author | Natanael Copa <ncopa@alpinelinux.org> | 2023-11-01 08:50:11 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2023-11-01 08:57:06 +0100 |
commit | 87597971a8202f7054a6b6de1bd2694f66e49157 (patch) | |
tree | 11447b155d7db71cb36c9b8c44d0ba80c893281c | |
parent | 0276255a68be6b154f7adb48b57f5bede26c167e (diff) |
main/libx11: security upgrade to 1.8.7
- CVE-2023-43785
- CVE-2023-43786
- CVE-2023-43787
ref: https://gitlab.alpinelinux.org/alpine/aports/-/issues/15425
(cherry picked from commit 659ef3a25fa07768ad1cd89570951dee794fc8bf)
(cherry picked from commit 746e74770ab323ae42ce36afc41c7a368a89b020)
-rw-r--r-- | main/libx11/APKBUILD | 15 | ||||
-rw-r--r-- | main/libx11/CVE-2023-3138.patch | 110 |
2 files changed, 8 insertions, 117 deletions
diff --git a/main/libx11/APKBUILD b/main/libx11/APKBUILD
index 9fc97e2f5d1..04b7ba2af4b 100644
--- a/main/libx11/APKBUILD
+++ b/main/libx11/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libx11
-pkgver=1.8
-pkgrel=1
+pkgver=1.8.7
+pkgrel=0
 pkgdesc="X11 client-side library"
 url="http://xorg.freedesktop.org/"
 arch="all"
@@ -9,12 +9,14 @@ license="custom:XFREE86"
 subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
 depends_dev="libxcb-dev xtrans"
 makedepends="$depends_dev xorgproto util-macros xmlto"
-source="https://www.x.org/releases/individual/lib/libX11-$pkgver.tar.xz
- CVE-2023-3138.patch
- "
+source="https://www.x.org/releases/individual/lib/libX11-$pkgver.tar.xz"
 builddir="$srcdir"/libX11-$pkgver
 # secfixes:
+# 1.8.7-r0:
+# - CVE-2023-43785
+# - CVE-2023-43786
+# - CVE-2023-43787
 # 1.8-r1:
 # - CVE-2023-3138
 # 1.7.1-r0:
@@ -50,6 +52,5 @@ package() {
 }
 sha512sums="
-64899ba9efbda00211daf08534a2a98eba86bb377980d21ce319106075cd36b511b17245d02e8ebd1045e7c2147f2c005004bcf579121138be7a7b879eeca83b libX11-1.8.tar.xz
-6bd3cd9d50c9b7fc46c0ac769fe2b7a1b819ff828dda477368e07aa7bb6020c4efe75d8d63c4c9778879010add31e82fc0fe33d376e8cd6957ed097d77426e0f CVE-2023-3138.patch
+d53bfc18f38d339a6a695b09835b2ae96b323881678bfe7ddca697605e3bdf4102ff49cc3078880a6c55b5977fcdd0aadaf5429086132de3a5bda302f79a2fa6 libX11-1.8.7.tar.xz
 "
diff --git a/main/libx11/CVE-2023-3138.patch b/main/libx11/CVE-2023-3138.patch
deleted file mode 100644
index 18a18653a87..00000000000
--- a/main/libx11/CVE-2023-3138.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-Patch-Source: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c
---
-From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 10 Jun 2023 16:30:07 -0700
-Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
- error codes
-
-Fixes CVE-2023-3138: X servers could return values from XQueryExtension
-that would cause Xlib to write entries out-of-bounds of the arrays to
-store them, though this would only overwrite other parts of the Display
-struct, not outside the bounds allocated for that structure.
-
-Reported-by: Gregory James DUCK <gjduck@gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 42 insertions(+)
-
-diff --git a/src/InitExt.c b/src/InitExt.c
-index 4de46f15..afc00a6b 100644
---- a/src/InitExt.c
-+++ b/src/InitExt.c
-@@ -33,6 +33,18 @@ from The Open Group.
- #include <X11/Xos.h>
- #include <stdio.h>
- 
-+/* The X11 protocol spec reserves events 64 through 127 for extensions */
-+#ifndef LastExtensionEvent
-+#define LastExtensionEvent 127
-+#endif
-+
-+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
-+#ifndef LastExtensionRequest
-+#define FirstExtensionRequest 128
-+#define LastExtensionRequest 255
-+#endif
-+
-+
- /*
- * This routine is used to link a extension in so it will be called
- * at appropriate times.
-@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
- WireToEventType proc) /* routine to call when converting event */
- {
- register WireToEventType oldproc;
-+ if (event_number < 0 ||
-+ event_number > LastExtensionEvent) {
-+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
-+ event_number);
-+ return (WireToEventType)_XUnknownWireEvent;
-+ }
- if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
- LockDisplay (dpy);
- oldproc = dpy->event_vec[event_number];
-@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
- )
- {
- WireToEventCookieType oldproc;
-+ if (extension < FirstExtensionRequest ||
-+ extension > LastExtensionRequest) {
-+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
-+ extension);
-+ return (WireToEventCookieType)_XUnknownWireEventCookie;
-+ }
- if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
- LockDisplay (dpy);
- oldproc = dpy->generic_event_vec[extension & 0x7F];
-@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
- )
- {
- CopyEventCookieType oldproc;
-+ if (extension < FirstExtensionRequest ||
-+ extension > LastExtensionRequest) {
-+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
-+ extension);
-+ return (CopyEventCookieType)_XUnknownCopyEventCookie;
-+ }
- if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
- LockDisplay (dpy);
- oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
-@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
- EventToWireType proc) /* routine to call when converting event */
- {
- register EventToWireType oldproc;
-+ if (event_number < 0 ||
-+ event_number > LastExtensionEvent) {
-+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
-+ event_number);
-+ return (EventToWireType)_XUnknownNativeEvent;
-+ }
- if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
- LockDisplay (dpy);
- oldproc = dpy->wire_vec[event_number];
-@@ -325,6 +361,12 @@
WireToErrorType XESetWireToError(
- WireToErrorType proc) /* routine to call when converting error */
- {
- register WireToErrorType oldproc = NULL;
-+ if (error_number < 0 ||
-+ error_number > LastExtensionError) {
-+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
-+ error_number);
-+ return (WireToErrorType)_XDefaultWireError;
-+ }
- if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
- LockDisplay (dpy);
- if (!dpy->error_vec) {
---
-GitLab
- |