Hello community, here is the log from the commit of package libXdmcp for openSUSE:Factory checked in at 2019-03-26 22:28:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libXdmcp (Old) and /work/SRC/openSUSE:Factory/.libXdmcp.new.25356 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXdmcp" Tue Mar 26 22:28:53 2019 rev:10 rq:687380 version:1.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libXdmcp/libXdmcp.changes 2017-06-16 10:53:47.479878182 +0200 +++ /work/SRC/openSUSE:Factory/.libXdmcp.new.25356/libXdmcp.changes 2019-03-26 22:28:54.545756657 +0100 @@ -1,0 +2,15 @@ +Thu Mar 21 15:09:26 UTC 2019 - Stefan Dirsch <sndir...@suse.com> + +- Update to version 1.1.3 + * This release provides a fix for CVE-2017-2625 for platforms which don't have + arc4random_buf() in their default libraries but do have getentropy(), such + as Linux platforms with a kernel version of 3.17 or newer and a glibc version + of 2.25 or newer. (libXdmcp 1.1.2 already ensured that arc4random_buf() + is used on platforms that have it to provide sufficient entropy in XDMCP + key generation, but left other platforms with the weaker methods. Linux + platforms could also have linked against libbsd to use arc4random_buf() + with libXdmcp 1.1.2 for stronger keys.) +- supersedes U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch, + U_Use-getentropy-if-arc4random_buf-is-not-available.patch + +------------------------------------------------------------------- Old: ---- U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch U_Use-getentropy-if-arc4random_buf-is-not-available.patch libXdmcp-1.1.2.tar.bz2 New: ---- libXdmcp-1.1.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXdmcp.spec ++++++ --- /var/tmp/diff_new_pack.mZIBbt/_old 2019-03-26 22:28:56.413756206 +0100 +++ /var/tmp/diff_new_pack.mZIBbt/_new 2019-03-26 22:28:56.457756196 +0100 @@ -1,7 +1,7 @@ # # spec file for package libXdmcp # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,7 +18,7 @@ Name: libXdmcp %define lname libXdmcp6 -Version: 1.1.2 +Version: 1.1.3 Release: 0 Summary: X Display Manager Control Protocol library License: MIT @@ -29,8 +29,6 @@ #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXdmcp/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 Source1: baselibs.conf -Patch0: U_Use-getentropy-if-arc4random_buf-is-not-available.patch -Patch1: U_Fix-compilation-error-when-arc4random_buf-is-not-ava.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf >= 2.60 BuildRequires: automake @@ -86,8 +84,6 @@ %prep %setup -q -%patch0 -p1 -%patch1 -p1 %build autoreconf -fi ++++++ libXdmcp-1.1.2.tar.bz2 -> libXdmcp-1.1.3.tar.bz2 ++++++ ++++ 25529 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/ChangeLog new/libXdmcp-1.1.3/ChangeLog --- old/libXdmcp-1.1.2/ChangeLog 2015-03-21 18:00:45.000000000 +0100 +++ new/libXdmcp-1.1.3/ChangeLog 2019-03-16 17:21:46.000000000 +0100 @@ -1,3 +1,104 @@ +commit 618b3ba5f826d930df2ca6a6a0ce212fa75cef42 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Mar 16 09:19:02 2019 -0700 + + libXdmcp 1.1.3 + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 7d4c69183b9838c684c1bcedb4e6184301d2816f +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Mon Nov 19 21:51:24 2018 -0800 + + Update README for gitlab migration + + 
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 6d1aee0310001eca8f6ded9814a2a70b3a774896 +Author: Benjamin Tissoires <benjamin.tissoi...@gmail.com> +Date: Thu May 4 11:12:13 2017 +0200 + + Fix compilation error when arc4random_buf is not available + + Not sure how I missed that, but I did. + + Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as + requested in the previous patch reviews. + + Last, getbits() expects an unsigned char, so remove the warning. + + Signed-off-by: Benjamin Tissoires <benjamin.tissoi...@gmail.com> + Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> + Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> + +commit 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f +Author: Benjamin Tissoires <benjamin.tissoi...@gmail.com> +Date: Tue Apr 4 19:13:38 2017 +0200 + + Use getentropy() if arc4random_buf() is not available + + This allows to fix CVE-2017-2625 on Linux platforms without pulling in + libbsd. + The libc getentropy() is available since glibc 2.25 but also on OpenBSD. + For Linux, we need at least a v3.17 kernel. If the recommended + arc4random_buf() function is not available, emulate it by first trying + to use getentropy() on a supported glibc and kernel. If the call fails, + fall back to the current (vulnerable) code. + + Signed-off-by: Benjamin Tissoires <benjamin.tissoi...@gmail.com> + Reviewed-by: Mark Kettenis <kette...@openbsd.org> + Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> + Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> + +commit f1bf902c52884e35d48f4d03915f019337f84717 +Author: Mihail Konev <k....@ya.ru> +Date: Thu Jan 26 13:52:49 2017 +1000 + + autogen: add default patch prefix + + 
Signed-off-by: Mihail Konev <k....@ya.ru> + +commit 34ac12e5eb93ba1c4685bd25f5d9a25288d2d89e +Author: Emil Velikov <emil.l.veli...@gmail.com> +Date: Mon Mar 9 12:00:52 2015 +0000 + + autogen.sh: use quoted string variables + + Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent + fall-outs, when they contain space. + + Signed-off-by: Emil Velikov <emil.l.veli...@gmail.com> + Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> + Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> + +commit 3d813e1a45fb5d1b4b566c35218b9bcf0261b74a +Author: Peter Hutterer <peter.hutte...@who-t.net> +Date: Tue Jan 24 10:32:07 2017 +1000 + + autogen.sh: use exec instead of waiting for configure to finish + + Syncs the invocation of configure with the one from the server. + + Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> + Reviewed-by: Emil Velikov <emil.veli...@collabora.com> + +commit 5021b93d68c499831ad65a2abf1bfb7e6ed2724f +Author: Helmut Grohne <hel...@subdivi.de> +Date: Wed Nov 11 22:23:15 2015 +0100 + + do not use &fullrelvers; in xdmcp.xml (Debian bug 761628) + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit b10f382e3aa2e86cd5a2bc27d6758da55f0ab1f6 +Author: Jon TURNEY <jon.tur...@dronecode.org.uk> +Date: Sat Sep 13 20:28:38 2014 +0100 + + Link with winsock library for socket functions on MinGW + + 
Signed-off-by: Jon TURNEY <jon.tur...@dronecode.org.uk> + Reviewed-by: David Macek <david.mace...@gmail.com> + commit 0c09444d276fbf46a0e8b427a4f6a325d0625742 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Mar 21 09:39:14 2015 -0700 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/Key.c new/libXdmcp-1.1.3/Key.c --- old/libXdmcp-1.1.2/Key.c 2015-03-21 17:39:26.000000000 +0100 +++ new/libXdmcp-1.1.3/Key.c 2019-03-16 17:21:22.000000000 +0100 
@@ -62,20 +62,41 @@ #define getpid(x) _getpid(x) #endif -void -XdmcpGenerateKey (XdmAuthKeyPtr key) -{ #ifndef HAVE_ARC4RANDOM_BUF + +static void +insecure_getrandom_buf (unsigned char *auth, int len) +{ long lowbits, highbits; srandom ((int)getpid() ^ time((Time_t *)0)); lowbits = random (); highbits = random (); - getbits (lowbits, key->data); - getbits (highbits, key->data + 4); -#else + getbits (lowbits, auth); + getbits (highbits, auth + 4); +} + +static void +arc4random_buf (void *auth, int len) +{ + int ret; + +#if HAVE_GETENTROPY + /* weak emulation of arc4random through the getentropy libc call */ + ret = getentropy (auth, len); + if (ret == 0) + return; +#endif /* HAVE_GETENTROPY */ + + insecure_getrandom_buf (auth, len); +} + +#endif /* !defined(HAVE_ARC4RANDOM_BUF) */ + +void +XdmcpGenerateKey (XdmAuthKeyPtr key) +{ arc4random_buf(key->data, 8); -#endif } int diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/Makefile.am new/libXdmcp-1.1.3/Makefile.am --- old/libXdmcp-1.1.2/Makefile.am 2015-03-21 17:39:26.000000000 +0100 +++ new/libXdmcp-1.1.3/Makefile.am 2019-03-16 17:21:22.000000000 +0100 
@@ -33,7 +33,7 @@ pkgconfig_DATA = xdmcp.pc MAINTAINERCLEANFILES = ChangeLog INSTALL -EXTRA_DIST = autogen.sh Wraphelp.c Wraphelp.README.crypto +EXTRA_DIST = autogen.sh Wraphelp.c Wraphelp.README.crypto README.md if LINT ALL_LINT_FLAGS=$(LINT_FLAGS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/README new/libXdmcp-1.1.3/README --- old/libXdmcp-1.1.2/README 2015-03-21 17:39:26.000000000 +0100 +++ new/libXdmcp-1.1.3/README 1970-01-01 01:00:00.000000000 +0100 @@ -1,25 +0,0 @@ -libXdmcp - X Display Manager Control Protocol library - -All questions regarding this software should be directed at the -Xorg mailing list: - - http://lists.freedesktop.org/mailman/listinfo/xorg - -Please submit bug reports to the Xorg bugzilla: - - https://bugs.freedesktop.org/enter_bug.cgi?product=xorg - -The master development code repository can be found at: - - git://anongit.freedesktop.org/git/xorg/lib/libXdmcp - - http://cgit.freedesktop.org/xorg/lib/libXdmcp - -For patch submission instructions, see: - - http://www.x.org/wiki/Development/Documentation/SubmittingPatches - -For more information on the git code manager, see: - - http://wiki.x.org/wiki/GitPage - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/README.md new/libXdmcp-1.1.3/README.md --- old/libXdmcp-1.1.2/README.md 1970-01-01 01:00:00.000000000 +0100 +++ new/libXdmcp-1.1.3/README.md 2019-03-16 17:21:22.000000000 +0100 
@@ -0,0 +1,18 @@ +libXdmcp - X Display Manager Control Protocol library +----------------------------------------------------- + +All questions regarding this software should be directed at the +Xorg mailing list: + + https://lists.x.org/mailman/listinfo/xorg + +The master development code repository can be found at: + + https://gitlab.freedesktop.org/xorg/lib/libXdmcp + +Please submit bug reports and requests to merge patches there. + +For patch submission instructions, see: + + https://www.x.org/wiki/Development/Documentation/SubmittingPatches + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/autogen.sh new/libXdmcp-1.1.3/autogen.sh --- old/libXdmcp-1.1.2/autogen.sh 2015-03-21 17:39:26.000000000 +0100 +++ new/libXdmcp-1.1.3/autogen.sh 2019-03-16 17:21:22.000000000 +0100 @@ -1,14 +1,17 @@ #! /bin/sh -srcdir=`dirname $0` +srcdir=`dirname "$0"` test -z "$srcdir" && srcdir=. ORIGDIR=`pwd` -cd $srcdir +cd "$srcdir" autoreconf -v --install || exit 1 -cd $ORIGDIR || exit $? +cd "$ORIGDIR" || exit $? + +git config --local --get format.subjectPrefix >/dev/null 2>&1 || + git config --local format.subjectPrefix "PATCH libXdmcp" if test -z "$NOCONFIGURE"; then - $srcdir/configure "$@" + exec "$srcdir"/configure "$@" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/config.h.in new/libXdmcp-1.1.3/config.h.in --- old/libXdmcp-1.1.2/config.h.in 2015-03-21 17:39:34.000000000 +0100 +++ new/libXdmcp-1.1.3/config.h.in 2019-03-16 17:21:32.000000000 +0100 
@@ -9,12 +9,18 @@ /* Define to 1 if you have the <dlfcn.h> header file. */ #undef HAVE_DLFCN_H +/* Define to 1 if you have the `getentropy' function. */ +#undef HAVE_GETENTROPY + /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have the `bsd' library (-lbsd). */ #undef HAVE_LIBBSD +/* Define to 1 if you have the `ws2_32' library (-lws2_32). */ +#undef HAVE_LIBWS2_32 + /* Define to 1 if you have the `lrand48' function. */ #undef HAVE_LRAND48 @@ -45,8 +51,7 @@ /* Define to 1 if you have the <unistd.h> header file. */ #undef HAVE_UNISTD_H -/* Define to the sub-directory in which libtool stores uninstalled libraries. - */ +/* Define to the sub-directory where libtool stores uninstalled libraries. */ #undef LT_OBJDIR /* Name of package */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/configure.ac new/libXdmcp-1.1.3/configure.ac --- old/libXdmcp-1.1.2/configure.ac 2015-03-21 17:39:26.000000000 +0100 +++ new/libXdmcp-1.1.3/configure.ac 2019-03-16 17:21:22.000000000 +0100 @@ -22,7 +22,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXdmcp], [1.1.2], +AC_INIT([libXdmcp], [1.1.3], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXdmcp]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) 
@@ -55,9 +55,17 @@ # Checks for libraries. AC_SEARCH_LIBS([recvfrom],[socket]) +case $host_os in + *mingw*) + AC_CHECK_LIB([ws2_32],[main]) + ;; + *) + ;; +esac + # Checks for library functions. AC_CHECK_LIB([bsd], [arc4random_buf]) -AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf]) +AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy]) # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XDMCP, xproto) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXdmcp-1.1.2/doc/xdmcp.xml new/libXdmcp-1.1.3/doc/xdmcp.xml --- old/libXdmcp-1.1.2/doc/xdmcp.xml 2015-03-21 17:39:26.000000000 +0100 +++ new/libXdmcp-1.1.3/doc/xdmcp.xml 2019-03-16 17:21:22.000000000 +0100 @@ -23,7 +23,7 @@ <bookinfo> <title>X Display Manager Control Protocol</title> <subtitle>X.Org Standard</subtitle> - <releaseinfo>X Version 11, Release &fullrelvers;</releaseinfo> + <releaseinfo>X Version 11</releaseinfo> <releaseinfo>Version 1.1</releaseinfo> <authorgroup> <author>
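Review bot: The Source line kept as context in the libXdmcp.spec hunk at @@ -29,8 +29,6 @@ still fetches the tarball over plain http://, and the visible Source entries (Source, Source1: baselibs.conf) include no detached signature or keyring, so this bump to a security release is not tied to a verified upstream artifact. Consider switching the URL to https and, if upstream publishes a signature for libXdmcp-1.1.3.tar.bz2, adding it and a keyring as further Source entries so the tarball can be checked at build time.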
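Review bot: In the Key.c hunk, the new static arc4random_buf() drops into insecure_getrandom_buf() without any diagnostic when getentropy() returns non-zero, so XdmcpGenerateKey() can still return a key derived from srandom ((int)getpid() ^ time((Time_t *)0)), the path the commit message itself calls vulnerable, and the caller has no way to tell. Because XdmcpGenerateKey() returns void, at least log the fallback, or abort instead of degrading silently. Separately, insecure_getrandom_buf() takes len but never uses it and always fills auth and auth + 4; either drop the parameter or check that len is 8 so a later caller with a different length does not get a partial or out-of-bounds fill.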
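Review bot: The two added git config lines in the autogen.sh hunk run unconditionally, yet autogen.sh is shipped in the tarball through EXTRA_DIST, so outside a git checkout the first command fails quietly and the second, git config --local format.subjectPrefix "PATCH libXdmcp", runs with its stderr not redirected and prints an error during the build. It also writes to the developer's repository configuration as a side effect of a build script. Guard both lines with a check that the source directory is a git work tree and redirect the second command's output as well.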
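Review bot: Adding getentropy to AC_CHECK_FUNCS in the configure.ac hunk only establishes that the symbol is available at build time; the changelog entry in this same mail says Linux also needs a 3.17 or newer kernel, so a binary built with HAVE_GETENTROPY can still end up on the insecure fallback at run time on an older kernel. A comment beside the check stating that HAVE_GETENTROPY does not guarantee the strong path would help packagers, and builds that must run on older kernels can keep getting arc4random_buf from libbsd through the existing AC_CHECK_LIB([bsd], [arc4random_buf]).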