diff --git a/0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch b/0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch new file mode 100644 index 0000000..97656e6 --- /dev/null +++ b/0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch @@ -0,0 +1,49 @@ +From 4f5541193dd5a004ed5ea44c12fc25e227113c9b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Tue, 30 Apr 2024 16:37:21 +0200 +Subject: [PATCH 1/6] Fix use of uninitialized variable in _XimTriggerNotify +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +`_XimRead()` is being called with `reply` as target buffer instead of +using `preply`, accessing uninitialized memory a few lines later. + +This error has been found by a static analysis tool. This is the report: + + Error: UNINIT (CWE-457): + libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: alloc_fn: + Calling "malloc" which returns uninitialized memory. + libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: assign: + Assigning: "preply" = "malloc((size_t)((len == 0) ? 1 : len))", + which points to uninitialized data. + libX11-1.8.7/modules/im/ximcp/imDefLkup.c:573: uninit_use: + Using uninitialized value "*((CARD8 *)preply)". + # 571| } + # 572| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE); + # 573|-> if (*((CARD8 *)preply) == XIM_ERROR) { + # 574| _XimProcError(im, 0, (XPointer)&buf_s[3]); + # 575| if(reply != preply) + +Signed-off-by: José Expósito +Part-of: +--- + modules/im/ximcp/imDefLkup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c +index 2e53ab23..8ccaee26 100644 +--- a/modules/im/ximcp/imDefLkup.c ++++ b/modules/im/ximcp/imDefLkup.c +@@ -635,7 +635,7 @@ _XimTriggerNotify( + } else { + buf_size = len; + preply = Xmalloc(len); +- ret_code = _XimRead(im, &len, (XPointer)reply, buf_size, ++ ret_code = _XimRead(im, &len, preply, buf_size, + _XimTriggerNotifyCheck, (XPointer)ic); + if(ret_code != XIM_TRUE) { + Xfree(preply); +-- +2.45.2 + diff --git a/0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch b/0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch new file mode 100644 index 0000000..bbb797e --- /dev/null +++ b/0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch @@ -0,0 +1,49 @@ +From eaad761e24722b1743d3edee3383294bfb4947d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Tue, 30 Apr 2024 16:41:40 +0200 +Subject: [PATCH 2/6] Fix use of uninitialized variable in _XimExtension +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +`_XimRead()` is being called with `reply` as target buffer instead of +using `preply`, accessing uninitialized memory a few lines later. + +This error has been found by a static analysis tool. This is the report: + + Error: UNINIT (CWE-457): + libX11-1.8.7/modules/im/ximcp/imExten.c:468: alloc_fn: + Calling "malloc" which returns uninitialized memory. + libX11-1.8.7/modules/im/ximcp/imExten.c:468: assign: + Assigning: "preply" = "malloc((size_t)((buf_size == 0) ? 1 : buf_size))", + which points to uninitialized data. + libX11-1.8.7/modules/im/ximcp/imExten.c:479: uninit_use: + Using uninitialized value "*((CARD8 *)preply)". + # 477| return False; + # 478| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE); + # 479|-> if (*((CARD8 *)preply) == XIM_ERROR) { + # 480| _XimProcError(im, 0, (XPointer)&buf_s[3]); + # 481| if(reply != preply) + +Signed-off-by: José Expósito +Part-of: +--- + modules/im/ximcp/imExten.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/im/ximcp/imExten.c b/modules/im/ximcp/imExten.c +index c2e48a89..a25f00d0 100644 +--- a/modules/im/ximcp/imExten.c ++++ b/modules/im/ximcp/imExten.c +@@ -466,7 +466,7 @@ _XimExtension( + } else { + buf_size = len; + preply = Xmalloc(buf_size); +- ret_code = _XimRead(im, &len, reply, buf_size, ++ ret_code = _XimRead(im, &len, preply, buf_size, + _XimQueryExtensionCheck, 0); + if(ret_code != XIM_TRUE) { + Xfree(preply); +-- +2.45.2 + diff --git a/0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch b/0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch new file mode 100644 index 0000000..0b5d749 --- /dev/null +++ b/0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch @@ -0,0 +1,47 @@ +From 836a8f2cf5e930c8a56b512273fdf9890282ba04 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Tue, 30 Apr 2024 16:49:26 +0200 +Subject: [PATCH 3/6] Fix use of uninitialized variable in + _XimEncodeICATTRIBUTE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In the `res->resource_size == XimType_NEST` code path, if +`res->xrm_name != pre_quark` and `res->xrm_name != sts_quark`, `len` can +be used uninitialized. + +This error has been found by a static analysis