svn commit: r451632 - in head/x11-servers: xorg-nestserver xorg-server xorg-server/files xorg-vfbserver xwayland
Koop Mast
kwm at FreeBSD.org
Mon Oct 9 19:30:29 UTC 2017
Author: kwm
Date: Mon Oct 9 19:30:27 2017
New Revision: 451632
URL: https://svnweb.freebsd.org/changeset/ports/451632
Log:
Fix security issues: CVE-2017-13721 and CVE-2017-13723 in xorg-server.
Bump all the slaves due to not being sure where the shared code is used.
MFH: 2017Q4
Security: 4f8ffb9c-f388-4fbd-b90f-b3131559d888
Added:
head/x11-servers/xorg-server/files/patch-CVE-2017-13721 (contents, props changed)
head/x11-servers/xorg-server/files/patch-CVE-2017-13723 (contents, props changed)
Modified:
head/x11-servers/xorg-nestserver/Makefile
head/x11-servers/xorg-server/Makefile
head/x11-servers/xorg-vfbserver/Makefile
head/x11-servers/xwayland/Makefile
Modified: head/x11-servers/xorg-nestserver/Makefile
==============================================================================
--- head/x11-servers/xorg-nestserver/Makefile Mon Oct 9 19:29:14 2017 (r451631)
+++ head/x11-servers/xorg-nestserver/Makefile Mon Oct 9 19:30:27 2017 (r451632)
@@ -3,6 +3,7 @@
PORTNAME= xorg-nestserver
PORTVERSION= 1.19.1
+PORTREVISION= 1
PORTEPOCH= 2
COMMENT= Nesting X server from X.Org
@@ -25,6 +26,9 @@ CONFIGURE_ARGS+=--enable-xnest --disable-dmx --disable
--disable-xwayland
PLIST_FILES= bin/Xnest man/man1/Xnest.1.gz
+
+EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \
+ ${MASTERDIR}/files/patch-CVE-2017-13723
do-install:
cd ${WRKSRC}/hw/xnest; DESTDIR=${STAGEDIR} ${MAKE} install
Modified: head/x11-servers/xorg-server/Makefile
==============================================================================
--- head/x11-servers/xorg-server/Makefile Mon Oct 9 19:29:14 2017 (r451631)
+++ head/x11-servers/xorg-server/Makefile Mon Oct 9 19:30:27 2017 (r451632)
@@ -3,7 +3,7 @@
PORTNAME?= xorg-server
PORTVERSION?= 1.18.4
-PORTREVISION?= 3
+PORTREVISION?= 4
PORTEPOCH?= 1
CATEGORIES= x11-servers
MASTER_SITES= XORG/individual/xserver
Added: head/x11-servers/xorg-server/files/patch-CVE-2017-13721
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11-servers/xorg-server/files/patch-CVE-2017-13721 Mon Oct 9 19:30:27 2017 (r451632)
@@ -0,0 +1,26 @@
+From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb at suse.com>
+Date: Fri, 28 Jul 2017 16:27:10 +0200
+Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721)
+
+Otherwise it can belong to a non-existing client and abort X server with
+FatalError "client not in use", or overwrite existing segment of another
+existing client.
+
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+
+diff --git a/Xext/shm.c b/Xext/shm.c
+index 91ea90b..2f9a788 100644
+--- Xext/shm.c
++++ Xext/shm.c
+@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client)
+ };
+
+ REQUEST_SIZE_MATCH(xShmCreateSegmentReq);
++ LEGAL_NEW_RESOURCE(stuff->shmseg, client);
+ if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) {
+ client->errorValue = stuff->readOnly;
+ return BadValue;
+--
+cgit v0.10.2
+
Added: head/x11-servers/xorg-server/files/patch-CVE-2017-13723
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11-servers/xorg-server/files/patch-CVE-2017-13723 Mon Oct 9 19:30:27 2017 (r451632)
@@ -0,0 +1,115 @@
+From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp at keithp.com>
+Date: Thu, 27 Jul 2017 10:08:32 -0700
+Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723)
+
+Generating strings for XKB data used a single shared static buffer,
+which offered several opportunities for errors. Use a ring of
+resizable buffers instead, to avoid problems when strings end up
+longer than anticipated.
