Date: Mon, 9 Oct 2017 19:30:27 +0000 (UTC) From: Koop Mast <kwm@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r451632 - in head/x11-servers: xorg-nestserver xorg-server xorg-server/files xorg-vfbserver xwayland Message-ID: <201710091930.v99JURro039227@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kwm Date: Mon Oct 9 19:30:27 2017 New Revision: 451632 URL: https://svnweb.freebsd.org/changeset/ports/451632 Log: Fix security issues: CVE-2017-13721 and CVE-2017-13723 in xorg-server. Bump all the slaves due to not being sure where the shared code is used. MFH: 2017Q4 Security: 4f8ffb9c-f388-4fbd-b90f-b3131559d888 Added: head/x11-servers/xorg-server/files/patch-CVE-2017-13721 (contents, props changed) head/x11-servers/xorg-server/files/patch-CVE-2017-13723 (contents, props changed) Modified: head/x11-servers/xorg-nestserver/Makefile head/x11-servers/xorg-server/Makefile head/x11-servers/xorg-vfbserver/Makefile head/x11-servers/xwayland/Makefile Modified: head/x11-servers/xorg-nestserver/Makefile ============================================================================== --- head/x11-servers/xorg-nestserver/Makefile Mon Oct 9 19:29:14 2017 (r451631) +++ head/x11-servers/xorg-nestserver/Makefile Mon Oct 9 19:30:27 2017 (r451632) @@ -3,6 +3,7 @@ PORTNAME= xorg-nestserver PORTVERSION= 1.19.1 +PORTREVISION= 1 PORTEPOCH= 2 COMMENT= Nesting X server from X.Org @@ -25,6 +26,9 @@ CONFIGURE_ARGS+=--enable-xnest --disable-dmx --disable --disable-xwayland PLIST_FILES= bin/Xnest man/man1/Xnest.1.gz + +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 do-install: cd ${WRKSRC}/hw/xnest; DESTDIR=${STAGEDIR} ${MAKE} install Modified: head/x11-servers/xorg-server/Makefile ============================================================================== --- head/x11-servers/xorg-server/Makefile Mon Oct 9 19:29:14 2017 (r451631) +++ head/x11-servers/xorg-server/Makefile Mon Oct 9 19:30:27 2017 (r451632) @@ -3,7 +3,7 @@ PORTNAME?= xorg-server PORTVERSION?= 1.18.4 -PORTREVISION?= 3 +PORTREVISION?= 4 PORTEPOCH?= 1 CATEGORIES= x11-servers MASTER_SITES= XORG/individual/xserver Added: head/x11-servers/xorg-server/files/patch-CVE-2017-13721 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11-servers/xorg-server/files/patch-CVE-2017-13721 Mon Oct 9 19:30:27 2017 (r451632) @@ -0,0 +1,26 @@ +From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Fri, 28 Jul 2017 16:27:10 +0200 +Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721) + +Otherwise it can belong to a non-existing client and abort X server with +FatalError "client not in use", or overwrite existing segment of another +existing client. + +Signed-off-by: Julien Cristau <jcristau@debian.org> + +diff --git a/Xext/shm.c b/Xext/shm.c +index 91ea90b..2f9a788 100644 +--- Xext/shm.c ++++ Xext/shm.c +@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client) + }; + + REQUEST_SIZE_MATCH(xShmCreateSegmentReq); ++ LEGAL_NEW_RESOURCE(stuff->shmseg, client); + if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) { + client->errorValue = stuff->readOnly; + return BadValue; +-- +cgit v0.10.2 + Added: head/x11-servers/xorg-server/files/patch-CVE-2017-13723 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11-servers/xorg-server/files/patch-CVE-2017-13723 Mon Oct 9 19:30:27 2017 (r451632) @@ -0,0 +1,115 @@ +From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001 +From: Keith Packard <keithp@keithp.com> +Date: Thu, 27 Jul 2017 10:08:32 -0700 +Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723) + +Generating strings for XKB data used a single shared static buffer, +which offered several opportunities for errors. Use a ring of +resizable buffers instead, to avoid problems when strings end up +longer than anticipated. + +Reviewed-by: Michal Srb <msrb@suse.com> +Signed-off-by: Keith Packard <keithp@keithp.com> +Signed-off-by: Julien Cristau <jcristau@debian.org> + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index ead2b1a..d2a2567 100644 +--- xkb/xkbtext.c ++++ xkb/xkbtext.c +@@ -47,23 +47,27 @@ + + /***====================================================================***/ + +-#define BUFFER_SIZE 512 +- +-static char textBuffer[BUFFER_SIZE]; +-static int tbNext = 0; ++#define NUM_BUFFER 8 ++static struct textBuffer { ++ int size; ++ char *buffer; ++} textBuffer[NUM_BUFFER]; ++static int textBufferIndex; + + static char * + tbGetBuffer(unsigned size) + { +- char *rtrn; ++ struct textBuffer *tb; + +- if (size >= BUFFER_SIZE) +- return NULL; +- if ((BUFFER_SIZE - tbNext) <= size) +- tbNext = 0; +- rtrn = &textBuffer[tbNext]; +- tbNext += size; +- return rtrn; ++ tb = &textBuffer[textBufferIndex]; ++ textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER; ++ ++ if (size > tb->size) { ++ free(tb->buffer); ++ tb->buffer = xnfalloc(size); ++ tb->size = size; ++ } ++ return tb->buffer; + } + + /***====================================================================***/ +@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format) + int len; + + len = strlen(atmstr) + 1; +- if (len > BUFFER_SIZE) +- len = BUFFER_SIZE - 2; + rtrn = tbGetBuffer(len); + strlcpy(rtrn, atmstr, len); + } +@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + len = strlen(tmp) + 1; + if (format == XkbCFile) + len += 4; +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len); + if (format == XkbCFile) { + strcpy(rtrn, "vmod_"); +@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + return rtrn; + } + ++#define VMOD_BUFFER_SIZE 512 ++ + char * + XkbVModMaskText(XkbDescPtr xkb, + unsigned modMask, unsigned mask, unsigned format) +@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb, + register int i, bit; + int len; + char *mm, *rtrn; +- char *str, buf[BUFFER_SIZE]; ++ char *str, buf[VMOD_BUFFER_SIZE]; + + if ((modMask == 0) && (mask == 0)) { + rtrn = tbGetBuffer(5); +@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= BUFFER_SIZE) { ++ if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { + if (str != buf) { + if (format == XkbCFile) + *str++ = '|'; +@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb, + len = 0; + if (str) + len += strlen(str) + (mm == NULL ? 0 : 1); +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len + 1); + rtrn[0] = '\0'; + +-- +cgit v0.10.2 + Modified: head/x11-servers/xorg-vfbserver/Makefile ============================================================================== --- head/x11-servers/xorg-vfbserver/Makefile Mon Oct 9 19:29:14 2017 (r451631) +++ head/x11-servers/xorg-vfbserver/Makefile Mon Oct 9 19:30:27 2017 (r451632) @@ -3,6 +3,7 @@ PORTNAME= xorg-vfbserver PORTVERSION= 1.19.1 +PORTREVISION= 1 PORTEPOCH= 1 COMMENT= X virtual framebuffer server from X.Org @@ -23,6 +24,9 @@ CONFIGURE_ARGS+=--enable-xvfb --disable-dmx --disable- --disable-xwayland PLIST_FILES= bin/Xvfb man/man1/Xvfb.1.gz + +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 do-install: cd ${WRKSRC}/hw/vfb; DESTDIR=${STAGEDIR} ${MAKE} install Modified: head/x11-servers/xwayland/Makefile ============================================================================== --- head/x11-servers/xwayland/Makefile Mon Oct 9 19:29:14 2017 (r451631) +++ head/x11-servers/xwayland/Makefile Mon Oct 9 19:30:27 2017 (r451632) @@ -2,6 +2,7 @@ PORTNAME= xwayland PORTVERSION= 1.19.1 +PORTREVISION= 1 COMMENT= X Clients under Wayland @@ -27,6 +28,9 @@ CONFIGURE_ARGS+= --disable-docs --disable-devel-docs \ --disable-xquartz --disable-xwin PLIST_FILES= bin/Xwayland + +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 do-install: cd ${WRKSRC}/hw/xwayland; DESTDIR=${STAGEDIR} ${MAKE_CMD} install
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201710091930.v99JURro039227>