From 0354382a1e12912431a39f1970eed656b386dbe9 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 14 May 2025 15:00:35 +0000 Subject: [PATCH] import UBI libX11-1.8.10-1.el10 --- .gitignore | 2 +- .libX11.metadata | 1 - ...tion-after-freeing-display-structure.patch | 82 ++++ ...through-_XError-due-to-sequence-adju.patch | 166 ------- ...ut-of-bounds-memory-access-in-_XkbRe.patch | 58 --- ...tack-exhaustion-from-infinite-recurs.patch | 37 -- ...nteger-overflow-in-XCreateImage-lead.patch | 59 --- ...S-regression-in-XCopyColormapAndFree.patch | 64 --- ...1-Fix-an-integer-overflow-in-init_om.patch | 37 -- ...Fix-poll_for_response-race-condition.patch | 63 --- ...unds-checks-for-extension-request-ev.patch | 108 ----- ...-that-a-pointer-isn-t-NULL-before-us.patch | 40 -- ...mages-to-maximum-height-width-allowe.patch | 41 -- ...igger-BadValue-error-for-out-of-rang.patch | 47 -- SOURCES/CVE-2021-31535.patch | 411 ------------------ SPECS/libX11.spec | 278 ------------ ...de-0.patch => dont-forward-keycode-0.patch | 16 +- libX11.spec | 356 +++++++++++++++ sources | 1 + 19 files changed, 448 insertions(+), 1419 deletions(-) delete mode 100644 .libX11.metadata create mode 100644 0001-Close-xcb-connection-after-freeing-display-structure.patch delete mode 100644 SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch delete mode 100644 SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch delete mode 100644 SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch delete mode 100644 SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch delete mode 100644 SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch delete mode 100644 SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch delete mode 100644 SOURCES/0001-Fix-poll_for_response-race-condition.patch delete mode 100644 SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch delete mode 100644 SOURCES/0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch delete mode 100644 SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch delete mode 100644 SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch delete mode 100644 SOURCES/CVE-2021-31535.patch delete mode 100644 SPECS/libX11.spec rename SOURCES/dont-forward-keycode-0.patch => dont-forward-keycode-0.patch (83%) create mode 100644 libX11.spec create mode 100644 sources diff --git a/.gitignore b/.gitignore index 8264060..ad8a373 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libX11-1.6.8.tar.bz2 +libX11-1.8.10.tar.xz diff --git a/.libX11.metadata b/.libX11.metadata deleted file mode 100644 index ff15fb1..0000000 --- a/.libX11.metadata +++ /dev/null @@ -1 +0,0 @@ -f1ea96fe472a981d378b4f2eec90dcd063f9a407 SOURCES/libX11-1.6.8.tar.bz2 diff --git a/0001-Close-xcb-connection-after-freeing-display-structure.patch b/0001-Close-xcb-connection-after-freeing-display-structure.patch new file mode 100644 index 0000000..299e515 --- /dev/null +++ b/0001-Close-xcb-connection-after-freeing-display-structure.patch @@ -0,0 +1,82 @@ +From f3d6ebac35301d4ad068e307f0fbe6aa12ccbccb Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 9 Aug 2024 09:21:31 +0200 +Subject: [PATCH libX11] Close xcb connection after freeing display structure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 1472048b7 to fix a colormap threading issue added a display +lock/unlock and a call to SyncHandle() to _XcmsFreeClientCmaps(). + +When running synchronized, that means calling XSync(). + +_XcmsFreeClientCmaps() is called from _XFreeDisplayStructure() via +XCloseDisplay() after the xcb connection is closed. + +So when running synchronized, we may end up calling XSync() after the +xcb connection to the display is closed, which will generate a spurious +XIO error: + + | #0 in _XDefaultIOError () at /lib64/libX11.so.6 + | #1 in _XIOError () at /lib64/libX11.so.6 + | #2 in _XReply () at /lib64/libX11.so.6 + | #3 in XSync () at /lib64/libX11.so.6 + | #4 in _XSyncFunction () at /lib64/libX11.so.6 + | 8#5 in _XFreeDisplayStructure () at /lib64/libX11.so.6 + | 8#6 in XCloseDisplay () at /lib64/libX11.so.6 + +To avoid that issue, closed the xcb connection to the display last. + +v2: And same in OutOfMemory() as well (José Expósito) + +Signed-off-by: Olivier Fourdan +Reviewed-by: José Expósito +Part-of: +--- + src/ClDisplay.c | 4 +++- + src/OpenDis.c | 7 +++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/ClDisplay.c b/src/ClDisplay.c +index aa904e51..31d3a841 100644 +--- a/src/ClDisplay.c ++++ b/src/ClDisplay.c +@@ -47,6 +47,7 @@ XCloseDisplay ( + { + register _XExtension *ext; + register int i; ++ xcb_connection_t *connection; + + if (!(dpy->flags & XlibDisplayClosing)) + { +@@ -68,7 +69,8 @@ XCloseDisplay ( + if (X_DPY_GET_REQUEST(dpy) != X_DPY_GET_LAST_REQUEST_READ(dpy)) + XSync(dpy, 1); + } +- xcb_disconnect(dpy->xcb->connection); ++ connection = dpy->xcb->connection; + _XFreeDisplayStructure (dpy); ++ xcb_disconnect(connection); + return 0; + } +diff --git a/src/OpenDis.c b/src/OpenDis.c +index 89a0ebdf..6cc43ba3 100644 +--- a/src/OpenDis.c ++++ b/src/OpenDis.c +@@ -709,7 +709,10 @@ void _XFreeDisplayStructure(Display *dpy) + + static void OutOfMemory(Display *dpy) + { +- if(dpy->xcb->connection) +- xcb_disconnect(dpy->xcb->connection); ++ xcb_connection_t *connection = dpy->xcb->connection; ++ + _XFreeDisplayStructure (dpy); ++ ++ if(connection) ++ xcb_disconnect(connection); + } +-- +2.47.1 + diff --git a/SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch b/SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch deleted file mode 100644 index 7135626..0000000 --- a/SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch +++ /dev/null @@ -1,166 +0,0 @@ -From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001 -From: Keith Packard -Date: Sat, 7 Nov 2020 22:22:47 -0800 -Subject: [PATCH libX11] Avoid recursing through _XError due to sequence - adjustment - -This patch is based on research done by Dmitry Osipenko to uncover the -cause of a large class of Xlib lockups. - -_XError must unlock and re-lock the display around the call to the -user error handler function. When re-locking the display, two -functions are called to ensure that the display is ready to generate a request: - - _XIDHandler(dpy); - _XSeqSyncFunction(dpy); - -The first ensures that there is at least one XID available to use -(possibly calling _xcb_generate_id to do so). The second makes sure a -reply is received at least every 65535 requests to keep sequence -numbers in sync (possibly generating a GetInputFocus request and -synchronously awaiting the reply). - -If the second of these does generate a GetInputFocus request and wait -for the reply, then a pending error will cause recursion into _XError, -which deadlocks the display. - -One seemingly easy fix is to have _XError avoid those calls by -invoking InternalLockDisplay instead of LockDisplay. That function -does everything that LockDisplay does *except* call those final two -functions which may end up receiving an error. - -However, that doesn't protect the system from applications which call -some legal Xlib function from within their error handler. Any Xlib -function which cannot generate protocol or wait for events is valid, -including many which invoke LockDisplay. - -What we need to do is make LockDisplay skip these two function calls -precisely when it is called from within the _XError context for the -same display. - -This patch accomplishes this by creating a list of threads in the -display which are in _XError, and then having LockDisplay check the -current thread against those list elements. - -Inspired-by: Dmitry Osipenko -Signed-off-by: Keith Packard -Tested-by: Dmitry Osipenko -Reviewed-by: Dmitry