Hello community, here is the log from the commit of package libXdmcp for openSUSE:Factory checked in at 2017-06-16 10:53:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libXdmcp (Old) and /work/SRC/openSUSE:Factory/.libXdmcp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXdmcp" Fri Jun 16 10:53:43 2017 rev:9 rq:502911 version:1.1.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libXdmcp/libXdmcp.changes 2015-03-25 09:55:47.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libXdmcp.new/libXdmcp.changes 2017-06-16 10:53:47.479878182 +0200 @@ -1,0 +2,9 @@ +Sun Jun 11 20:28:03 UTC 2017 - sndir...@suse.com + +- U_Use-getentropy-if-arc4random_buf-is-not-available.patch + * Use getentropy() if arc4random_buf() is not available + (bsc#1025046, CVE-2017-2625) +- U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch + * Fix compilation error when arc4random_buf is not available + +------------------------------------------------------------------- New: ---- U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch U_Use-getentropy-if-arc4random_buf-is-not-available.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXdmcp.spec ++++++ --- /var/tmp/diff_new_pack.nkCfkJ/_old 2017-06-16 10:53:48.083793168 +0200 +++ /var/tmp/diff_new_pack.nkCfkJ/_new 2017-06-16 10:53:48.087792605 +0200 @@ -1,7 +1,7 @@ # # spec file for package libXdmcp # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,8 +29,12 @@ #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXdmcp/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 Source1: baselibs.conf +Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch +Patch1: U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -#git#BuildRequires: autoconf >= 2.60, automake, libtool +BuildRequires: autoconf >= 2.60 +BuildRequires: automake +BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(xorg-macros) >= 1.12 BuildRequires: pkgconfig(xproto) @@ -46,8 +50,8 @@ %package -n %lname Summary: X Display Manager Control Protocol library -Group: System/Libraries # O/P added for 12.2 +Group: System/Libraries Provides: xorg-x11-libXdmcp = 7.6_%version-%release Obsoletes: xorg-x11-libXdmcp < 7.6_%version-%release @@ -82,8 +86,11 @@ %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build +autoreconf -fi %configure --docdir=%_docdir/%name --disable-static make %{?_smp_mflags} ++++++ U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch ++++++ >From 6d1aee0310001eca8f6ded9814a2a70b3a774896 Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires <benjamin.tissoi...@gmail.com> Date: Thu, 4 May 2017 11:12:13 +0200 Subject: [PATCH 2/2] Fix compilation error when arc4random_buf is not available Not sure how I missed that, but I did. Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as requested in the previous patch reviews. Last, getbits() expects an unsigned char, so remove the warning. Signed-off-by: Benjamin Tissoires <benjamin.tissoi...@gmail.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> --- Key.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Key.c b/Key.c index 70607d0..d61ad0e 100644 --- a/Key.c +++ b/Key.c @@ -65,15 +65,15 @@ getbits (long data, unsigned char *dst) #ifndef HAVE_ARC4RANDOM_BUF static void -emulate_getrandom_buf (char *auth, int len) +insecure_getrandom_buf (unsigned char *auth, int len) { long lowbits, highbits; srandom ((int)getpid() ^ time((Time_t *)0)); lowbits = random (); highbits = random (); - getbits (lowbits, key->data); - getbits (highbits, key->data + 4); + getbits (lowbits, auth); + getbits (highbits, auth + 4); } static void @@ -88,7 +88,7 @@ arc4random_buf (void *auth, int len) return; #endif /* HAVE_GETENTROPY */ - emulate_getrandom_buf (auth, len); + insecure_getrandom_buf (auth, len); } #endif /* !defined(HAVE_ARC4RANDOM_BUF) */ -- 2.12.3 ++++++ U_Use-getentropy-if-arc4random_buf-is-not-available.patch ++++++ >From 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires <benjamin.tissoi...@gmail.com> Date: Tue, 4 Apr 2017 19:13:38 +0200 Subject: [PATCH 1/2] Use getentropy() if arc4random_buf() is not available This allows to fix CVE-2017-2625 on Linux platforms without pulling in libbsd. The libc getentropy() is available since glibc 2.25 but also on OpenBSD. For Linux, we need at least a v3.17 kernel. If the recommended arc4random_buf() function is not available, emulate it by first trying to use getentropy() on a supported glibc and kernel. If the call fails, fall back to the current (vulnerable) code. Signed-off-by: Benjamin Tissoires <benjamin.tissoi...@gmail.com> Reviewed-by: Mark Kettenis <kette...@openbsd.org> Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> --- Key.c | 31 ++++++++++++++++++++++++++----- configure.ac | 2 +- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/Key.c b/Key.c index a09b316..70607d0 100644 --- a/Key.c +++ b/Key.c @@ -62,10 +62,11 @@ getbits (long data, unsigned char *dst) #define getpid(x) _getpid(x) #endif -void -XdmcpGenerateKey (XdmAuthKeyPtr key) -{ #ifndef HAVE_ARC4RANDOM_BUF + +static void +emulate_getrandom_buf (char *auth, int len) +{ long lowbits, highbits; srandom ((int)getpid() ^ time((Time_t *)0)); @@ -73,9 +74,29 @@ XdmcpGenerateKey (XdmAuthKeyPtr key) highbits = random (); getbits (lowbits, key->data); getbits (highbits, key->data + 4); -#else +} + +static void +arc4random_buf (void *auth, int len) +{ + int ret; + +#if HAVE_GETENTROPY + /* weak emulation of arc4random through the getentropy libc call */ + ret = getentropy (auth, len); + if (ret == 0) + return; +#endif /* HAVE_GETENTROPY */ + + emulate_getrandom_buf (auth, len); +} + +#endif /* !defined(HAVE_ARC4RANDOM_BUF) */ + +void +XdmcpGenerateKey (XdmAuthKeyPtr key) +{ arc4random_buf(key->data, 8); -#endif } int diff --git a/configure.ac b/configure.ac index 2288502..d2b045d 100644 --- a/configure.ac +++ b/configure.ac @@ -65,7 +65,7 @@ esac # Checks for library functions. AC_CHECK_LIB([bsd], [arc4random_buf]) -AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf]) +AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy]) # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XDMCP, xproto) -- 2.12.3