tool. This is the report: + + Error: UNINIT (CWE-457): + libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1106: var_decl: + Declaring variable "len" without initializer. + libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1179: uninit_use: + Using uninitialized value "len". + # 1177| } + # 1178| + # 1179|-> if (len == 0) { + # 1180| continue; + # 1181| } else if (len < 0) { + +Signed-off-by: José Expósito +Part-of: +--- + modules/im/ximcp/imRmAttr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c +index 709e64ab..c56bd62e 100644 +--- a/modules/im/ximcp/imRmAttr.c ++++ b/modules/im/ximcp/imRmAttr.c +@@ -1115,6 +1115,7 @@ _XimEncodeICATTRIBUTE( + + *ret_len = 0; + for (p = arg; p && p->name; p++) { ++ len = 0; + buf_s = (CARD16 *)buf; + if (!(res = _XimGetResourceListRec(res_list, res_num, p->name))) { + if (_XimSetInnerICAttributes(ic, top, p, mode)) +-- +2.45.2 + diff --git a/0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch b/0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch new file mode 100644 index 0000000..0a3d9fe --- /dev/null +++ b/0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch @@ -0,0 +1,62 @@ +From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Tue, 30 Apr 2024 17:37:39 +0200 +Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in + XkbResizeKeyActions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Passing a negative value in `needed` to the `XkbResizeKeyActions()` +function can create a `newActs` array of an unespected size. +Check the value and return if it is invalid. + +This error has been found by a static analysis tool. This is the report: + + Error: OVERRUN (CWE-119): + libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const: + Checking "xkb->server->size_acts == 0" implies that + "xkb->server->size_acts" is 0 on the true branch. + libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc: + "calloc" allocates 8 bytes dictated by parameters + "(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)" + and "8UL". + libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign: + Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)". + libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment: + Assigning: "nActs" = "1". + libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least: + Checking "nCopy > 0" implies that "nCopy" is at least 1 on the + true branch. + libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg: + Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by + passing it to a function which accesses it at byte offset 15 + using argument "nCopy * 8UL" (which evaluates to 8). + # 828| + # 829| if (nCopy > 0) + # 830|-> memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i), + # 831| nCopy * sizeof(XkbAction)); + # 832| if (nCopy < nKeyActs) + +Signed-off-by: José Expósito +Part-of: +--- + src/xkb/XKBMAlloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c +index 8b3be303..0563a688 100644 +--- a/src/xkb/XKBMAlloc.c ++++ b/src/xkb/XKBMAlloc.c +@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed) + register int i, nActs; + XkbAction *newActs; + +- if (needed == 0) { ++ if (needed <= 0) { + xkb->server->key_acts[key] = 0; + return NULL; + } +-- +2.45.2 + diff --git a/0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch b/0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch new file mode 100644 index 0000000..06cc018 --- /dev/null +++ b/0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch @@ -0,0 +1,64 @@ +From f67a87dad40141f50f4da35b28a92a974bfdf7e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Tue, 30 Apr 2024 18:04:35 +0200 +Subject: [PATCH 5/6] Fix memory leak in _XimProtoSetIMValues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This error has been found by a static analysis tool. This is the report: + + Error: RESOURCE_LEAK (CWE-772): + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: alloc_fn: + Storage is returned from allocation function "calloc". + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: var_assign: + Assigning: "tmp" = storage returned from + "calloc((size_t)((buf_size + data_len == 0) ? 