[OE-core] [PATCH 08/15] xorg-xserver: update to 1.19.5

Armin Kuster akuster808 at gmail.com
Fri Nov 3 19:54:42 UTC 2017


Remove patches that are included in 1.19.4

[ANNOUNCE] xorg-server 1.19.4
https://lists.x.org/archives/xorg-devel/2017-October/054839.html

xkb: Handle xkb formated string output safely (CVE-2017-13723)
Xext/shm: Validate shmseg resource id (CVE-2017-13721)

[ANNOUNCE] xorg-server 1.19.5
https://lists.x.org/archives/xorg-announce/2017-October/002814.html
One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-
12176 through 2017-12187. C is a terrible language, please stop writing
code in it.

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../xserver-xorg/CVE-2017-10971-1.patch            | 76 ----------------------
 .../xserver-xorg/CVE-2017-10971-2.patch            | 55 ----------------
 .../xserver-xorg/CVE-2017-10971-3.patch            | 50 --------------
 ...erver-xorg_1.19.3.bb => xserver-xorg_1.19.5.bb} |  7 +-
 4 files changed, 2 insertions(+), 186 deletions(-)
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_1.19.3.bb => xserver-xorg_1.19.5.bb} (81%)

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
deleted file mode 100644
index 23c8049..0000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb at suse.com>
-Date: Wed, 24 May 2017 15:54:40 +0300
-Subject: [PATCH] dix: Disallow GenericEvent in SendEvent request.
-
-The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
-no less. Both ProcSendEvent and SProcSendEvent verify that the received data
-exactly match the request size. However nothing stops the client from passing
-in event with xEvent::type = GenericEvent and any value of
-xGenericEvent::length.
-
-In the case of ProcSendEvent, the event will be eventually passed to
-WriteEventsToClient which will see that it is Generic event and copy the
-arbitrary length from the receive buffer (and possibly past it) and send it to
-the other client. This allows clients to copy unitialized heap memory out of X
-server or to crash it.
-
-In case of SProcSendEvent, it will attempt to swap the incoming event by
-calling a swapping function from the EventSwapVector array. The swapped event
-is written to target buffer, which in this case is local xEvent variable. The
-xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
-expect that the target buffer has size matching the size of the source
-GenericEvent. This allows clients to cause stack buffer overflows.
-
-Signed-off-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
-
-CVE: CVE-2017-10971
-
-Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c]
-
-Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
----
- dix/events.c  |    6 ++++++
- dix/swapreq.c |    7 +++++++
- 2 files changed, 13 insertions(+)
-
-diff --git a/dix/events.c b/dix/events.c
-index 3e3a01e..d3a33ea 100644
---- a/dix/events.c
-+++ b/dix/events.c
-@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
-         client->errorValue = stuff->event.u.u.type;
-         return BadValue;
-     }
-+    /* Generic events can have variable size, but SendEvent request holds
-+       exactly 32B of event data. */
-+    if (stuff->event.u.u.type == GenericEvent) {
-+        client->errorValue = stuff->event.u.u.type;
-+        return BadValue;
-+    }
-     if (stuff->event.u.u.type == ClientMessage &&
-         stuff->event.u.u.detail != 8 &&
-         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
-diff --git a/dix/swapreq.c b/dix/swapreq.c
-index 719e9b8..6785059 100644
---- a/dix/swapreq.c
-+++ b/dix/swapreq.c
-@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
-     swapl(&stuff->destination);
-     swapl(&stuff->eventMask);
- 
-+    /* Generic events can have variable size, but SendEvent request holds
-+       exactly 32B of event data. */
-+    if (stuff->event.u.u.type == GenericEvent) {
-+        client->errorValue = stuff->event.u.u.type;
-+        return BadValue;
-+    }
-+
-     /* Swap event */
-     proc = EventSwapVector[stuff->event.u.u.type & 0177];
-     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
--- 
-1.7.9.5
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
deleted file mode 100644
index 5c9887a..0000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb at suse.com>
-Date: Wed, 24 May 2017 15:54:41 +0300
-Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent.
-
-The requirement is that events have type in range
-EXTENSION_EVENT_BASE..lastEvent, but it was tested
-only for first event of all.
-
-Signed-off-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
-
-CVE: CVE-2017-10971
-
-Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d]
-
-Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
----
- Xi/sendexev.c |   12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 1cf118a..5e63bfc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- int
- ProcXSendExtensionEvent(ClientPtr client)
- {
--    int ret;
-+    int ret, i;
-     DeviceIntPtr dev;
-     xEvent *first;
-     XEventClass *list;
-@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
-     /* The client's event type must be one defined by an extension. */
- 
-     first = ((xEvent *) &stuff[1]);
--    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
--          (first->u.u.type < lastEvent))) {
--        client->errorValue = first->u.u.type;
--        return BadValue;
-+    for (i = 0; i < stuff->num_events; i++) {
-+        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
-+            (first[i].u.u.type < lastEvent))) {
-+            client->errorValue = first[i].u.u.type;
-+            return BadValue;
-+        }
-     }
- 
-     list = (XEventClass *) (first + stuff->num_events);
--- 
-1.7.9.5
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
deleted file mode 100644
index 54ba481..0000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb at suse.com>
-Date: Wed, 24 May 2017 15:54:42 +0300
-Subject: [PATCH] Xi: Do not try to swap GenericEvent.
-
-The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
-it is assuming that the event has fixed size and gives the swapping function
-xEvent-sized buffer.
-
-A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
-
-Signed-off-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
-
-CVE: CVE-2017-10971
-
-Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455]
-
-Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
----
- Xi/sendexev.c |   10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 5e63bfc..5c2e0fc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
- 
-     eventP = (xEvent *) &stuff[1];
-     for (i = 0; i < stuff->num_events; i++, eventP++) {
-+        if (eventP->u.u.type == GenericEvent) {
-+            client->errorValue = eventP->u.u.type;
-+            return BadValue;
-+        }
-+
-         proc = EventSwapVector[eventP->u.u.type & 0177];
--        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
-+        /* no swapping proc; invalid event type? */
-+        if (proc == NotImplemented) {
-+            client->errorValue = eventP->u.u.type;
-             return BadValue;
-+        }
-         (*proc) (eventP, &eventT);
-         *eventP = eventT;
-     }
--- 
-1.7.9.5
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.5.bb
similarity index 81%
rename from meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
rename to meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.5.bb
index 65ef6c6..c953031 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.3.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.5.bb
@@ -5,12 +5,9 @@ SRC_URI += "file://musl-arm-inb-outb.patch \
             file://0002-configure.ac-Fix-wayland-scanner-and-protocols-locat.patch \
             file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \
             file://0003-Remove-check-for-useSIGIO-option.patch \
-            file://CVE-2017-10971-1.patch \
-            file://CVE-2017-10971-2.patch \
-            file://CVE-2017-10971-3.patch \
             "
-SRC_URI[md5sum] = "015d2fc4b9f2bfe7a626edb63a62c65e"
-SRC_URI[sha256sum] = "677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98"
+SRC_URI[md5sum] = "4ac6feeae6790436ce9de879ca9a3bf8"
+SRC_URI[sha256sum] = "18fffa8eb93d06d2800d06321fc0df4d357684d8d714315a66d8dfa7df251447"
 
 # These extensions are now integrated into the server, so declare the migration
 # path for in-place upgrades.
-- 
2.7.4




More information about the Openembedded-core mailing list