+
+Reviewed-by: Michal Srb <msrb at suse.com>
+Signed-off-by: Keith Packard <keithp at keithp.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index ead2b1a..d2a2567 100644
+--- xkb/xkbtext.c
++++ xkb/xkbtext.c
+@@ -47,23 +47,27 @@
+
+ /***====================================================================***/
+
+-#define BUFFER_SIZE 512
+-
+-static char textBuffer[BUFFER_SIZE];
+-static int tbNext = 0;
++#define NUM_BUFFER 8
++static struct textBuffer {
++ int size;
++ char *buffer;
++} textBuffer[NUM_BUFFER];
++static int textBufferIndex;
+
+ static char *
+ tbGetBuffer(unsigned size)
+ {
+- char *rtrn;
++ struct textBuffer *tb;
+
+- if (size >= BUFFER_SIZE)
+- return NULL;
+- if ((BUFFER_SIZE - tbNext) <= size)
+- tbNext = 0;
+- rtrn = &textBuffer[tbNext];
+- tbNext += size;
+- return rtrn;
++ tb = &textBuffer[textBufferIndex];
++ textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER;
++
++ if (size > tb->size) {
++ free(tb->buffer);
++ tb->buffer = xnfalloc(size);
++ tb->size = size;
++ }
++ return tb->buffer;
+ }
+
+ /***====================================================================***/
+@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format)
+ int len;
+
+ len = strlen(atmstr) + 1;
+- if (len > BUFFER_SIZE)
+- len = BUFFER_SIZE - 2;
+ rtrn = tbGetBuffer(len);
+ strlcpy(rtrn, atmstr, len);
+ }
+@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+ len = strlen(tmp) + 1;
+ if (format == XkbCFile)
+ len += 4;
+- if (len >= BUFFER_SIZE)
+- len = BUFFER_SIZE - 1;
+ rtrn = tbGetBuffer(len);
+ if (format == XkbCFile) {
+ strcpy(rtrn, "vmod_");
+@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+ return rtrn;
+ }
+
++#define VMOD_BUFFER_SIZE 512
++
+ char *
+ XkbVModMaskText(XkbDescPtr xkb,
+ unsigned modMask, unsigned mask, unsigned format)
+@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+ register int i, bit;
+ int len;
+ char *mm, *rtrn;
+- char *str, buf[BUFFER_SIZE];
++ char *str, buf[VMOD_BUFFER_SIZE];
+
+ if ((modMask == 0) && (mask == 0)) {
+ rtrn = tbGetBuffer(5);
+@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+ len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+ if (format == XkbCFile)
+ len += 4;
+- if ((str - (buf + len)) <= BUFFER_SIZE) {
++ if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+ if (str != buf) {
+ if (format == XkbCFile)
+ *str++ = '|';
+@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb,
+ len = 0;
+ if (str)
+ len += strlen(str) + (mm == NULL ? 0 : 1);
+- if (len >= BUFFER_SIZE)
+- len = BUFFER_SIZE - 1;
+ rtrn = tbGetBuffer(len + 1);
+ rtrn[0] = '\0';
+
+--
+cgit v0.10.2
+
Modified: head/x11-servers/xorg-vfbserver/Makefile
==============================================================================
--- head/x11-servers/xorg-vfbserver/Makefile Mon Oct 9 19:29:14 2017 (r451631)
+++ head/x11-servers/xorg-vfbserver/Makefile Mon Oct 9 19:30:27 2017 (r451632)
@@ -3,6 +3,7 @@
PORTNAME= xorg-vfbserver
PORTVERSION= 1.19.1
+PORTREVISION= 1
PORTEPOCH= 1
COMMENT= X virtual framebuffer server from X.Org
@@ -23,6 +24,9 @@ CONFIGURE_ARGS+=--enable-xvfb --disable-dmx --disable-
--disable-xwayland
PLIST_FILES= bin/Xvfb man/man1/Xvfb.1.gz
+
+EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \
+ ${MASTERDIR}/files/patch-CVE-2017-13723
do-install:
cd ${WRKSRC}/hw/vfb; DESTDIR=${STAGEDIR} ${MAKE} install
Modified: head/x11-servers/xwayland/Makefile
==============================================================================
--- head/x11-servers/xwayland/Makefile Mon Oct 9 19:29:14 2017 (r451631)
+++ head/x11-servers/xwayland/Makefile Mon Oct 9 19:30:27 2017 (r451632)
@@ -2,6 +2,7 @@
PORTNAME= xwayland
PORTVERSION= 1.19.1
+PORTREVISION= 1
COMMENT= X Clients under Wayland
@@ -27,6 +28,9 @@ CONFIGURE_ARGS+= --disable-docs --disable-devel-docs \
--disable-xquartz --disable-xwin
PLIST_FILES= bin/Xwayland
+
+EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \
+ ${MASTERDIR}/files/patch-CVE-2017-13723
do-install:
cd ${WRKSRC}/hw/xwayland; DESTDIR=${STAGEDIR} ${MAKE_CMD} install
More information about the svn-ports-head
mailing list