Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libX11 for openSUSE:Factory checked 
in at 2023-06-17 22:20:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libX11 (Old)
 and      /work/SRC/openSUSE:Factory/.libX11.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libX11"

Sat Jun 17 22:20:09 2023 rev:48 rq:1093353 version:1.8.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/libX11/libX11.changes    2023-06-04 
00:11:33.197157650 +0200
+++ /work/SRC/openSUSE:Factory/.libX11.new.15902/libX11.changes 2023-06-17 
22:20:21.127551971 +0200
@@ -1,0 +2,6 @@
+Mon Jun 12 13:14:03 UTC 2023 - Stefan Dirsch <sndir...@suse.com>
+
+- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
+  * Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138)
+
+-------------------------------------------------------------------

New:
----
  U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libX11.spec ++++++
--- /var/tmp/diff_new_pack.gf4mhK/_old  2023-06-17 22:20:21.719555528 +0200
+++ /var/tmp/diff_new_pack.gf4mhK/_new  2023-06-17 22:20:21.723555553 +0200
@@ -32,6 +32,7 @@
 # PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data 
for more en locales
 Patch2:         en-locales.diff
 Patch3:         u_no-longer-crash-in-XVisualIDFromVisual.patch
+Patch1212102:   U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
 BuildRequires:  fdupes
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -135,6 +136,7 @@
 %patch1
 %patch2
 %patch3 -p1
+%patch1212102 -p1
 
 %build
 %configure \

++++++ U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch ++++++
>From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Sat, 10 Jun 2023 16:30:07 -0700
Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request,
 event, & error codes

Fixes CVE-2023-3138: X servers could return values from XQueryExtension
that would cause Xlib to write entries out-of-bounds of the arrays to
store them, though this would only overwrite other parts of the Display
struct, not outside the bounds allocated for that structure.

Reported-by: Gregory James DUCK <gjd...@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
---
 src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/src/InitExt.c b/src/InitExt.c
index 4de46f15..afc00a6b 100644
--- a/src/InitExt.c
+++ b/src/InitExt.c
@@ -33,6 +33,18 @@ from The Open Group.
 #include <X11/Xos.h>
 #include <stdio.h>
 
+/* The X11 protocol spec reserves events 64 through 127 for extensions */
+#ifndef LastExtensionEvent
+#define LastExtensionEvent 127
+#endif
+
+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
+#ifndef LastExtensionRequest
+#define FirstExtensionRequest 128
+#define LastExtensionRequest 255
+#endif
+
+
 /*
  * This routine is used to link a extension in so it will be called
  * at appropriate times.
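Review bot: `FirstExtensionRequest` is defined only inside the `#ifndef LastExtensionRequest` guard, so a build where a header already supplies `LastExtensionRequest` but not `FirstExtensionRequest` would leave the lower bound used by the two cookie setters undefined. Giving it its own guard keeps the two limits independent: `#ifndef FirstExtensionRequest` / `#define FirstExtensionRequest 128` / `#endif`. `LastExtensionError`, which the XESetWireToError check relies on, gets no fallback in this block; presumably it comes from an included X header, which is worth confirming.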
@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
        WireToEventType proc)   /* routine to call when converting event */
 {
        register WireToEventType oldproc;
+       if (event_number < 0 ||
+           event_number > LastExtensionEvent) {
+           fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
+                   event_number);
+           return (WireToEventType)_XUnknownWireEvent;
+       }
        if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
        LockDisplay (dpy);
        oldproc = dpy->event_vec[event_number];
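Review bot: The lower bound in this check is 0, while the comment added at the top of the file says extension events occupy 64 through 127, so a call with a core event code in 0..63 still replaces that slot in `dpy->event_vec`. The same holds for the `wire_vec` check in XESetEventToWire. If that is kept for compatibility with existing callers (likely, but not visible here), say so next to the check, e.g. `/* core event codes below 64 are accepted on purpose; only codes outside the vector are rejected */`. Since the commit message traces the bad values to the server's XQueryExtension reply, the function's header comment should also state that a rejected call changes nothing and returns the default handler. The function body continues past the end of the hunk.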
@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
     )
 {
        WireToEventCookieType oldproc;
+       if (extension < FirstExtensionRequest ||
+           extension > LastExtensionRequest) {
+           fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
+                   extension);
+           return (WireToEventCookieType)_XUnknownWireEventCookie;
+       }
        if (proc == NULL) proc = 
(WireToEventCookieType)_XUnknownWireEventCookie;
        LockDisplay (dpy);
        oldproc = dpy->generic_event_vec[extension & 0x7F];
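Review bot: The index on the last line of this hunk is already masked with `0x7F`, so it stays within 0..127 for any opcode; what the new range check changes is that an opcode outside 128..255 is no longer folded onto a slot belonging to a different opcode. That reasoning is worth a comment above the check, here and in XESetCopyEventCookie, such as `/* opcodes 128..255 map one-to-one onto slots 0..127 via & 0x7F; anything else would alias another slot */`. Whether the vectors hold exactly 128 entries is not visible in the hunk, so confirm that before relying on the mask alone. The function body continues outside the hunk.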
@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
     )
 {
        CopyEventCookieType oldproc;
+       if (extension < FirstExtensionRequest ||
+           extension > LastExtensionRequest) {
+           fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
+                   extension);
+           return (CopyEventCookieType)_XUnknownCopyEventCookie;
+       }
        if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
        LockDisplay (dpy);
        oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
        EventToWireType proc)   /* routine to call when converting event */
 {
        register EventToWireType oldproc;
+       if (event_number < 0 ||
+           event_number > LastExtensionEvent) {
+           fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
+                   event_number);
+           return (EventToWireType)_XUnknownNativeEvent;
+       }
        if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
        LockDisplay (dpy);
        oldproc = dpy->wire_vec[event_number];
@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
        WireToErrorType proc)   /* routine to call when converting error */
 {
        register WireToErrorType oldproc = NULL;
+       if (error_number < 0 ||
+           error_number > LastExtensionError) {
+          fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
+                   error_number);
+          return (WireToErrorType)_XDefaultWireError;
+       }
        if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
        LockDisplay (dpy);
        if (!dpy->error_vec) {
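Review bot: The `fprintf` and `return` inside the new `if` block are indented one column less than the matching blocks in the other four functions; align them so the five checks read identically. Separately, `oldproc` is initialised to NULL in this function while the rejection path returns `_XDefaultWireError`. The rest of the body lies outside the hunk, so it is unclear whether other failure paths return NULL; if they do, a one-line comment saying what each return value means would help callers tell a rejected error code from an allocation failure.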
-- 
2.15.2
