diff --git a/54a963608d23d35cd9233b2223f880ac3671f10b.patch b/54a963608d23d35cd9233b2223f880ac3671f10b.patch
new file mode 100644
index 0000000..55330a1
--- /dev/null
+++ b/54a963608d23d35cd9233b2223f880ac3671f10b.patch
@@ -0,0 +1,33 @@
+From 54a963608d23d35cd9233b2223f880ac3671f10b Mon Sep 17 00:00:00 2001
+From: Jamey Sharp
+Date: Fri, 06 Aug 2010 22:51:56 +0000
+Subject: Fix use-after-free in _XReply on X errors.
+
+_XReply would always call dequeue_pending_request on errors. When it
+got an error for the current request, it would call dequeue, then break
+out of the loop; then, if it had an error in the event queue, it would
+compare it with the sequence number of the now-freed pending request.
+_XReply already stored that sequence number in dpy->last_request_read
+before freeing it, so look at that instead.
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29412
+
+Signed-off-by: Jamey Sharp
+Signed-off-by: Josh Triplett
+(cherry picked from commit 4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18)
+---
+diff --git a/src/xcb_io.c b/src/xcb_io.c
+index dac7622..72881d8 100644
+--- a/src/xcb_io.c
++++ b/src/xcb_io.c
+@@ -579,7 +579,7 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard)
+ xcb_generic_event_t *event = dpy->xcb->next_event;
+ unsigned long event_sequence = dpy->last_request_read;
+ widen(&event_sequence, event->full_sequence);
+- if(event_sequence == current->sequence)
++ if(event_sequence == dpy->last_request_read)
+ {
+ error = (xcb_generic_error_t *) event;
+ dpy->xcb->next_event = NULL;
+--
+cgit v0.8.3-6-g21f6
diff --git a/libX11.spec b/libX11.spec
index 31a863b..c9f4ea7 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -4,7 +4,7 @@
 Summary: Core X11 protocol client library
 Name: libX11
 Version: 1.3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
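Review bot: In the `_XReply` hunk carried by the added patch file, the new test `if(event_sequence == dpy->last_request_read)` is only correct because `dpy->last_request_read` was set to the pending request's sequence number before that request was freed, and that invariant is stated in the commit message but nowhere in the code. A comment above the `if`, such as `/* current may already have been freed by dequeue_pending_request(); last_request_read holds its sequence number */`, would keep a later edit from reintroducing the `current->sequence` read. The body of `_XReply` starts and ends outside the hunk, so any other use of `current` after the dequeue is not visible here and is worth checking when the patch is applied.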
@@ -16,7 +16,7 @@ Source0: http://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.t #Source1: make-git-snapshot.sh Patch2: dont-forward-keycode-0.patch - +Patch3: 54a963608d23d35cd9233b2223f880ac3671f10b.patch BuildRequires: xorg-x11-util-macros BuildRequires: pkgconfig(xproto) >= 7.0.15 BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4 @@ -48,6 +48,7 @@ X.Org X11 libX11 development package %setup -q #setup -q -n %{tarball}-%{gitdate} %patch2 -p1 -b .dont-forward-keycode-0 +%patch3 -p1 %build # sodding libtool @@ -114,6 +115,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/*.5* %changelog +* Tue Aug 10 2010 Bill Nottingham - 1.3.4-3 +- Merge upstream commit 54a96360, fixes use-after-free (fd.o 29412) + * Mon Jul 19 2010 Matěj Cepl - 1.3.4-2 - don't own /usr/share/X11, filesystem owns it already (#569395)
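Review bot: `Patch3:` is added with a bare commit hash as its file name and no comment, so the spec does not say what the patch fixes or where it came from unless the reader goes down to the changelog. A line above it such as `# fd.o 29412: use-after-free in _XReply, upstream commit 54a96360` would record that next to the patch. In the `@@ -48,6 +48,7 @@` hunk, `%patch3 -p1` also omits the `-b` backup suffix that `%patch2 -p1 -b .dont-forward-keycode-0` uses; giving it one keeps the two patch applications consistent.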