diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ce5f63d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/libX11-1.6.8.tar.bz2 diff --git a/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch b/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch new file mode 100644 index 0000000..fd4e5aa --- /dev/null +++ b/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch @@ -0,0 +1,64 @@ +From a515545065ce6e1924de4bc50aaae7ec9b48cfad Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Wed, 11 Dec 2019 11:53:11 -0500 +Subject: [PATCH libX11] Fix XTS regression in XCopyColormapAndFree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +XCopyColormapAndFree/5 threw an assertion: + + 520|4 5 00014017 1 2|Assertion XCopyColormapAndFree-5.(A) + 520|4 5 00014017 1 3|When a colourmap argument does not name a valid colourmap, + 520|4 5 00014017 1 4|then a BadColor error occurs. + 520|4 5 00014017 1 5|METH: Create a bad colourmap by creating and freeing a colourmap. + 520|4 5 00014017 1 6|METH: Call test function using bad colourmap as the colourmap argument. + 520|4 5 00014017 1 7|METH: Verify that a BadColor error occurs. + 520|4 5 00014017 1 8|unexpected signal 6 (SIGABRT) received + 220|4 5 2 15:05:53|UNRESOLVED + 410|4 5 1 15:05:53|IC End + 510|4|system 0: Abandoning testset: caught unexpected signal 11 (SIGSEGV) + +More specifically: + + lt-XCopyColormapAndFree: xcb_io.c:533: _XAllocID: Assertion `ret != inval_id' failed. + +This bug was introduced (by following my advice, d'oh) in: + + commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d + Author: Tapani Pälli + Date: Mon May 13 08:29:49 2019 +0300 + + Protect colormap add/removal with display lock + +In that patch we moved the call to _XcmsCopyCmapRecAndFree inside the +display lock. The problem is said routine has side effects, including +trying to implicitly create a colormap in some cases. Since we don't run +the XID handler until SyncHandle() we would see inconsistent internal +xlib state, triggering the above assert. + +Fix this by dropping and re-taking the display lock before calling into +XCMS. +--- + src/CopyCmap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/CopyCmap.c b/src/CopyCmap.c +index b4954b01..b37aba73 100644 +--- a/src/CopyCmap.c ++++ b/src/CopyCmap.c +@@ -53,6 +53,11 @@ Colormap XCopyColormapAndFree( + mid = req->mid = XAllocID(dpy); + req->srcCmap = src_cmap; + ++ /* re-lock the display to keep XID handling in sync */ ++ UnlockDisplay(dpy); ++ SyncHandle(); ++ LockDisplay(dpy); ++ + #if XCMS + _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid); + #endif +-- +2.23.0 + diff --git a/0001-Fix-an-integer-overflow-in-init_om.patch b/0001-Fix-an-integer-overflow-in-init_om.patch new file mode 100644 index 0000000..cdb3de4 --- /dev/null +++ b/0001-Fix-an-integer-overflow-in-init_om.patch @@ -0,0 +1,37 @@ +From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 13 Aug 2020 18:02:58 +0200 +Subject: [PATCH] Fix an integer overflow in init_om() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2020-14363 + +This can lead to a double free later, as reported by Jayden Rivers. + +Signed-off-by: Matthieu Herrb + +(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d) +Signed-off-by: Michel Dänzer +--- + modules/om/generic/omGeneric.