Osipenko -(cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277) ---- - include/X11/Xlibint.h | 2 ++ - src/OpenDis.c | 1 + - src/XlibInt.c | 10 ++++++++++ - src/locking.c | 12 ++++++++++++ - src/locking.h | 12 ++++++++++++ - 5 files changed, 37 insertions(+) - -diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h -index 6b95bcf7..09078e3f 100644 ---- a/include/X11/Xlibint.h -+++ b/include/X11/Xlibint.h -@@ -202,6 +202,8 @@ struct _XDisplay - unsigned long last_request_read_upper32bit; - unsigned long request_upper32bit; - #endif -+ -+ struct _XErrorThreadInfo *error_threads; - }; - - #define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n) -diff --git a/src/OpenDis.c b/src/OpenDis.c -index 82723578..85901168 100644 ---- a/src/OpenDis.c -+++ b/src/OpenDis.c -@@ -201,6 +201,7 @@ XOpenDisplay ( - X_DPY_SET_LAST_REQUEST_READ(dpy, 0); - dpy->default_screen = iscreen; /* Value returned by ConnectDisplay */ - dpy->last_req = (char *)&_dummy_request; -+ dpy->error_threads = NULL; - - /* Initialize the display lock */ - if (InitDisplayLock(dpy) != 0) { -diff --git a/src/XlibInt.c b/src/XlibInt.c -index 4e45e62b..8771b791 100644 ---- a/src/XlibInt.c -+++ b/src/XlibInt.c -@@ -1482,6 +1482,11 @@ int _XError ( - if (_XErrorFunction != NULL) { - int rtn_val; - #ifdef XTHREADS -+ struct _XErrorThreadInfo thread_info = { -+ .error_thread = xthread_self(), -+ .next = dpy->error_threads -+ }, **prev; -+ dpy->error_threads = &thread_info; - if (dpy->lock) - (*dpy->lock->user_lock_display)(dpy); - UnlockDisplay(dpy); -@@ -1491,6 +1496,11 @@ int _XError ( - LockDisplay(dpy); - if (dpy->lock) - (*dpy->lock->user_unlock_display)(dpy); -+ -+ /* unlink thread_info from the list */ -+ for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next) -+ ; -+ *prev = thread_info.next; - #endif - return rtn_val; - } else { -diff --git a/src/locking.c b/src/locking.c -index 9f4fe067..bcadc857 100644 ---- a/src/locking.c -+++ b/src/locking.c -@@ -453,6 +453,9 @@ static void _XLockDisplay( - XTHREADS_FILE_LINE_ARGS - ) - { -+#ifdef XTHREADS -+ struct _XErrorThreadInfo *ti; -+#endif - #ifdef XTHREADS_WARN - _XLockDisplayWarn(dpy, file, line); - #else -@@ -460,6 +463,15 @@ static void _XLockDisplay( - #endif - if (dpy->lock->locking_level > 0) - _XDisplayLockWait(dpy); -+#ifdef XTHREADS -+ /* -+ * Skip the two function calls below which may generate requests -+ * when LockDisplay is called from within _XError. -+ */ -+ for (ti = dpy->error_threads; ti; ti = ti->next) -+ if (ti->error_thread == xthread_self()) -+ return; -+#endif - _XIDHandler(dpy); - _XSeqSyncFunction(dpy); - } -diff --git a/src/locking.h b/src/locking.h -index 5251a60c..59fc866e 100644 ---- a/src/locking.h -+++ b/src/locking.h -@@ -149,6 +149,18 @@ typedef struct _LockInfoRec { - xmutex_t lock; - } LockInfoRec; - -+/* A list of threads currently invoking error handlers on this display -+ * LockDisplay operates differently for these threads, avoiding -+ * generating any requests or reading any events as that can cause -+ * recursion into the error handling code, which will deadlock the -+ * thread. -+ */ -+struct _XErrorThreadInfo -+{ -+ struct _XErrorThreadInfo *next; -+ xthread_t error_thread; -+}; -+ - /* XOpenDis.c */ - extern int (*_XInitDisplayLock_fn)(Display *dpy); - extern void (*_XFreeDisplayLock_fn)(Display *dpy); --- -2.43.0 - diff --git a/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch b/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch deleted file mode 100644 index 6427fc2..0000000 --- a/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sun, 17 Sep 2023 14:19:40 -0700 -Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in - _XkbReadKeySyms() - -Make sure we allocate enough memory in the first place, and -also handle error returns from _XkbReadBufferCopyKeySyms() when -it detects out-of-bounds issues. - -Reported-by: Gregory James DUCK -Signed-off-by: Alan Coopersmith ---- - src/xkb/XKBGetMap.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c -index 2891d21e..31199e4a 100644 ---- a/src/xkb/XKBGetMap.c -+++ b/src/xkb/XKBGetMap.c -@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) - if (offset + newMap->nSyms >= map->size_syms) { - register int sz; - -- sz = map->size_syms + 128; -+ sz = offset + newMap->nSyms; -+ sz = ((sz + (unsigned) 128) / 128) * 128; - _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); - if (map->syms == NULL) { - map->size_syms = 0; -@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) - map->size_syms = sz; - } - if (newMap->nSyms > 0) { -- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], -- newMap->nSyms); -+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], -+ newMap->nSyms) == 0) -+ return BadLength; - offset += newMap->nSyms; - } - else { -@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) - newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); - if (newSyms == NULL) - return BadAlloc; -- if (newMap->nSyms > 0) -- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); -+ if (newMap->nSyms > 0) { -+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0) -+ return BadLength; -+ } - else - newSyms[0] = NoSymbol; - oldMap->kt_index[0] = newMap->ktIndex[0]; --- -2.41.0 - diff --git a/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch b/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch deleted file mode 100644 index 8f6a446..0000000 --- a/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Thu, 7 Sep 2023 15:54:30 -0700 -Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion - in PutSubImage() - -When splitting a single line of pixels into chunks to send to the -X server, be sure to take into account the number of bits per pixel, -so we don't just loop forever trying to send more pixels than fit in -the given request size and not breaking them down into a small enough -chunk to fix. - -Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 -Signed-off-by: Alan Coopersmith ---- - src/PutImage.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/PutImage.c b/src/PutImage.c -index 857ee916..a6db7b42 100644 ---- a/src/PutImage.c -+++ b/src/PutImage.c -@@ -914,8 +914,9 @@ PutSubImage ( - req_width, req_height - SubImageHeight, - dest_bits_per_pixel, dest_scanline_pad); - } else { -- int SubImageWidth = (((Available << 3) / dest_scanline_pad) -- * dest_scanline_pad) - left_pad; -+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad) -+ * dest_scanline_pad) - left_pad) -+ / dest_bits_per_pixel; - - PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, - (unsigned int) SubImageWidth, 1, --- -2.41.0 - diff --git a/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch b/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch deleted file mode 100644 index 3468d6e..0000000 --- a/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001 -From: Yair Mizrahi -Date: Thu, 7 Sep 2023 16:15:32 -0700 -Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to - a heap overflow - -When the format is `Pixmap` it calculates the size of the image data as: - ROUNDUP((bits_per_pixel * width), image->bitmap_pad); -There is no validation on the `width` of the image, and so this -calculation exceeds the capacity of a 4-byte integer, causing an overflow. - -Signed-off-by: Alan Coopersmith ---- - src/ImUtil.c | 20 +++++++++++++++----- - 1 file changed, 15 insertions(+), 5 deletions(-) - -diff --git a/src/ImUtil.c b/src/ImUtil.c -index 36f08a03..fbfad33e 100644 ---- a/src/ImUtil.c -+++ b/src/ImUtil.c -@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. - #include - #include - #include -+#include - #include "ImUtil.h" - - static int _XDestroyImage(XImage *); -@@ -361,13 +362,22 @@ XImage *XCreateImage ( - /* - * compute per line accelerator. - */ -- { -- if (format == ZPixmap) -+ if (format == ZPixmap) { -+ if ((INT_MAX / bits_per_pixel) < width) { -+ Xfree(image); -+ return NULL; -+ } -+ - min_bytes_per_line = -- ROUNDUP((bits_per_pixel * width), image->bitmap_pad); -- else -+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad); -+ } else { -+ if ((INT_MAX - offset) < width) { -+ Xfree(image); -+ return NULL; -+ } -+ - min_bytes_per_line = -- ROUNDUP((width + offset), image->bitmap_pad); -+ ROUNDUP((width + offset), image->bitmap_pad); - } - if (image_bytes_per_line == 0) { - image->bytes_per_line = min_bytes_per_line; --- -2.41.0 - diff --git a/SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch b/SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch deleted file mode 100644 index fd4e5aa..0000000 --- a/SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch +++ /dev/null @@ -1,64 +0,0 @@ -From a515545065ce6e1924de4bc50aaae7ec9b48cfad Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Wed, 11 Dec 2019 11:53:11 -0500 -Subject: [PATCH libX11] Fix XTS regression in XCopyColormapAndFree -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -XCopyColormapAndFree/5 threw an assertion: - - 520|4 5 00014017 1 2|Assertion XCopyColormapAndFree-5.(A) - 520|4 5 00014017 1 3|When a colourmap argument does not name a valid colourmap, - 520|4 5 00014017 1 4|then a BadColor error occurs. - 520|4 5 00014017 1 5|METH: Create a bad colourmap by creating and freeing a colourmap. - 520|4 5 00014017 1 6|METH: Call test function using bad colourmap as the colourmap argument. - 520|4 5 00014017 1 7|METH: Verify that a BadColor error occurs. - 520|4 5 00014017 1 8|unexpected signal 6 (SIGABRT) received - 220|4 5 2 15:05:53|UNRESOLVED - 410|4 5 1 15:05:53|IC End - 510|4|system 0: Abandoning testset: caught unexpected signal 11 (SIGSEGV) - -More specifically: - - lt-XCopyColormapAndFree: xcb_io.c:533: _XAllocID: Assertion `ret != inval_id' failed. - -This bug was introduced (by following my advice, d'oh) in: - - commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d - Author: Tapani Pälli - Date: Mon May 13 08:29:49 2019 +0300 - - Protect colormap add/removal with display lock - -In that patch we moved the call to _XcmsCopyCmapRecAndFree inside the -display lock. The problem is said routine has side effects, including -trying to implicitly create a colormap in some cases. Since we don't run -the XID handler until SyncHandle() we would see inconsistent internal -xlib state, triggering the above assert. - -Fix this by dropping and re-taking the display lock before calling into -XCMS. ---- - src/CopyCmap.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/CopyCmap.c b/src/CopyCmap.c -index b4954b01..b37aba73 100644 ---- a/src/CopyCmap.c -+++ b/src/CopyCmap.c -@@ -53,6 +53,11 @@ Colormap XCopyColormapAndFree( - mid = req->mid = XAllocID(dpy); - req->srcCmap = src_cmap; - -+ /* re-lock the display to keep XID handling in sync */ -+ UnlockDisplay(dpy); -+ SyncHandle(); -+ LockDisplay(dpy); -+ - #if XCMS - _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid); - #endif --- -2.23.0 - diff --git a/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch b/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch deleted file mode 100644 index cdb3de4..0000000 --- a/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Thu, 13 Aug 2020 18:02:58 +0200 -Subject: [PATCH] Fix an integer overflow in init_om() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2020-14363 - -This can lead to a double free later, as reported by Jayden Rivers. - -Signed-off-by: Matthieu Herrb - -(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d) -Signed-off-by: Michel Dänzer ---- - modules/om/generic/omGeneric.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c -index 22f826ec..bcfb9ab8 100644 ---- a/modules/om/generic/omGeneric.c -+++ b/modules/om/generic/omGeneric.c -@@ -1908,7 +1908,8 @@ init_om( - char **required_list; - XOrientation *orientation; - char **value, buf[BUFSIZ], *bufptr; -- int count = 0, num = 0, length = 0; -+ int count = 0, num = 0; -+ unsigned int length = 0; - - _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count); - if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0) --- -2.28.0 - diff --git a/SOURCES/0001-Fix-poll_for_response-race-condition.patch b/SOURCES/0001-Fix-poll_for_response-race-condition.patch deleted file mode 100644 index 77b4d26..0000000 --- a/SOURCES/0001-Fix-poll_for_response-race-condition.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Wed, 29 Jan 2020 09:06:54 +0000 -Subject: [PATCH libX11] Fix poll_for_response race condition - -In poll_for_response is it possible that event replies are skipped -and a more up to date message reply is returned. -This will cause next poll_for_event call to fail aborting the program. - -This was proved using some slow ssh tunnel or using some program -to slow down server replies (I used a combination of xtrace and strace). - -How the race happens: -- program enters into poll_for_response; -- poll_for_event is called but the server didn't still send the reply; -- pending_requests is not NULL because we send a request (see call - to append_pending_request in _XSend); -- xcb_poll_for_reply64 is called from poll_for_response; -- xcb_poll_for_reply64 will read from server, at this point - server reply with an event (say sequence N) and the reply to our - last request (say sequence N+1); -- xcb_poll_for_reply64 returns the reply for the request we asked; -- last_request_read is set to N+1 sequence in poll_for_response; -- poll_for_response returns the response to the request; -- poll_for_event is called (for instance from another poll_for_response); -- event with sequence N is retrieved; -- the N sequence is widen, however, as the "new" number computed from - last_request_read is less than N the number is widened to N + 2^32 - (assuming last_request_read is still contained in 32 bit); -- poll_for_event enters the nested if statement as req is NULL; -- we compare the widen N (which now does not fit into 32 bit) with - request (which fits into 32 bit) hitting the throw_thread_fail_assert. - -I propose to change the widen to not go too far from the wide number -instead of supposing the result is always bigger than the wide number -passed. - -Signed-off-by: Frediano Ziglio ---- - src/xcb_io.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/src/xcb_io.c b/src/xcb_io.c -index 6a12d150..2aacbda3 100644 ---- a/src/xcb_io.c -+++ b/src/xcb_io.c -@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply) - } - - /* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number. -- * Treating the comparison as a 1 and shifting it avoids a conditional branch. - */ - static void widen(uint64_t *wide, unsigned int narrow) - { -- uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow; -- *wide = new + (((uint64_t)(new < *wide)) << 32); -+ *wide += (int32_t) (narrow - *wide); - } - - /* Thread-safety rules: --- -2.23.0 - diff --git a/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch b/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch deleted file mode 100644 index 014bdc0..0000000 --- a/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 10 Jun 2023 16:30:07 -0700 -Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request, - event, & error codes - -Fixes CVE-2023-3138: X servers could return values from XQueryExtension -that would cause Xlib to write entries out-of-bounds of the arrays to -store them, though this would only overwrite other parts of the Display -struct, not outside the bounds allocated for that structure. - -Reported-by: Gregory James DUCK -Signed-off-by: Alan Coopersmith ---- - src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 42 insertions(+) - -diff --git a/src/InitExt.c b/src/InitExt.c -index 4de46f15..afc00a6b 100644 ---- a/src/InitExt.c -+++ b/src/InitExt.c -@@ -33,6 +33,18 @@ from The Open Group. - #include - #include - -+/* The X11 protocol spec reserves events 64 through 127 for extensions */ -+#ifndef LastExtensionEvent -+#define LastExtensionEvent 127 -+#endif -+ -+/* The X11 protocol spec reserves requests 128 through 255 for extensions */ -+#ifndef LastExtensionRequest -+#define FirstExtensionRequest 128 -+#define LastExtensionRequest 255 -+#endif -+ -+ - /* - * This routine is used to link a extension in so it will be called - * at appropriate times. -@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent( - WireToEventType proc) /* routine to call when converting event */ - { - register WireToEventType oldproc; -+ if (event_number < 0 || -+ event_number > LastExtensionEvent) { -+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", -+ event_number); -+ return (WireToEventType)_XUnknownWireEvent; -+ } - if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; - LockDisplay (dpy); - oldproc = dpy->event_vec[event_number]; -@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie( - ) - { - WireToEventCookieType oldproc; -+ if (extension < FirstExtensionRequest || -+ extension > LastExtensionRequest) { -+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", -+ extension); -+ return (WireToEventCookieType)_XUnknownWireEventCookie; -+ } - if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; - LockDisplay (dpy); - oldproc = dpy->generic_event_vec[extension & 0x7F]; -@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie( - ) - { - CopyEventCookieType oldproc; -+ if (extension < FirstExtensionRequest || -+ extension > LastExtensionRequest) { -+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", -+ extension); -+ return (CopyEventCookieType)_XUnknownCopyEventCookie; -+ } - if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; - LockDisplay (dpy); - oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; -@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire( - EventToWireType proc) /* routine to call when converting event */ - { - register EventToWireType oldproc; -+ if (event_number < 0 || -+ event_number > LastExtensionEvent) { -+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", -+ event_number); -+ return (EventToWireType)_XUnknownNativeEvent; -+ } - if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; - LockDisplay (dpy); - oldproc = dpy->wire_vec[event_number]; -@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError( - WireToErrorType proc) /* routine to call when converting error */ - { - register WireToErrorType oldproc = NULL; -+ if (error_number < 0 || -+ error_number > LastExtensionError) { -+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", -+ error_number); -+ return (WireToErrorType)_XDefaultWireError; -+ } - if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; - LockDisplay (dpy); - if (!dpy->error_vec) { --- -2.41.0 - diff --git a/SOURCES/0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch b/SOURCES/0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch deleted file mode 100644 index d8c9fd7..0000000 --- a/SOURCES/0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 623b77d4f30b47258a40f89262e5aa5d25e95fa7 Mon Sep 17 00:00:00 2001 -From: Benno Schulenberg -Date: Mon, 14 Feb 2022 11:33:25 +0100 -Subject: [PATCH] imDefLkup: verify that a pointer isn't NULL before using it - -It is possible for _XimICOfXICID() to return NULL, so it is necessary -to check this isn't actually the case before dereferencing the pointer. -All other callers of _XimICOfXICID() do this check too. - -(The check itself is ugly, but it follows the style of the code in the -rest of the module.) - -Fixes issue #45. - -Reported-by: Bhavi Dhingra - -Original-patch-by: Bhavi Dhingra - -Signed-off-by: Benno Schulenberg ---- - modules/im/ximcp/imDefLkup.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c -index dea7f66d..dd1adf53 100644 ---- a/modules/im/ximcp/imDefLkup.c -+++ b/modules/im/ximcp/imDefLkup.c -@@ -88,7 +88,8 @@ _XimSetEventMaskCallback( - - if (imid == im->private.proto.imid) { - if (icid) { -- ic = _XimICOfXICID(im, icid); -+ if (!(ic = _XimICOfXICID(im, icid))) -+ return False; - _XimProcICSetEventMask(ic, (XPointer)&buf_s[2]); - } else { - _XimProcIMSetEventMask(im, (XPointer)&buf_s[2]); --- -2.46.0 - diff --git a/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch b/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch deleted file mode 100644 index 27b5912..0000000 --- a/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Thu, 7 Sep 2023 15:55:04 -0700 -Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed - by protocol - -The PutImage request specifies height & width of the image as CARD16 -(unsigned 16-bit integer), same as the maximum dimensions of an X11 -Drawable, which the image is being copied to. - -Signed-off-by: Alan Coopersmith ---- - src/PutImage.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/PutImage.c b/src/PutImage.c -index a6db7b42..ba411e36 100644 ---- a/src/PutImage.c -+++ b/src/PutImage.c -@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. - #include "Xlibint.h" - #include "Xutil.h" - #include -+#include - #include "Cr.h" - #include "ImUtil.h" - #include "reallocarray.h" -@@ -962,6 +963,10 @@ XPutImage ( - height = image->height - req_yoffset; - if ((width <= 0) || (height <= 0)) - return 0; -+ if (width > USHRT_MAX) -+ width = USHRT_MAX; -+ if (height > USHRT_MAX) -+ height = USHRT_MAX; - - if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) { - dest_bits_per_pixel = 1; --- -2.41.0 - diff --git a/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch b/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch deleted file mode 100644 index 0900498..0000000 --- a/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch +++ /dev/null @@ -1,47 +0,0 @@ -From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Thu, 7 Sep 2023 16:12:27 -0700 -Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range - dimensions - -The CreatePixmap request specifies height & width of the image as CARD16 -(unsigned 16-bit integer), so if either is larger than that, set it to 0 -so the X server returns a BadValue error as the protocol requires. - -Signed-off-by: Alan Coopersmith ---- - src/CrPixmap.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/src/CrPixmap.c b/src/CrPixmap.c -index cdf31207..3cb2ca6d 100644 ---- a/src/CrPixmap.c -+++ b/src/CrPixmap.c -@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. - #include - #endif - #include "Xlibint.h" -+#include - - #ifdef USE_DYNAMIC_XCURSOR - void -@@ -47,6 +48,16 @@ Pixmap XCreatePixmap ( - Pixmap pid; - register xCreatePixmapReq *req; - -+ /* -+ * Force a BadValue X Error if the requested dimensions are larger -+ * than the X11 protocol has room for, since that's how callers expect -+ * to get notified of errors. -+ */ -+ if (width > USHRT_MAX) -+ width = 0; -+ if (height > USHRT_MAX) -+ height = 0; -+ - LockDisplay(dpy); - GetReq(CreatePixmap, req); - req->drawable = d; --- -2.41.0 - diff --git a/SOURCES/CVE-2021-31535.patch b/SOURCES/CVE-2021-31535.patch deleted file mode 100644 index aa60662..0000000 --- a/SOURCES/CVE-2021-31535.patch +++ /dev/null @@ -1,411 +0,0 @@ -From 2714e4478c1262c94de6295cce605c14572968d3 Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Fri, 19 Feb 2021 15:30:39 +0100 -Subject: [PATCH libX11] Reject string longer than USHRT_MAX before sending - them on the wire - -The X protocol uses