Bug#988832: unblock: libx11/2:1.7.1-1

2021-05-21 Thread Cyril Brulebois
Hi,

Paul Gevers (2021-05-21):
> On 20-05-2021 10:26, Emilio Pozuelo Monfort wrote:
> > Please unblock package libx11
> 
> This needs also an ack from d-i, boot CC-ed.

Tests are looking good, feel free to go ahead.

> > The debdiff is a little large due to the autotools version the
> > tarball was generated with. I'm attaching a debdiff filtered with
> > 
> >   filterdiff -x '*/Makefile.in' -x '*.man' -x '*/aclocal.m4' -x '*/configure'
> > 
> > (the *.man changes are actual manpage syntax fixes, but make it
> > harder to review the actually important code fixes in this update,
> > so I filtered them).

Thanks for that.

> Funny how some copyrights go backward in time in this release.

Exactly my first reaction when I d'd your package. :)


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#988832: unblock: libx11/2:1.7.1-1

2021-05-21 Thread Paul Gevers
Control: tags -1 d-i confirmed

Hi,

On 20-05-2021 10:26, Emilio Pozuelo Monfort wrote:
> Please unblock package libx11

This needs also an ack from d-i, boot CC-ed.

> This fixes CVE-2021-31535, a bug in libX11 which could lead to the
> execution of additional X requests due to insufficient buffer checks.
> 
> I have done some manual tests (run an X server with various applications)
> 
> The risks are minor as the changes are pretty much limited to the security
> fix, with minor changes aside of that.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> The debdiff is a little large due to the autotools version the tarball
> was generated with. I'm attaching a debdiff filtered with
> 
>   filterdiff -x '*/Makefile.in' -x '*.man' -x '*/aclocal.m4' -x '*/configure'
> 
> (the *.man changes are actual manpage syntax fixes, but make it harder to
> review the actually important code fixes in this update, so I filtered them).

Funny how some copyrights go backward in time in this release.

Paul





Bug#988832: unblock: libx11/2:1.7.1-1

2021-05-20 Thread Emilio Pozuelo Monfort
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debia...@lists.debian.org

Please unblock package libx11

This fixes CVE-2021-31535, a bug in libX11 which could lead to the
execution of additional X requests due to insufficient buffer checks.

I have done some manual tests (run an X server with various applications)

The risks are minor as the changes are pretty much limited to the security
fix, with minor changes aside of that.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

The debdiff is a little large due to the autotools version the tarball
was generated with. I'm attaching a debdiff filtered with

  filterdiff -x '*/Makefile.in' -x '*.man' -x '*/aclocal.m4' -x '*/configure'

(the *.man changes are actual manpage syntax fixes, but make it harder to review
the actually important code fixes in this update, so I filtered them).

unblock libx11/2:1.7.1-1
diff -Nru libx11-1.7.0/compile libx11-1.7.1/compile
--- libx11-1.7.0/compile2020-11-20 20:08:19.0 +0100
+++ libx11-1.7.1/compile2021-05-18 16:14:45.0 +0200
@@ -3,7 +3,7 @@
 
 scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2020 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 # Written by Tom Tromey .
 #
 # This program is free software; you can redistribute it and/or modify
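Review bot: the copyright range on the `# Copyright (C) 1999-...` line goes back from 2020 to 2018 while `scriptversion=2018-03-07.03` is unchanged, which fits the request's remark that the tarball was generated with a different autotools version rather than a deliberate edit of this file. Nothing to change in the package, but a sentence in the unblock request saying that `compile` is the helper as shipped in the upstream tarball would keep this from being read as a licensing change.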
@@ -53,7 +53,7 @@
  MINGW*)
file_conv=mingw
;;
- CYGWIN* | MSYS*)
+ CYGWIN*)
file_conv=cygwin
;;
  *)
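Review bot: removing `MSYS*` from the `CYGWIN* | MSYS*)` pattern is a behaviour change, not a header change: MSYS hosts no longer get `file_conv=cygwin` and fall through to the `*)` default. It does not affect Debian builds, but it is a regression in the generated helper and worth raising upstream so the next tarball is produced with the newer automake.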
@@ -67,7 +67,7 @@
mingw/*)
  file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
  ;;
-   cygwin/* | msys/*)
+   cygwin/*)
  file=`cygpath -m "$file" || echo "$file"`
  ;;
wine/*)
diff -Nru libx11-1.7.0/configure.ac libx11-1.7.1/configure.ac
--- libx11-1.7.0/configure.ac   2020-11-20 20:08:11.0 +0100
+++ libx11-1.7.1/configure.ac   2021-05-18 16:14:20.0 +0200
@@ -1,7 +1,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libX11], [1.7.0],
+AC_INIT([libX11], [1.7.1],
 [https://gitlab.freedesktop.org/xorg/lib/libx11/issues], [libX11])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([src/config.h include/X11/XlibConf.h])
diff -Nru libx11-1.7.0/debian/changelog libx11-1.7.1/debian/changelog
--- libx11-1.7.0/debian/changelog   2021-05-20 10:05:15.0 +0200
+++ libx11-1.7.1/debian/changelog   2021-05-20 10:05:15.0 +0200
@@ -1,3 +1,16 @@
+libx11 (2:1.7.1-1) unstable; urgency=medium
+
+  [ Julien Cristau ]
+  * libx11-6 Breaks old libx11-xcb1, as further mitigation for bug
+#979590.
+
+  [ Emilio Pozuelo Monfort ]
+  * New upstream release.
+  * CVE-2021-31535: X protocol command injection due to missing request
+length checks (closes: #988737)
+
+ -- Emilio Pozuelo Monfort   Wed, 19 May 2021 17:22:09 +0200
+
 libx11 (2:1.7.0-2) unstable; urgency=medium
 
   * Set a strict dependency of libx11-xcb1 on libx11-6, as internal ABI
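Review bot: under `[ Emilio Pozuelo Monfort ]`, "New upstream release" is the only description of the 1.7.0 to 1.7.1 delta apart from the CVE-2021-31535 line. Since the unblock request relies on the remaining changes being minor, a short sub-item listing them (for example the manpage syntax fixes mentioned in the request) would let a reviewer check that claim against the changelog alone.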
diff -Nru libx11-1.7.0/debian/control libx11-1.7.1/debian/control
--- libx11-1.7.0/debian/control 2021-05-20 10:05:15.0 +0200
+++ libx11-1.7.1/debian/control 2021-05-20 10:05:15.0 +0200
@@ -28,6 +28,8 @@
  ${misc:Depends},
  libx11-data,
 Pre-Depends: ${misc:Pre-Depends}
+Breaks:
+ libx11-xcb1 (<< 2:1.7.0-2),
 Multi-Arch: same
 Description: X11 client-side library
  This package provides a client interface to the X Window System, otherwise
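Review bot: the bound in `libx11-xcb1 (<< 2:1.7.0-2)` has to be the first libx11-xcb1 version that carries the strict dependency on libx11-6. The changelog context places that dependency in 2:1.7.0-2, so the bound is consistent; it would help to say so in the changelog entry for the Breaks, which currently cites only bug #979590.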
diff -Nru libx11-1.7.0/depcomp libx11-1.7.1/depcomp
--- libx11-1.7.0/depcomp2020-11-20 20:08:19.0 +0100
+++ libx11-1.7.1/depcomp2021-05-18 16:14:46.0 +0200
@@ -3,7 +3,7 @@
 
 scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2020 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
diff -Nru libx11-1.7.0/include/X11/Xlib.h libx11-1.7.1/include/X11/Xlib.h
--- libx11-1.7.0/include/X11/Xlib.h 2020-11-20 20:08:11.0 +0100
+++ libx11-1.7.1/include/X11/Xlib.h 2021-05-18 16:14:20.0 +0200
@@ -367,7 +367,7 @@
 int bitmap_bit_order;  /* LSBFirst, MSBFirst */
 int bitmap_pad;/* 8, 16, 32 either XY or ZPixmap */
 int depth; /* depth of image */
-int bytes_per_line;/* accelarator to next line */
+int bytes_per_line;/* accelerator to next line */
 int bits_per_pixel;/* bits per pixel (ZPixmap) */
 unsigned long red_mask;/* bits in z arrangement */
 unsigned long green_mask;
diff -Nru libx11-1.7.0/install-sh libx11-1.7.1/install-sh
--- libx11-1.7.0/install-sh 2020-11-20 20:08:19.0 +0100