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c +index 22f826ec..bcfb9ab8 100644 +--- a/modules/om/generic/omGeneric.c ++++ b/modules/om/generic/omGeneric.c +@@ -1908,7 +1908,8 @@ init_om( + char **required_list; + XOrientation *orientation; + char **value, buf[BUFSIZ], *bufptr; +- int count = 0, num = 0, length = 0; ++ int count = 0, num = 0; ++ unsigned int length = 0; + + _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count); + if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0) +-- +2.28.0 + diff --git a/0001-Fix-poll_for_response-race-condition.patch b/0001-Fix-poll_for_response-race-condition.patch new file mode 100644 index 0000000..77b4d26 --- /dev/null +++ b/0001-Fix-poll_for_response-race-condition.patch @@ -0,0 +1,63 @@ +From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 29 Jan 2020 09:06:54 +0000 +Subject: [PATCH libX11] Fix poll_for_response race condition + +In poll_for_response is it possible that event replies are skipped +and a more up to date message reply is returned. +This will cause next poll_for_event call to fail aborting the program. + +This was proved using some slow ssh tunnel or using some program +to slow down server replies (I used a combination of xtrace and strace). + +How the race happens: +- program enters into poll_for_response; +- poll_for_event is called but the server didn't still send the reply; +- pending_requests is not NULL because we send a request (see call + to append_pending_request in _XSend); +- xcb_poll_for_reply64 is called from poll_for_response; +- xcb_poll_for_reply64 will read from server, at this point + server reply with an event (say sequence N) and the reply to our + last request (say sequence N+1); +- xcb_poll_for_reply64 returns the reply for the request we asked; +- last_request_read is set to N+1 sequence in poll_for_response; +- poll_for_response returns the response to the request; +- poll_for_event is called (for instance from another poll_for_response); +- event with sequence N is retrieved; +- the N sequence is widen, however, as the "new" number computed from + last_request_read is less than N the number is widened to N + 2^32 + (assuming last_request_read is still contained in 32 bit); +- poll_for_event enters the nested if statement as req is NULL; +- we compare the widen N (which now does not fit into 32 bit) with + request (which fits into 32 bit) hitting the throw_thread_fail_assert. + +I propose to change the widen to not go too far from the wide number +instead of supposing the result is always bigger than the wide number +passed. + +Signed-off-by: Frediano Ziglio +--- + src/xcb_io.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/xcb_io.c b/src/xcb_io.c +index 6a12d150..2aacbda3 100644 +--- a/src/xcb_io.c ++++ b/src/xcb_io.c +@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply) + } + + /* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number. +- * Treating the comparison as a 1 and shifting it avoids a conditional branch. + */ + static void widen(uint64_t *wide, unsigned int narrow) + { +- uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow; +- *wide = new + (((uint64_t)(new < *wide)) << 32); ++ *wide += (int32_t) (narrow - *wide); + } + + /* Thread-safety rules: +-- +2.23.0 + diff --git a/CVE-2021-31535.patch b/CVE-2021-31535.patch new file mode 100644 index 0000000..aa60662 --- /dev/null +++ b/CVE-2021-31535.patch @@ -0,0 +1,411 @@ +From 2714e4478c1262c94de6295cce605c14572968d3 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Fri, 19 Feb 2021 15:30:39 +0100 +Subject: [PATCH libX11] Reject string longer than USHRT_MAX before sending + them on the wire + +The X protocol uses CARD16 values to represent the length so +this would overflow. + +CVE-2021-31535 + +Signed-off-by: Matthieu Herrb + +[mustard: backported 10 1.6.8 by merging the warning fixes from +upstream commimt 84427130 first - ajax] +--- + src/Font.c | 10 ++++++---- + src/FontInfo.c | 5 ++++- + src/FontNames.c | 5 ++++- + src/GetColor.c | 6 +++++- + src/LoadFont.c | 6 +++++- + src/LookupCol.c | 6 ++++-- + src/ParseCol.c | 7 +++++-- + src/QuExt.c | 7 ++++++- + src/SetFPath.c | 12 +++++++++--- + src/SetHints.c | 9 ++++++++- + src/StNColor.c | 5 ++++- + src/StName.c | 11 ++++++++--- + 12 files changed, 68 insertions(+), 21 deletions(-) + +diff --git a/src/Font.c b/src/Font.c +index 09d2ae91..1cd89cca 100644 +--- a/src/Font.c ++++ b/src/Font.c +@@ -102,12 +102,14 @@ XFontStruct *XLoadQueryFont( + XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy); + #endif + ++ if (strlen(name) >= USHRT_MAX) ++ return NULL; + if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0)) + return font_result; + LockDisplay(dpy); + GetReq(OpenFont, req); + seq = dpy->request; /* Can't use extended sequence number here */ +- nbytes = req->nbytes = name ? strlen(name) : 0; ++ nbytes = req->nbytes = (CARD16) (name ? strlen(name) : 0); + req->fid = fid = XAllocID(dpy); + req->length += (nbytes+3)>>2; + Data (dpy, name, nbytes); +@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont( + + if (!name) + return 0; +- l = strlen(name); +- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-') ++ l = (int) strlen(name); ++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX) + return 0; + charset = NULL; + /* next three lines stolen from _XkbGetCharset() */ +@@ -679,7 +681,7 @@ int _XF86LoadQueryLocaleFont( + return 0; + if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset)) + return 0; +- if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1) ++ if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1) + return 0; + strcpy(buf, name); + strcpy(buf + l - 1, p + 1); +diff --git a/src/FontInfo.c b/src/FontInfo.c +index f870e431..6644b3fa 100644 +--- a/src/FontInfo.c ++++ b/src/FontInfo.c +@@ -58,10 +58,13 @@ XFontStruct **info) /* RETURN */ + register xListFontsReq *req; + int j; + ++ if (strlen(pattern) >= USHRT_MAX) ++ return NULL; ++ + LockDisplay(dpy); + GetReq(ListFontsWithInfo, req); + req->maxNames = maxNames; +- nbytes = req->nbytes = pattern ? strlen (pattern) : 0; ++ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0; + req->length += (nbytes + 3) >> 2; + _XSend (dpy, pattern, nbytes); + /* use _XSend instead of Data, since subsequent _XReply will flush buffer */ +diff --git a/src/FontNames.c b/src/FontNames.c +index b78792d6..458d80c9 100644 +--- a/src/FontNames.c ++++ b/src/FontNames.c +@@ -51,10 +51,13 @@ int *actualCount) /* RETURN */ + register xListFontsReq *req; + unsigned long rlen = 0; + ++ if (strlen(pattern) >= USHRT_MAX) ++ return NULL; ++ + LockDisplay(dpy); + GetReq(ListFonts, req); + req->maxNames = maxNames; +- nbytes = req->nbytes = pattern ? strlen (pattern) : 0; ++ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0; + req->length += (nbytes + 3) >> 2; + _XSend (dpy, pattern, nbytes); + /* use _XSend instead of Data, since following _XReply will flush buffer */ +diff --git a/src/GetColor.c b/src/GetColor.c +index cd0eb9f6..c8178067 100644 +--- a/src/GetColor.c ++++ b/src/GetColor.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */ + XcmsColor cmsColor_exact; + Status ret; + ++ if (strlen(colorname) >= USHRT_MAX) ++ return (0); ++ + #ifdef XCMS + /* + * Let's Attempt to use Xcms and i18n approach to Parse Color +@@ -83,7 +87,7 @@ XColor *exact_def) /* RETURN */ + GetReq(AllocNamedColor, req); + + req->cmap = cmap; +- nbytes = req->nbytes = strlen(colorname); ++ nbytes = req->nbytes = (CARD16) strlen(colorname); + req->length += (nbytes + 3) >> 2; /* round up to mult of 4 */ + + _XSend(dpy, colorname, nbytes); +diff --git a/src/LoadFont.c b/src/LoadFont.c +index f547976b..3996436f 100644 +--- a/src/LoadFont.c ++++ b/src/LoadFont.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include "Xlibint.h" + + Font +@@ -38,12 +39,15 @@ XLoadFont ( + Font fid; + register xOpenFontReq *req; + ++ if (strlen(name) >= USHRT_MAX) ++ return (0); ++ + if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid)) + return fid; + + LockDisplay(dpy); + GetReq(OpenFont, req); +- nbytes = req->nbytes = name ? strlen(name) : 0; ++ nbytes = req->nbytes = name ? (CARD16) strlen(name) : 0; + req->fid = fid = XAllocID(dpy); + req->length += (nbytes+3)>>2; + Data (dpy, name, nbytes); +diff --git a/src/LookupCol.c b/src/LookupCol.c +index f7f969f5..cd9b1368 100644 +--- a/src/LookupCol.c ++++ b/src/LookupCol.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,6 +47,9 @@ XLookupColor ( + XcmsCCC ccc; + XcmsColor cmsColor_exact; + ++ n = (int) strlen (spec); ++ if (n >= USHRT_MAX) ++ return 0; + #ifdef XCMS + /* + * Let's Attempt to use Xcms and i18n approach to Parse Color +@@ -77,8 +81,6 @@ XLookupColor ( + * Xcms and i18n methods failed, so lets pass it to the server + * for parsing. + */ +- +- n = strlen (spec); + LockDisplay(dpy); + GetReq (LookupColor, req); + req->cmap = cmap; +diff --git a/src/ParseCol.c b/src/ParseCol.c +index e997b1b8..7a84a17b 100644 +--- a/src/ParseCol.c ++++ b/src/ParseCol.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,7 +47,9 @@ XParseColor ( + XcmsColor cmsColor; + + if (!spec) return(0); +- n = strlen (spec); ++ n = (int) strlen (spec); ++ if (n >= USHRT_MAX) ++ return(0); + if (*spec == '#') { + /* + * RGB +@@ -119,7 +122,7 @@ XParseColor ( + LockDisplay(dpy); + GetReq (LookupColor, req); + req->cmap = cmap; +- req->nbytes = n = strlen(spec); ++ req->nbytes = (CARD16) (n = (int) strlen(spec)); + req->length += (n + 3) >> 2; + Data (dpy, spec, (long)n); + if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) { +diff --git a/src/QuExt.c b/src/QuExt.c +index 4e230e77..4cb99fcf 100644 +--- a/src/QuExt.c ++++ b/src/QuExt.c +@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include ++#include + #include "Xlibint.h" + + Bool +@@ -40,9 +42,12 @@ XQueryExtension( + xQueryExtensionReply rep; + register xQueryExtensionReq *req; + ++ if (strlen(name) >= USHRT_MAX) ++ return false; ++ + LockDisplay(dpy); + GetReq(QueryExtension, req); +- req->nbytes = name ? strlen(name) : 0; ++ req->nbytes = name ? (CARD16) strlen(name) : 0; + req->length += (req->nbytes+(unsigned)3)>>2; + _XSend(dpy, name, (long)req->nbytes); + (void) _XReply (dpy, (xReply *)&rep, 0, xTrue); +diff --git a/src/SetFPath.c b/src/SetFPath.c +index 60aaef01..13fce49e 100644 +--- a/src/SetFPath.c ++++ b/src/SetFPath.c +@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group. + + #ifdef HAVE_CONFIG_H + #include ++#include + #endif + #include "Xlibint.h" + +@@ -48,7 +49,12 @@ XSetFontPath ( + GetReq (SetFontPath, req); + req->nFonts = ndirs; + for (i = 0; i < ndirs; i++) { +- n += safestrlen (directories[i]) + 1; ++ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1)); ++ if (n >= USHRT_MAX) { ++ UnlockDisplay(dpy); ++ SyncHandle(); ++ return 0; ++ } + } + nbytes = (n + 3) & ~3; + req->length += nbytes >> 2; +@@ -59,9 +65,9 @@ XSetFontPath ( + char *tmp = p; + + for (i = 0; i < ndirs; i++) { +- register int length = safestrlen (directories[i]); ++ register int length = (int) safestrlen (directories[i]); + *p = length; +- memcpy (p + 1, directories[i], length); ++ memcpy (p + 1, directories[i], (size_t)length); + p += length + 1; + } + Data (dpy, tmp, nbytes); +diff --git a/src/SetHints.c b/src/SetHints.c +index bc46498a..61cb0684 100644 +--- a/src/SetHints.c ++++ b/src/SetHints.c +@@ -49,6 +49,7 @@ SOFTWARE. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include + #include "Xatomtype.h" +@@ -214,6 +215,8 @@ XSetCommand ( + register char *buf, *bp; + for (i = 0, nbytes = 0; i < argc; i++) { + nbytes += safestrlen(argv[i]) + 1; ++ if (nbytes >= USHRT_MAX) ++ return 1; + } + if ((bp = buf = Xmalloc(nbytes))) { + /* copy arguments into single buffer */ +@@ -256,11 +259,13 @@ XSetStandardProperties ( + + if (name != NULL) XStoreName (dpy, w, name); + ++ if (safestrlen(icon_string) >= USHRT_MAX) ++ return 1; + if (icon_string != NULL) { + XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, + PropModeReplace, + (_Xconst unsigned char *)icon_string, +- safestrlen(icon_string)); ++ (int)safestrlen(icon_string)); + } + + if (icon_pixmap != None) { +@@ -298,6 +303,8 @@ XSetClassHint( + + len_nm = safestrlen(classhint->res_name); + len_cl = safestrlen(classhint->res_class); ++ if (len_nm + len_cl >= USHRT_MAX) ++ return 1; + if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) { + if (len_nm) { + strcpy(s, classhint->res_name); +diff --git a/src/StNColor.c b/src/StNColor.c +index 8b821c3e..16dc9cbc 100644 +--- a/src/StNColor.c ++++ b/src/StNColor.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */ + XcmsColor cmsColor_exact; + XColor scr_def; + ++ if (strlen(name) >= USHRT_MAX) ++ return 0; + #ifdef XCMS + /* + * Let's Attempt to use Xcms approach to Parse Color +@@ -76,7 +79,7 @@ int flags) /* DoRed, DoGreen, DoBlue */ + req->cmap = cmap; + req->flags = flags; + req->pixel = pixel; +- req->nbytes = nbytes = strlen(name); ++ req->nbytes = (CARD16) (nbytes = (unsigned) strlen(name)); + req->length += (nbytes + 3) >> 2; /* round up to multiple of 4 */ + Data(dpy, name, (long)nbytes); + UnlockDisplay(dpy); +diff --git a/src/StName.c b/src/StName.c +index b4048bff..04bb3aa6 100644 +--- a/src/StName.c ++++ b/src/StName.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include + #include + +@@ -36,9 +37,11 @@ XStoreName ( + Window w, + _Xconst char *name) + { +- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, ++ if (strlen(name) >= USHRT_MAX) ++ return 0; ++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */ + 8, PropModeReplace, (_Xconst unsigned char *)name, +- name ? strlen(name) : 0); ++ name ? (int) strlen(name) : 0); + } + + int +@@ -47,7 +50,9 @@ XSetIconName ( + Window w, + _Xconst char *icon_name) + { ++ if (strlen(icon_name) >= USHRT_MAX) ++ return 0; + return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, + PropModeReplace, (_Xconst unsigned char *)icon_name, +- icon_name ? strlen(icon_name) : 0); ++ icon_name ? (int) strlen(icon_name) : 0); + } +-- +2.30.1 + diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/dont-forward-keycode-0.patch b/dont-forward-keycode-0.patch new file mode 100644 index 0000000..c16d874 --- /dev/null +++ b/dont-forward-keycode-0.patch @@ -0,0 +1,53 @@ +diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c +--- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400 ++++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400 +@@ -142,7 +142,7 @@ _XimProtoKeypressFilter( + { + Xim im = (Xim)ic->core.im; + +- if (IS_FABRICATED(im)) { ++ if ((ev->keycode == 0) || IS_FABRICATED(im)) { + _XimPendingFilter(ic); + UNMARK_FABRICATED(im); + return NOTFILTERD; +diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c +--- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400 ++++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400 +@@ -332,6 +332,17 @@ _XimForwardEvent( + XEvent *ev, + Bool sync) + { ++ /* ++ * Don't forward a key event which has keycode=0. ++ * keycode=0 is reserved for special purpose to let Xmb/wcLookupString() ++ * functions know that there is a commited string available from IM. ++ */ ++ if (((ev->type == KeyPress) || (ev->type == KeyRelease))) { ++ if (((XKeyEvent *)ev)->keycode == 0) { ++ return True; ++ } ++ } ++ + #ifdef EXT_FORWARD + if (((ev->type == KeyPress) || (ev->type == KeyRelease))) + if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync)) +@@ -604,6 +615,19 @@ _XimUnregCommitInfo( + Xfree(info->keysym); + ic->private.proto.commit_info = info->next; + Xfree(info); ++ ++ /* ++ * "Commit" uses fabricated flag to process a commited string ++ * from IM engine. ++ * Turn off the fabricated flag here (unregister the commited ++ * information function). Otherwise, next regular key press ++ * event will be ignored at _XimProtoKeypressFilter() and it ++ * will not be passed to IM engine. ++ */ ++ if (IS_FABRICATED(ic)) { ++ UNMARK_FABRICATED(ic); ++ } ++ + return; + } + diff --git a/libX11.spec b/libX11.spec new file mode 100644 index 0000000..ced136f --- /dev/null +++ b/libX11.spec @@ -0,0 +1,233 @@ +%global tarball libX11 +#global gitdate 20130524 +%global gitversion a3bdd2b09 + +Summary: Core X11 protocol client library +Name: libX11 +Version: 1.6.8 +Release: 5%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} +License: MIT +Group: System Environment/Libraries +URL: http://www.x.org + +%if 0%{?gitdate} +Source0: %{tarball}-%{gitdate}.tar.bz2 +Source1: make-git-snapshot.sh +Source2: commitid +%else +Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2 +%endif + +Patch2: dont-forward-keycode-0.patch +Patch3: 0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch +Patch4: 0001-Fix-poll_for_response-race-condition.patch + +# CVE-2020-14363 +Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch +Patch6: CVE-2021-31535.patch + +BuildRequires: xorg-x11-util-macros >= 1.11 +BuildRequires: pkgconfig(xproto) >= 7.0.15 +BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4 +BuildRequires: libxcb-devel >= 1.2 +BuildRequires: pkgconfig(xau) pkgconfig(xdmcp) +BuildRequires: perl(Pod::Usage) + +Requires: %{name}-common >= %{version}-%{release} + +%description +Core X11 protocol client library. + +%package common +Summary: Common data for libX11 +Group: System Environment/Libraries +BuildArch: noarch + +%description common +libX11 common data + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: %{name}-xcb = %{version}-%{release} + +%description devel +X.Org X11 libX11 development package + +%package xcb +Summary: XCB interop for libX11 +Group: System Environment/Libraries +Conflicts: %{name} < %{version}-%{release} + +%description xcb +libX11/libxcb interoperability library + +%prep +%setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} +%patch2 -p1 -b .dont-forward-keycode-0 +%patch3 -p1 -b .copycolormapandfree +%patch4 -p1 -b .race +%patch5 -p1 -b .fix-an-integer-overflow-in-init_om +%patch6 -p1 -b .cve-2021-31535 + +%build +autoreconf -v --install --force +%configure --disable-silent-rules --disable-static + +make %{?_smp_mflags} + +%install +make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" + +# create/own compose cache dir +mkdir -p $RPM_BUILD_ROOT/var/cache/libX11/compose + +# We intentionally don't ship *.la files +find $RPM_BUILD_ROOT -type f -name '*.la' -delete + +# FIXME: Don't install Xcms.txt - find out why upstream still ships this. +find $RPM_BUILD_ROOT -name 'Xcms.txt' -delete + +# FIXME package these properly +rm -rf $RPM_BUILD_ROOT%{_docdir} + +%check +make %{?_smp_mflags} check + +%ldconfig_post +%ldconfig_postun + +%files +%{_libdir}/libX11.so.6 +%{_libdir}/libX11.so.6.3.0 + +%files xcb +%{_libdir}/libX11-xcb.so.1 +%{_libdir}/libX11-xcb.so.1.0.0 + +%files common +%doc AUTHORS COPYING README.md NEWS +%{_datadir}/X11/locale/ +%{_datadir}/X11/XErrorDB +%dir /var/cache/libX11 +%dir /var/cache/libX11/compose + +%files devel +%{_includedir}/X11/ImUtil.h +%{_includedir}/X11/XKBlib.h +%{_includedir}/X11/Xcms.h +%{_includedir}/X11/Xlib.h +%{_includedir}/X11/XlibConf.h +%{_includedir}/X11/Xlibint.h +%{_includedir}/X11/Xlib-xcb.h +%{_includedir}/X11/Xlocale.h +%{_includedir}/X11/Xregion.h +%{_includedir}/X11/Xresource.h +%{_includedir}/X11/Xutil.h +%{_includedir}/X11/cursorfont.h +%{_libdir}/libX11.so +%{_libdir}/libX11-xcb.so +%{_libdir}/pkgconfig/x11.pc +%{_libdir}/pkgconfig/x11-xcb.pc +%{_mandir}/man3/*.3* +%{_mandir}/man5/*.5* + +%changelog +* Thu Aug 12 2021 Adam Jackson - 1.6.8-5 +- Fix CVE-2021-31535 (#1962439) + +* Tue Nov 3 2020 Michel Dänzer - 1.6.8-4 +- Fix CVE-2020-14363 (#1873923) + +* Mon Feb 24 2020 Adam Jackson - 1.6.8-3 +- Fix race condition in poll_for_reponse + +* Fri Dec 13 2019 Adam Jackson - 1.6.8-2 +- Fix assertion on error in XCopyColormapAndFree + +* Tue Nov 19 2019 Adam Jackson - 1.6.8-1 +- libX11 1.6.8 + +* Tue Oct 09 2018 Adam Jackson - 1.6.7-1 +- libX11 1.6.7 + +* Tue Aug 21 2018 Adam Jackson - 1.6.6-1 +- libX11 1.6.6 + +* Fri Jul 13 2018 Fedora Release Engineering - 1.6.5-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 29 2018 Adam Jackson - 1.6.5-8 +- Use ldconfig scriptlet macros + +* Fri Mar 23 2018 Peter Hutterer 1.6.5-7 +- Fix FTBS caused by fake size in the XimCacheStruct (#1556616) + +* Wed Feb 07 2018 Fedora Release Engineering - 1.6.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Oct 17 2017 Peter Hutterer 1.6.5-5 +- run make check as part of the build (#1502658) + +* Tue Aug 01 2017 Adam Jackson - 1.6.5-4 +- Split libX11-xcb to its own subpackage. This doesn't have much effect at + the moment because x11-xcb.pc still lists both libX11 and libxcb in + Requires, but once that's fixed eg. libEGL should be able to be installed + without libX11. + +* Wed Jul 26 2017 Fedora Release Engineering - 1.6.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri May 12 2017 Hans de Goede - 1.6.5-2 +- Rebuild against new xproto to pick up support for new keysyms + +* Wed Apr 26 2017 Adam Jackson - 1.6.5-1 +- libX11 1.6.5 + +* Thu Feb 16 2017 Rex Dieter - 1.6.4-6 +- create/own /var/cache/libx11/compose (#962764) +- %%build: --disable-silent-rules + +* Fri Feb 10 2017 Fedora Release Engineering - 1.6.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 20 2017 Peter Hutterer 1.6.4-4 +- Actually apply the patch from 1.6.4-3 + +* Mon Jan 09 2017 Peter Hutterer 1.6.4-3 +- Fix a bug in the memory leak fix from 1.6.4-2 + +* Thu Jan 05 2017 Peter Hutterer 1.6.4-2 +- Plug a memory leak in XListFonts() + +* Wed Oct 05 2016 Adam Jackson - 1.6.4-1 +- libX11 1.6.4 + +* Thu Feb 04 2016 Fedora Release Engineering - 1.6.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 28 2016 Peter Hutterer +- Remove unnecessary defattr + +* Wed Jun 17 2015 Fedora Release Engineering - 1.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Mar 10 2015 Adam Jackson 1.6.3-1 +- libX11 1.6.3 + +* Sun Aug 17 2014 Fedora Release Engineering - 1.6.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Jun 30 2014 Adam Jackson 1.6.2-1 +- libX11 1.6.2 plus a fix for interleaved xcb/xlib usage +- Use >= for the -common Requires + +* Sat Jun 07 2014 Fedora Release Engineering - 1.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Jul 30 2013 Peter Hutterer 1.6.1-1 +- libX11 1.6.1 + +* Tue Jun 04 2013 Peter Hutterer 1.6.0-1 +- libX11 1.6.0 diff --git a/sources b/sources new file mode 100644 index 0000000..b8eaa55 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libX11-1.6.8.tar.bz2) = 1de8e0ec466308bc48946d1ce7a7dc6bd3120b1b365cd01afd1bd51dd7369e3d1870dd379b0b7c5b07699095d59761bd23e2e02ab60929de32c39b6885016e76