CARD16 values to represent the length so -this would overflow. - -CVE-2021-31535 - -Signed-off-by: Matthieu Herrb - -[mustard: backported 10 1.6.8 by merging the warning fixes from -upstream commimt 84427130 first - ajax] ---- - src/Font.c | 10 ++++++---- - src/FontInfo.c | 5 ++++- - src/FontNames.c | 5 ++++- - src/GetColor.c | 6 +++++- - src/LoadFont.c | 6 +++++- - src/LookupCol.c | 6 ++++-- - src/ParseCol.c | 7 +++++-- - src/QuExt.c | 7 ++++++- - src/SetFPath.c | 12 +++++++++--- - src/SetHints.c | 9 ++++++++- - src/StNColor.c | 5 ++++- - src/StName.c | 11 ++++++++--- - 12 files changed, 68 insertions(+), 21 deletions(-) - -diff --git a/src/Font.c b/src/Font.c -index 09d2ae91..1cd89cca 100644 ---- a/src/Font.c -+++ b/src/Font.c -@@ -102,12 +102,14 @@ XFontStruct *XLoadQueryFont( - XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy); - #endif - -+ if (strlen(name) >= USHRT_MAX) -+ return NULL; - if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0)) - return font_result; - LockDisplay(dpy); - GetReq(OpenFont, req); - seq = dpy->request; /* Can't use extended sequence number here */ -- nbytes = req->nbytes = name ? strlen(name) : 0; -+ nbytes = req->nbytes = (CARD16) (name ? strlen(name) : 0); - req->fid = fid = XAllocID(dpy); - req->length += (nbytes+3)>>2; - Data (dpy, name, nbytes); -@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont( - - if (!name) - return 0; -- l = strlen(name); -- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-') -+ l = (int) strlen(name); -+ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX) - return 0; - charset = NULL; - /* next three lines stolen from _XkbGetCharset() */ -@@ -679,7 +681,7 @@ int _XF86LoadQueryLocaleFont( - return 0; - if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset)) - return 0; -- if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1) -+ if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1) - return 0; - strcpy(buf, name); - strcpy(buf + l - 1, p + 1); -diff --git a/src/FontInfo.c b/src/FontInfo.c -index f870e431..6644b3fa 100644 ---- a/src/FontInfo.c -+++ b/src/FontInfo.c -@@ -58,10 +58,13 @@ XFontStruct **info) /* RETURN */ - register xListFontsReq *req; - int j; - -+ if (strlen(pattern) >= USHRT_MAX) -+ return NULL; -+ - LockDisplay(dpy); - GetReq(ListFontsWithInfo, req); - req->maxNames = maxNames; -- nbytes = req->nbytes = pattern ? strlen (pattern) : 0; -+ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0; - req->length += (nbytes + 3) >> 2; - _XSend (dpy, pattern, nbytes); - /* use _XSend instead of Data, since subsequent _XReply will flush buffer */ -diff --git a/src/FontNames.c b/src/FontNames.c -index b78792d6..458d80c9 100644 ---- a/src/FontNames.c -+++ b/src/FontNames.c -@@ -51,10 +51,13 @@ int *actualCount) /* RETURN */ - register xListFontsReq *req; - unsigned long rlen = 0; - -+ if (strlen(pattern) >= USHRT_MAX) -+ return NULL; -+ - LockDisplay(dpy); - GetReq(ListFonts, req); - req->maxNames = maxNames; -- nbytes = req->nbytes = pattern ? strlen (pattern) : 0; -+ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0; - req->length += (nbytes + 3) >> 2; - _XSend (dpy, pattern, nbytes); - /* use _XSend instead of Data, since following _XReply will flush buffer */ -diff --git a/src/GetColor.c b/src/GetColor.c -index cd0eb9f6..c8178067 100644 ---- a/src/GetColor.c -+++ b/src/GetColor.c -@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include - #include - #include "Xlibint.h" - #include "Xcmsint.h" -@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */ - XcmsColor cmsColor_exact; - Status ret; - -+ if (strlen(colorname) >= USHRT_MAX) -+ return (0); -+ - #ifdef XCMS - /* - * Let's Attempt to use Xcms and i18n approach to Parse Color -@@ -83,7 +87,7 @@ XColor *exact_def) /* RETURN */ - GetReq(AllocNamedColor, req); - - req->cmap = cmap; -- nbytes = req->nbytes = strlen(colorname); -+ nbytes = req->nbytes = (CARD16) strlen(colorname); - req->length += (nbytes + 3) >> 2; /* round up to mult of 4 */ - - _XSend(dpy, colorname, nbytes); -diff --git a/src/LoadFont.c b/src/LoadFont.c -index f547976b..3996436f 100644 ---- a/src/LoadFont.c -+++ b/src/LoadFont.c -@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include - #include "Xlibint.h" - - Font -@@ -38,12 +39,15 @@ XLoadFont ( - Font fid; - register xOpenFontReq *req; - -+ if (strlen(name) >= USHRT_MAX) -+ return (0); -+ - if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid)) - return fid; - - LockDisplay(dpy); - GetReq(OpenFont, req); -- nbytes = req->nbytes = name ? strlen(name) : 0; -+ nbytes = req->nbytes = name ? (CARD16) strlen(name) : 0; - req->fid = fid = XAllocID(dpy); - req->length += (nbytes+3)>>2; - Data (dpy, name, nbytes); -diff --git a/src/LookupCol.c b/src/LookupCol.c -index f7f969f5..cd9b1368 100644 ---- a/src/LookupCol.c -+++ b/src/LookupCol.c -@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include - #include - #include "Xlibint.h" - #include "Xcmsint.h" -@@ -46,6 +47,9 @@ XLookupColor ( - XcmsCCC ccc; - XcmsColor cmsColor_exact; - -+ n = (int) strlen (spec); -+ if (n >= USHRT_MAX) -+ return 0; - #ifdef XCMS - /* - * Let's Attempt to use Xcms and i18n approach to Parse Color -@@ -77,8 +81,6 @@ XLookupColor ( - * Xcms and i18n methods failed, so lets pass it to the server - * for parsing. - */ -- -- n = strlen (spec); - LockDisplay(dpy); - GetReq (LookupColor, req); - req->cmap = cmap; -diff --git a/src/ParseCol.c b/src/ParseCol.c -index e997b1b8..7a84a17b 100644 ---- a/src/ParseCol.c -+++ b/src/ParseCol.c -@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include - #include - #include "Xlibint.h" - #include "Xcmsint.h" -@@ -46,7 +47,9 @@ XParseColor ( - XcmsColor cmsColor; - - if (!spec) return(0); -- n = strlen (spec); -+ n = (int) strlen (spec); -+ if (n >= USHRT_MAX) -+ return(0); - if (*spec == '#') { - /* - * RGB -@@ -119,7 +122,7 @@ XParseColor ( - LockDisplay(dpy); - GetReq (LookupColor, req); - req->cmap = cmap; -- req->nbytes = n = strlen(spec); -+ req->nbytes = (CARD16) (n = (int) strlen(spec)); - req->length += (n + 3) >> 2; - Data (dpy, spec, (long)n); - if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) { -diff --git a/src/QuExt.c b/src/QuExt.c -index 4e230e77..4cb99fcf 100644 ---- a/src/QuExt.c -+++ b/src/QuExt.c -@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include -+#include - #include "Xlibint.h" - - Bool -@@ -40,9 +42,12 @@ XQueryExtension( - xQueryExtensionReply rep; - register xQueryExtensionReq *req; - -+ if (strlen(name) >= USHRT_MAX) -+ return false; -+ - LockDisplay(dpy); - GetReq(QueryExtension, req); -- req->nbytes = name ? strlen(name) : 0; -+ req->nbytes = name ? (CARD16) strlen(name) : 0; - req->length += (req->nbytes+(unsigned)3)>>2; - _XSend(dpy, name, (long)req->nbytes); - (void) _XReply (dpy, (xReply *)&rep, 0, xTrue); -diff --git a/src/SetFPath.c b/src/SetFPath.c -index 60aaef01..13fce49e 100644 ---- a/src/SetFPath.c -+++ b/src/SetFPath.c -@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group. - - #ifdef HAVE_CONFIG_H - #include -+#include - #endif - #include "Xlibint.h" - -@@ -48,7 +49,12 @@ XSetFontPath ( - GetReq (SetFontPath, req); - req->nFonts = ndirs; - for (i = 0; i < ndirs; i++) { -- n += safestrlen (directories[i]) + 1; -+ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1)); -+ if (n >= USHRT_MAX) { -+ UnlockDisplay(dpy); -+ SyncHandle(); -+ return 0; -+ } - } - nbytes = (n + 3) & ~3; - req->length += nbytes >> 2; -@@ -59,9 +65,9 @@ XSetFontPath ( - char *tmp = p; - - for (i = 0; i < ndirs; i++) { -- register int length = safestrlen (directories[i]); -+ register int length = (int) safestrlen (directories[i]); - *p = length; -- memcpy (p + 1, directories[i], length); -+ memcpy (p + 1, directories[i], (size_t)length); - p += length + 1; - } - Data (dpy, tmp, nbytes); -diff --git a/src/SetHints.c b/src/SetHints.c -index bc46498a..61cb0684 100644 ---- a/src/SetHints.c -+++ b/src/SetHints.c -@@ -49,6 +49,7 @@ SOFTWARE. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include - #include - #include - #include "Xatomtype.h" -@@ -214,6 +215,8 @@ XSetCommand ( - register char *buf, *bp; - for (i = 0, nbytes = 0; i < argc; i++) { - nbytes += safestrlen(argv[i]) + 1; -+ if (nbytes >= USHRT_MAX) -+ return 1; - } - if ((bp = buf = Xmalloc(nbytes))) { - /* copy arguments into single buffer */ -@@ -256,11 +259,13 @@ XSetStandardProperties ( - - if (name != NULL) XStoreName (dpy, w, name); - -+ if (safestrlen(icon_string) >= USHRT_MAX) -+ return 1; - if (icon_string != NULL) { - XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, - PropModeReplace, - (_Xconst unsigned char *)icon_string, -- safestrlen(icon_string)); -+ (int)safestrlen(icon_string)); - } - - if (icon_pixmap != None) { -@@ -298,6 +303,8 @@ XSetClassHint( - - len_nm = safestrlen(classhint->res_name); - len_cl = safestrlen(classhint->res_class); -+ if (len_nm + len_cl >= USHRT_MAX) -+ return 1; - if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) { - if (len_nm) { - strcpy(s, classhint->res_name); -diff --git a/src/StNColor.c b/src/StNColor.c -index 8b821c3e..16dc9cbc 100644 ---- a/src/StNColor.c -+++ b/src/StNColor.c -@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include - #include - #include "Xlibint.h" - #include "Xcmsint.h" -@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */ - XcmsColor cmsColor_exact; - XColor scr_def; - -+ if (strlen(name) >= USHRT_MAX) -+ return 0; - #ifdef XCMS - /* - * Let's Attempt to use Xcms approach to Parse Color -@@ -76,7 +79,7 @@ int flags) /* DoRed, DoGreen, DoBlue */ - req->cmap = cmap; - req->flags = flags; - req->pixel = pixel; -- req->nbytes = nbytes = strlen(name); -+ req->nbytes = (CARD16) (nbytes = (unsigned) strlen(name)); - req->length += (nbytes + 3) >> 2; /* round up to multiple of 4 */ - Data(dpy, name, (long)nbytes); - UnlockDisplay(dpy); -diff --git a/src/StName.c b/src/StName.c -index b4048bff..04bb3aa6 100644 ---- a/src/StName.c -+++ b/src/StName.c -@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. - #ifdef HAVE_CONFIG_H - #include - #endif -+#include - #include - #include - -@@ -36,9 +37,11 @@ XStoreName ( - Window w, - _Xconst char *name) - { -- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, -+ if (strlen(name) >= USHRT_MAX) -+ return 0; -+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */ - 8, PropModeReplace, (_Xconst unsigned char *)name, -- name ? strlen(name) : 0); -+ name ? (int) strlen(name) : 0); - } - - int -@@ -47,7 +50,9 @@ XSetIconName ( - Window w, - _Xconst char *icon_name) - { -+ if (strlen(icon_name) >= USHRT_MAX) -+ return 0; - return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, - PropModeReplace, (_Xconst unsigned char *)icon_name, -- icon_name ? strlen(icon_name) : 0); -+ icon_name ? (int) strlen(icon_name) : 0); - } --- -2.30.1 - diff --git a/SPECS/libX11.spec b/SPECS/libX11.spec deleted file mode 100644 index cb48da4..0000000 --- a/SPECS/libX11.spec +++ /dev/null @@ -1,278 +0,0 @@ -%global tarball libX11 -#global gitdate 20130524 -%global gitversion a3bdd2b09 - -Summary: Core X11 protocol client library -Name: libX11 -Version: 1.6.8 -Release: 9%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} -License: MIT -Group: System Environment/Libraries -URL: http://www.x.org - -%if 0%{?gitdate} -Source0: %{tarball}-%{gitdate}.tar.bz2 -Source1: make-git-snapshot.sh -Source2: commitid -%else -Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2 -%endif - -Patch2: dont-forward-keycode-0.patch -Patch3: 0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch -Patch4: 0001-Fix-poll_for_response-race-condition.patch - -# CVE-2020-14363 -Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch -Patch6: CVE-2021-31535.patch -# CVE-2023-3138 -Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch - -# CVE-2023-43785 -Patch8: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch - -# CVE-2023-43786 -Patch9: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch -Patch10: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch -Patch11: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch - -# CVE-2023-43787 -Patch12: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch - -# RHEL-23452 -Patch13: 0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch - -# https://issues.redhat.com/browse/RHEL-58444 -Patch14: 0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch - -BuildRequires: xorg-x11-util-macros >= 1.11 -BuildRequires: pkgconfig(xproto) >= 7.0.15 -BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4 -BuildRequires: libxcb-devel >= 1.2 -BuildRequires: pkgconfig(xau) pkgconfig(xdmcp) -BuildRequires: perl(Pod::Usage) - -Requires: %{name}-common >= %{version}-%{release} - -%description -Core X11 protocol client library. - -%package common -Summary: Common data for libX11 -Group: System Environment/Libraries -BuildArch: noarch - -%description common -libX11 common data - -%package devel -Summary: Development files for %{name} -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} -Requires: %{name}-xcb = %{version}-%{release} - -%description devel -X.Org X11 libX11 development package - -%package xcb -Summary: XCB interop for libX11 -Group: System Environment/Libraries -Conflicts: %{name} < %{version}-%{release} - -%description xcb -libX11/libxcb interoperability library - -%prep -%setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} -%patch2 -p1 -b .dont-forward-keycode-0 -%patch3 -p1 -b .copycolormapandfree -%patch4 -p1 -b .race -%patch5 -p1 -b .fix-an-integer-overflow-in-init_om -%patch6 -p1 -b .cve-2021-31535 -%patch7 -p1 -b .cve-2023-3138 -%patch8 -p1 -b .cve-2023-43785 -%patch9 -p1 -b .cve-2023-43786 -%patch10 -p1 -b .xputimage-clip-images-to-maximum-height-width-allowe -%patch11 -p1 -b .xcreatepixmap-trigger-badvalue-error-for-out-of-rang -%patch12 -p1 -b .cve-2023-43787 -%patch13 -p1 -b .rhel-23452 -%patch14 -p1 -b .rhel-58444 - -%build -autoreconf -v --install --force -%configure --disable-silent-rules --disable-static - -make %{?_smp_mflags} - -%install -make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" - -# create/own compose cache dir -mkdir -p $RPM_BUILD_ROOT/var/cache/libX11/compose - -# We intentionally don't ship *.la files -find $RPM_BUILD_ROOT -type f -name '*.la' -delete - -# FIXME: Don't install Xcms.txt - find out why upstream still ships this. -find $RPM_BUILD_ROOT -name 'Xcms.txt' -delete - -# FIXME package these properly -rm -rf $RPM_BUILD_ROOT%{_docdir} - -%check -make %{?