1 : (buf_size + data_len)), 1UL)". + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1319: noescape: + Resource "tmp" is not freed or pointed-to in "memcpy". + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1320: var_assign: + Assigning: "buf" = "tmp". + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1302: var_assign: + Assigning: "data" = "buf". + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1303: noescape: + Resource "data" is not freed or pointed-to in + "_XimEncodeIMATTRIBUTE". + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage: + Variable "data" going out of scope leaks the storage it points to. + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage: + Variable "buf" going out of scope leaks the storage it points to. + libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage: + Variable "tmp" going out of scope leaks the storage it points to. + # 1331| + # 1332| if (!total) + # 1333|-> return (char *)NULL; + # 1334| + # 1335| buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; + +Signed-off-by: José Expósito +Part-of: +--- + modules/im/ximcp/imDefIm.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c +index a12d2970..e3075398 100644 +--- a/modules/im/ximcp/imDefIm.c ++++ b/modules/im/ximcp/imDefIm.c +@@ -1327,8 +1327,11 @@ _XimProtoSetIMValues( + } + _XimSetCurrentIMValues(im, &im_values); + +- if (!total) +- return (char *)NULL; ++ if (!total) { ++ if (buf != tmp_buf) ++ Xfree(buf); ++ return (char *)NULL; ++ } + + buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; + buf_s[0] = im->private.proto.imid; +-- +2.45.2 + diff --git a/0006-Fix-buffer-overrun-in-parse_omit_name.patch b/0006-Fix-buffer-overrun-in-parse_omit_name.patch new file mode 100644 index 0000000..caeaccc --- /dev/null +++ b/0006-Fix-buffer-overrun-in-parse_omit_name.patch @@ -0,0 +1,57 @@ +From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Tue, 30 Apr 2024 18:21:08 +0200 +Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When `num_fields == 12`, if the last character of the pattern is '-', +the `buf` array is overrun. + +This error has been found by a static analysis tool. This is the report: + + Error: OVERRUN (CWE-119): + libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most: + Checking "length > 255" implies that "length" may be up to 255 on + the false branch. + libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias: + Assigning: "last" = "buf + length - 1". "last" may now point to as + high as byte 254 of "buf" (which consists of 256 bytes). + libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr: + Incrementing "last". "last" may now point to as high as byte 255 + of "buf" (which consists of 256 bytes). + libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr: + Incrementing "last". "last" may now point to as high as byte 256 + of "buf" (which consists of 256 bytes). + libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local: + Overrunning array of 256 bytes at byte offset 256 by + dereferencing pointer "++last". + # 718| *++last = '*'; + # 719| + # 720|-> *++last = '-'; + # 721| break; + # 722| case 13: + +Signed-off-by: José Expósito +Part-of: +--- + modules/om/generic/omGeneric.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c +index 406cec93..370072f3 100644 +--- a/modules/om/generic/omGeneric.c ++++ b/modules/om/generic/omGeneric.c +@@ -688,7 +688,7 @@ parse_omit_name( + + length = strlen (pattern); + +- if (length > XLFD_MAX_LEN) ++ if (length > XLFD_MAX_LEN - 1) + return -1; + + strcpy(buf, pattern); +-- +2.45.2 + diff --git a/libX11.spec b/libX11.spec index 79724ee..3da57ef 100644 --- a/libX11.spec +++ b/libX11.spec @@ -5,7 +5,7 @@ Summary: Core X11 protocol client library Name: libX11 Version: 1.8.7 -Release: 3%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} +Release: 4%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} License: MIT AND X11 URL: http://www.x.org @@ -25,6 +25,14 @@ Patch03: 0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch Patch04: 0002-Revert-Protect-colormap-add-removal-with-display-loc.patch Patch05: 0003-Make-colormap-private-interfaces-thread-safe.patch +# https://issues.redhat.com/browse/RHEL-34918 +Patch06: 0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch +Patch07: 0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch +Patch08: 0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch +Patch09: 0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch +Patch10: 0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch +Patch11: 0006-Fix-buffer-overrun-in-parse_omit_name.patch + BuildRequires: libtool BuildRequires: make BuildRequires: xorg-x11-util-macros >= 1.11 @@ -128,6 +136,12 @@ make %{?_smp_mflags} check %{_mandir}/man5/*.5* %changelog +* Thu Jun 20 2024 José Expósito - 1.8.7-4 +- Fix XTS test XCopyColormapAndFree/5 hangs + Resolves: https://issues.redhat.com/browse/RHEL-40132 +- Fix RHEL SAST Automation errors + Resolves: https://issues.redhat.com/browse/RHEL-34918 + * Thu Jan 25 2024 Fedora Release Engineering - 1.8.7-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild