return (WireToEventCookieType)_XUnknownWireEventCookie; + } if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; LockDisplay (dpy); oldproc = dpy->generic_event_vec[extension & 0x7F]; @@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie( ) { CopyEventCookieType oldproc; + if (extension < FirstExtensionRequest || + extension > LastExtensionRequest) { + fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", + extension); + return (CopyEventCookieType)_XUnknownCopyEventCookie; + } if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; LockDisplay (dpy); oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; @@ -305,6 +335,12 @@ EventToWireType XESetEventToWire( EventToWireType proc) /* routine to call when converting event */ { register EventToWireType oldproc; + if (event_number < 0 || + event_number > LastExtensionEvent) { + fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", + event_number); + return (EventToWireType)_XUnknownNativeEvent; + } if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; LockDisplay (dpy); oldproc = dpy->wire_vec[event_number]; @@ -325,6 +361,12 @@ WireToErrorType XESetWireToError( WireToErrorType proc) /* routine to call when converting error */ { register WireToErrorType oldproc = NULL; + if (error_number < 0 || + error_number > LastExtensionError) { + fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", + error_number); + return (WireToErrorType)_XDefaultWireError; + } if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; LockDisplay (dpy); if (!dpy->error_vec) { -- 2.15.2