_smp_mflags} check - -%ldconfig_post -%ldconfig_postun - -%files -%{_libdir}/libX11.so.6 -%{_libdir}/libX11.so.6.3.0 - -%files xcb -%{_libdir}/libX11-xcb.so.1 -%{_libdir}/libX11-xcb.so.1.0.0 - -%files common -%doc AUTHORS COPYING README.md NEWS -%{_datadir}/X11/locale/ -%{_datadir}/X11/XErrorDB -%dir /var/cache/libX11 -%dir /var/cache/libX11/compose - -%files devel -%{_includedir}/X11/ImUtil.h -%{_includedir}/X11/XKBlib.h -%{_includedir}/X11/Xcms.h -%{_includedir}/X11/Xlib.h -%{_includedir}/X11/XlibConf.h -%{_includedir}/X11/Xlibint.h -%{_includedir}/X11/Xlib-xcb.h -%{_includedir}/X11/Xlocale.h -%{_includedir}/X11/Xregion.h -%{_includedir}/X11/Xresource.h -%{_includedir}/X11/Xutil.h -%{_includedir}/X11/cursorfont.h -%{_libdir}/libX11.so -%{_libdir}/libX11-xcb.so -%{_libdir}/pkgconfig/x11.pc -%{_libdir}/pkgconfig/x11-xcb.pc -%{_mandir}/man3/*.3* -%{_mandir}/man5/*.5* - -%changelog -* Fri Sep 13 2024 José Expósito - 1.6.8-9 -- Backport NULL check to avoid a crash - Resolves: https://issues.redhat.com/browse/RHEL-58444 - -* Tue Jan 30 2024 Olivier Fourdan - 1.6.8-8 -- Backport fix for Xlib lockups due to recursive XError (RHEL-23452) - -* Wed Oct 11 2023 José Expósito - 1.6.8-7 -- Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms() -- Fix CVE-2023-43786: stack exhaustion from infinite recursion in - PutSubImage() -- Fix CVE-2023-43787: integer overflow in XCreateImage() leading to - a heap overflow - -* Wed Jul 05 2023 Olivier Fourdan - 1.6.8-6 -- CVE fix for: CVE-2023-3138 - Resolve: rhbz#2213762 - -* Thu Aug 12 2021 Adam Jackson - 1.6.8-5 -- Fix CVE-2021-31535 (#1962439) - -* Tue Nov 3 2020 Michel Dänzer - 1.6.8-4 -- Fix CVE-2020-14363 (#1873923) - -* Mon Feb 24 2020 Adam Jackson - 1.6.8-3 -- Fix race condition in poll_for_reponse - -* Fri Dec 13 2019 Adam Jackson - 1.6.8-2 -- Fix assertion on error in XCopyColormapAndFree - -* Tue Nov 19 2019 Adam Jackson - 1.6.8-1 -- libX11 1.6.8 - -* Tue Oct 09 2018 Adam Jackson - 1.6.7-1 -- libX11 1.6.7 - -* Tue Aug 21 2018 Adam Jackson - 1.6.6-1 -- libX11 1.6.6 - -* Fri Jul 13 2018 Fedora Release Engineering - 1.6.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Fri Jun 29 2018 Adam Jackson - 1.6.5-8 -- Use ldconfig scriptlet macros - -* Fri Mar 23 2018 Peter Hutterer 1.6.5-7 -- Fix FTBS caused by fake size in the XimCacheStruct (#1556616) - -* Wed Feb 07 2018 Fedora Release Engineering - 1.6.5-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Tue Oct 17 2017 Peter Hutterer 1.6.5-5 -- run make check as part of the build (#1502658) - -* Tue Aug 01 2017 Adam Jackson - 1.6.5-4 -- Split libX11-xcb to its own subpackage. This doesn't have much effect at - the moment because x11-xcb.pc still lists both libX11 and libxcb in - Requires, but once that's fixed eg. libEGL should be able to be installed - without libX11. - -* Wed Jul 26 2017 Fedora Release Engineering - 1.6.5-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri May 12 2017 Hans de Goede - 1.6.5-2 -- Rebuild against new xproto to pick up support for new keysyms - -* Wed Apr 26 2017 Adam Jackson - 1.6.5-1 -- libX11 1.6.5 - -* Thu Feb 16 2017 Rex Dieter - 1.6.4-6 -- create/own /var/cache/libx11/compose (#962764) -- %%build: --disable-silent-rules - -* Fri Feb 10 2017 Fedora Release Engineering - 1.6.4-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Fri Jan 20 2017 Peter Hutterer 1.6.4-4 -- Actually apply the patch from 1.6.4-3 - -* Mon Jan 09 2017 Peter Hutterer 1.6.4-3 -- Fix a bug in the memory leak fix from 1.6.4-2 - -* Thu Jan 05 2017 Peter Hutterer 1.6.4-2 -- Plug a memory leak in XListFonts() - -* Wed Oct 05 2016 Adam Jackson - 1.6.4-1 -- libX11 1.6.4 - -* Thu Feb 04 2016 Fedora Release Engineering - 1.6.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Jan 28 2016 Peter Hutterer -- Remove unnecessary defattr - -* Wed Jun 17 2015 Fedora Release Engineering - 1.6.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Tue Mar 10 2015 Adam Jackson 1.6.3-1 -- libX11 1.6.3 - -* Sun Aug 17 2014 Fedora Release Engineering - 1.6.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Mon Jun 30 2014 Adam Jackson 1.6.2-1 -- libX11 1.6.2 plus a fix for interleaved xcb/xlib usage -- Use >= for the -common Requires - -* Sat Jun 07 2014 Fedora Release Engineering - 1.6.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Tue Jul 30 2013 Peter Hutterer 1.6.1-1 -- libX11 1.6.1 - -* Tue Jun 04 2013 Peter Hutterer 1.6.0-1 -- libX11 1.6.0 diff --git a/SOURCES/dont-forward-keycode-0.patch b/dont-forward-keycode-0.patch similarity index 83% rename from SOURCES/dont-forward-keycode-0.patch rename to dont-forward-keycode-0.patch index c16d874..466c583 100644 --- a/SOURCES/dont-forward-keycode-0.patch +++ b/dont-forward-keycode-0.patch @@ -1,19 +1,19 @@ diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c --- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400 +++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400 -@@ -142,7 +142,7 @@ _XimProtoKeypressFilter( +@@ -143,7 +143,7 @@ _XimProtoKeypressFilter( { Xim im = (Xim)ic->core.im; -- if (IS_FABRICATED(im)) { -+ if ((ev->keycode == 0) || IS_FABRICATED(im)) { +- if (_XimIsFabricatedSerial(im, ev)) { ++ if ((ev->keycode == 0) || _XimIsFabricatedSerial(im, ev)) { _XimPendingFilter(ic); - UNMARK_FABRICATED(im); + _XimUnfabricateSerial(im, ic, ev); return NOTFILTERD; diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c --- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400 +++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400 -@@ -332,6 +332,17 @@ _XimForwardEvent( +@@ -333,6 +333,17 @@ _XimForwardEvent( XEvent *ev, Bool sync) { @@ -31,9 +31,9 @@ diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/xi #ifdef EXT_FORWARD if (((ev->type == KeyPress) || (ev->type == KeyRelease))) if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync)) -@@ -604,6 +615,19 @@ _XimUnregCommitInfo( - Xfree(info->keysym); - ic->private.proto.commit_info = info->next; +@@ -703,6 +714,19 @@ _XimUnregRealCommitInfo( + else + ic->private.proto.commit_info = info->next; Xfree(info); + + /* diff --git a/libX11.spec b/libX11.spec new file mode 100644 index 0000000..47fff32 --- /dev/null +++ b/libX11.spec @@ -0,0 +1,356 @@ +%global tarball libX11 +#global gitdate 20130524 +#global gitversion a3bdd2b09 + +Summary: Core X11 protocol client library +Name: libX11 +Version: 1.8.10 +Release: 1%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} +License: MIT AND X11 +URL: http://www.x.org + +%if 0%{?gitdate} +Source0: %{tarball}-%{gitdate}.tar.bz2 +Source1: make-git-snapshot.sh +Source2: commitid +%else +Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.xz +%endif + + +Patch02: dont-forward-keycode-0.patch +# https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/264 +Patch03: 0001-Close-xcb-connection-after-freeing-display-structure.patch + +BuildRequires: libtool +BuildRequires: make +BuildRequires: xorg-x11-util-macros >= 1.11 +BuildRequires: pkgconfig(xproto) >= 7.0.15 +BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4 +BuildRequires: libxcb-devel >= 1.2 +BuildRequires: pkgconfig(xau) pkgconfig(xdmcp) +BuildRequires: perl(Pod::Usage) + +Requires: %{name}-common >= %{version}-%{release} + +%description +Core X11 protocol client library. + +%package common +Summary: Common data for libX11 +BuildArch: noarch + +%description common +libX11 common data + +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version}-%{release} +Requires: %{name}-xcb = %{version}-%{release} + +%description devel +X.Org X11 libX11 development package + +%package xcb +Summary: XCB interop for libX11 +Conflicts: %{name} < %{version}-%{release} + +%description xcb +libX11/libxcb interoperability library + +%prep +%autosetup -p1 -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} + +%build +autoreconf -v --install --force +%configure --disable-silent-rules --disable-static + +make %{?_smp_mflags} + +%install +make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" + +# create/own compose cache dir +mkdir -p $RPM_BUILD_ROOT/var/cache/libX11/compose + +# We intentionally don't ship *.la files +find $RPM_BUILD_ROOT -type f -name '*.la' -delete + +# FIXME: Don't install Xcms.txt - find out why upstream still ships this. +find $RPM_BUILD_ROOT -name 'Xcms.txt' -delete + +# FIXME package these properly +rm -rf $RPM_BUILD_ROOT%{_docdir} + +%check +make %{?_smp_mflags} check + +%ldconfig_post +%ldconfig_postun + +%files +%{_libdir}/libX11.so.6 +%{_libdir}/libX11.so.6.4.0 + +%files xcb +%{_libdir}/libX11-xcb.so.1 +%{_libdir}/libX11-xcb.so.1.0.0 + +%files common +%doc AUTHORS COPYING README.md +%{_datadir}/X11/locale/ +%{_datadir}/X11/XErrorDB +%dir /var/cache/libX11 +%dir /var/cache/libX11/compose + +%files devel +%{_includedir}/X11/ImUtil.h +%{_includedir}/X11/XKBlib.h +%{_includedir}/X11/Xcms.h +%{_includedir}/X11/Xlib.h +%{_includedir}/X11/XlibConf.h +%{_includedir}/X11/Xlibint.h +%{_includedir}/X11/Xlib-xcb.h +%{_includedir}/X11/Xlocale.h +%{_includedir}/X11/Xregion.h +%{_includedir}/X11/Xresource.h +%{_includedir}/X11/Xutil.h +%{_includedir}/X11/cursorfont.h +%{_includedir}/X11/extensions/XKBgeom.h +%{_libdir}/libX11.so +%{_libdir}/libX11-xcb.so +%{_libdir}/pkgconfig/x11.pc +%{_libdir}/pkgconfig/x11-xcb.pc +%{_mandir}/man3/*.3* +%{_mandir}/man5/*.5* + +%changelog +* Thu Dec 05 2024 Olivier Fourdan - 1.8.10-1 +- Rebase to 1.8.10 + Resolves: https://issues.redhat.com/browse/RHEL-70185 + +* Tue Oct 29 2024 Troy Dawson - 1.8.7-8 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Fri Jul 05 2024 José Expósito - 1.8.7-7 +- Fix deadlock in XRebindKeysym() + Resolves: https://issues.redhat.com/browse/RHEL-45855 + +* Mon Jun 24 2024 Troy Dawson - 1.8.7-6 +- Bump release for June 2024 mass rebuild + +* Thu Jun 20 2024 José Expósito - 1.8.7-5 +- Add gating.yaml + +* Thu Jun 20 2024 José Expósito - 1.8.7-4 +- Fix XTS test XCopyColormapAndFree/5 hangs + Resolves: https://issues.redhat.com/browse/RHEL-40132 +- Fix RHEL SAST Automation errors + Resolves: https://issues.redhat.com/browse/RHEL-34918 + +* Thu Jan 25 2024 Fedora Release Engineering - 1.8.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 1.8.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Oct 04 2023 Peter Hutterer - 1.8.7-1 +- libX11 1.8.7 + - CVE-2023-43785 libX11: out-of-bounds memory access in _XkbReadKeySyms() + - CVE-2023-43786 libX11: stack exhaustion from infinite recursion in + PutSubImage() + - CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to + a heap overflow + - CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer() + - CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap + +* Thu Sep 07 2023 José Expósito - 1.8.6-3 +- SPDX Migration + +* Thu Jul 20 2023 Fedora Release Engineering - 1.8.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Fri Jun 16 2023 Peter Hutterer - 1.8.6-1 +- libX11 1.8.6 (CVE-2023-3138) + +* Mon Jun 05 2023 Peter Hutterer 1.8.5-1 +- libX11 1.8.5 + +* Wed Feb 08 2023 Peter Hutterer - 1.8.4-1 +- libX11 1.8.4 + +* Thu Jan 19 2023 Fedora Release Engineering - 1.8.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Jan 16 2023 Peter Hutterer - 1.8.3-2 +- Fix XPutBackEvent() issues (#2161020) + +* Fri Jan 06 2023 Peter Hutterer - 1.8.3-1 +- libX11 1.8.3 + +* Thu Jul 21 2022 Fedora Release Engineering - 1.8.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jun 16 2022 Peter Hutterer - 1.8.1-1 +- libX11 1.8.1 + +* Mon Apr 04 2022 Peter Hutterer - 1.7.5-1 +- libX11 1.7.5 + +* Thu Mar 31 2022 Peter Hutterer - 1.7.4-1 +- libX11 1.7.4 + +* Thu Jan 20 2022 Fedora Release Engineering - 1.7.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Fri Dec 10 2021 Peter Hutterer - 1.7.3.1-1 +- libX11 1.7.3.1 + +* Tue Dec 07 2021 Peter Hutterer - 1.7.3-1 +- libX11 1.7.3 +- manually add ax_gcc_builtin, it's missing from the tarball + +* Tue Jul 27 2021 Peter Hutterer - 1.7.2-3 +- Parse the new _EVDEVK symbols + +* Thu Jul 22 2021 Fedora Release Engineering - 1.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jun 09 2021 Peter Hutterer 1.7.2-1 +- libX11 1.7.2 + +* Tue May 18 2021 Adam Jackson - 1.7.1-1 +- libX11 1.7.1 (CVE-2021-31535) + +* Tue Jan 26 2021 Fedora Release Engineering - 1.7.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Dec 01 2020 Peter Hutterer 1.7.0-2 +- libX11 1.7.0 (with the tarball this time) + +* Tue Dec 01 2020 Peter Hutterer 1.7.0-1 +- libX11 1.7.0 +- switch to using the autosetup rpm macro + +* Mon Nov 09 2020 Peter Hutterer 1.6.12-3 +- Fix a race-condition in poll_for_response (#1758384) + +* Thu Nov 5 11:12:56 AEST 2020 Peter Hutterer - 1.6.12-2 +- Add BuildRequires for make + +* Wed Aug 26 2020 Peter Hutterer 1.6.12-1 +- libX11 1.6.12 (CVE-2020-14363, CVE 2020-14344) + +* Fri Jul 31 2020 Adam Jackson - 1.6.9-5 +- Fix server reply validation issue in XIM (CVE 2020-14344) + +* Tue Jul 28 2020 Fedora Release Engineering - 1.6.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jan 29 2020 Fedora Release Engineering - 1.6.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Dec 11 2019 Peter Hutterer 1.6.9-2 +- handle ssharp in XConvertCase + +* Wed Oct 09 2019 Adam Jackson - 1.6.9-1 +- libX11 1.6.9 + +* Thu Jul 25 2019 Fedora Release Engineering - 1.6.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jun 20 2019 Peter Hutterer 1.6.8-2 +- rebuild to pick up the new xorgproto keysyms + +* Thu Jun 20 2019 Peter Hutterer 1.6.8-1 +- libX11 1.6.8 + +* Thu Mar 21 2019 Adam Jackson - 1.6.7-3 +- Rebuild for xtrans 1.4.0 + +* Fri Feb 01 2019 Fedora Release Engineering - 1.6.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Oct 09 2018 Adam Jackson - 1.6.7-1 +- libX11 1.6.7 + +* Tue Aug 21 2018 Adam Jackson - 1.6.6-1 +- libX11 1.6.6 + +* Fri Jul 13 2018 Fedora Release Engineering - 1.6.5-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 29 2018 Adam Jackson - 1.6.5-8 +- Use ldconfig scriptlet macros + +* Fri Mar 23 2018 Peter Hutterer 1.6.5-7 +- Fix FTBS caused by fake size in the XimCacheStruct (#1556616) + +* Wed Feb 07 2018 Fedora Release Engineering - 1.6.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Oct 17 2017 Peter Hutterer 1.6.5-5 +- run make check as part of the build (#1502658) + +* Tue Aug 01 2017 Adam Jackson - 1.6.5-4 +- Split libX11-xcb to its own subpackage. This doesn't have much effect at + the moment because x11-xcb.pc still lists both libX11 and libxcb in + Requires, but once that's fixed eg. libEGL should be able to be installed + without libX11. + +* Wed Jul 26 2017 Fedora Release Engineering - 1.6.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri May 12 2017 Hans de Goede - 1.6.5-2 +- Rebuild against new xproto to pick up support for new keysyms + +* Wed Apr 26 2017 Adam Jackson - 1.6.5-1 +- libX11 1.6.5 + +* Thu Feb 16 2017 Rex Dieter - 1.6.4-6 +- create/own /var/cache/libx11/compose (#962764) +- %%build: --disable-silent-rules + +* Fri Feb 10 2017 Fedora Release Engineering - 1.6.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 20 2017 Peter Hutterer 1.6.4-4 +- Actually apply the patch from 1.6.4-3 + +* Mon Jan 09 2017 Peter Hutterer 1.6.4-3 +- Fix a bug in the memory leak fix from 1.6.4-2 + +* Thu Jan 05 2017 Peter Hutterer 1.6.4-2 +- Plug a memory leak in XListFonts() + +* Wed Oct 05 2016 Adam Jackson - 1.6.4-1 +- libX11 1.6.4 + +* Thu Feb 04 2016 Fedora Release Engineering - 1.6.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 28 2016 Peter Hutterer +- Remove unnecessary defattr + +* Wed Jun 17 2015 Fedora Release Engineering - 1.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Mar 10 2015 Adam Jackson 1.6.3-1 +- libX11 1.6.3 + +* Sun Aug 17 2014 Fedora Release Engineering - 1.6.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Jun 30 2014 Adam Jackson 1.6.2-1 +- libX11 1.6.2 plus a fix for interleaved xcb/xlib usage +- Use >= for the -common Requires + +* Sat Jun 07 2014 Fedora Release Engineering - 1.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Jul 30 2013 Peter Hutterer 1.6.1-1 +- libX11 1.6.1 + +* Tue Jun 04 2013 Peter Hutterer 1.6.0-1 +- libX11 1.6.0 diff --git a/sources b/sources new file mode 100644 index 0000000..33944c3 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libX11-1.8.10.tar.xz) = f801f5b77cbc55074f73dc95b29fff7b5e1b13b99641f6e397788ad9f31a29793ed4e8e5bd373122c790ef90627e8f9d6d5e271051c1767a479a85c55cd82bc1