From 87597971a8202f7054a6b6de1bd2694f66e49157 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Wed, 1 Nov 2023 08:50:11 +0100 Subject: main/libx11: security upgrade to 1.8.7 - CVE-2023-43785 - CVE-2023-43786 - CVE-2023-43787 ref: https://gitlab.alpinelinux.org/alpine/aports/-/issues/15425 (cherry picked from commit 659ef3a25fa07768ad1cd89570951dee794fc8bf) (cherry picked from commit 746e74770ab323ae42ce36afc41c7a368a89b020) --- main/libx11/APKBUILD | 15 +++--- main/libx11/CVE-2023-3138.patch | 110 ---------------------------------------- 2 files changed, 8 insertions(+), 117 deletions(-) delete mode 100644 main/libx11/CVE-2023-3138.patch diff --git a/main/libx11/APKBUILD b/main/libx11/APKBUILD index 9fc97e2f5d1..04b7ba2af4b 100644 --- a/main/libx11/APKBUILD +++ b/main/libx11/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=libx11 -pkgver=1.8 -pkgrel=1 +pkgver=1.8.7 +pkgrel=0 pkgdesc="X11 client-side library" url="http://xorg.freedesktop.org/" arch="all" @@ -9,12 +9,14 @@ license="custom:XFREE86" subpackages="$pkgname-static $pkgname-dev $pkgname-doc" depends_dev="libxcb-dev xtrans" makedepends="$depends_dev xorgproto util-macros xmlto" -source="https://www.x.org/releases/individual/lib/libX11-$pkgver.tar.xz - CVE-2023-3138.patch - " +source="https://www.x.org/releases/individual/lib/libX11-$pkgver.tar.xz" builddir="$srcdir"/libX11-$pkgver # secfixes: +# 1.8.7-r0: +# - CVE-2023-43785 +# - CVE-2023-43786 +# - CVE-2023-43787 # 1.8-r1: # - CVE-2023-3138 # 1.7.1-r0: @@ -50,6 +52,5 @@ package() { } sha512sums=" -64899ba9efbda00211daf08534a2a98eba86bb377980d21ce319106075cd36b511b17245d02e8ebd1045e7c2147f2c005004bcf579121138be7a7b879eeca83b libX11-1.8.tar.xz -6bd3cd9d50c9b7fc46c0ac769fe2b7a1b819ff828dda477368e07aa7bb6020c4efe75d8d63c4c9778879010add31e82fc0fe33d376e8cd6957ed097d77426e0f CVE-2023-3138.patch +d53bfc18f38d339a6a695b09835b2ae96b323881678bfe7ddca697605e3bdf4102ff49cc3078880a6c55b5977fcdd0aadaf5429086132de3a5bda302f79a2fa6 libX11-1.8.7.tar.xz " diff --git a/main/libx11/CVE-2023-3138.patch b/main/libx11/CVE-2023-3138.patch deleted file mode 100644 index 18a18653a87..00000000000 --- a/main/libx11/CVE-2023-3138.patch +++ /dev/null @@ -1,110 +0,0 @@ -Patch-Source: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c --- -From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 10 Jun 2023 16:30:07 -0700 -Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, & - error codes - -Fixes CVE-2023-3138: X servers could return values from XQueryExtension -that would cause Xlib to write entries out-of-bounds of the arrays to -store them, though this would only overwrite other parts of the Display -struct, not outside the bounds allocated for that structure. - -Reported-by: Gregory James DUCK -Signed-off-by: Alan Coopersmith ---- - src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 42 insertions(+) - -diff --git a/src/InitExt.c b/src/InitExt.c -index 4de46f15..afc00a6b 100644 ---- a/src/InitExt.c -+++ b/src/InitExt.c -@@ -33,6 +33,18 @@ from The Open Group. - #include - #include - -+/* The X11 protocol spec reserves events 64 through 127 for extensions */ -+#ifndef LastExtensionEvent -+#define LastExtensionEvent 127 -+#endif -+ -+/* The X11 protocol spec reserves requests 128 through 255 for extensions */ -+#ifndef LastExtensionRequest -+#define FirstExtensionRequest 128 -+#define LastExtensionRequest 255 -+#endif -+ -+ - /* - * This routine is used to link a extension in so it will be called - * at appropriate times. -@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent( - WireToEventType proc) /* routine to call when converting event */ - { - register WireToEventType oldproc; -+ if (event_number < 0 || -+ event_number > LastExtensionEvent) { -+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", -+ event_number); -+ return (WireToEventType)_XUnknownWireEvent; -+ } - if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent; - LockDisplay (dpy); - oldproc = dpy->event_vec[event_number]; -@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie( - ) - { - WireToEventCookieType oldproc; -+ if (extension < FirstExtensionRequest || -+ extension > LastExtensionRequest) { -+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", -+ extension); -+ return (WireToEventCookieType)_XUnknownWireEventCookie; -+ } - if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie; - LockDisplay (dpy); - oldproc = dpy->generic_event_vec[extension & 0x7F]; -@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie( - ) - { - CopyEventCookieType oldproc; -+ if (extension < FirstExtensionRequest || -+ extension > LastExtensionRequest) { -+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n", -+ extension); -+ return (CopyEventCookieType)_XUnknownCopyEventCookie; -+ } - if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie; - LockDisplay (dpy); - oldproc = dpy->generic_event_copy_vec[extension & 0x7F]; -@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire( - EventToWireType proc) /* routine to call when converting event */ - { - register EventToWireType oldproc; -+ if (event_number < 0 || -+ event_number > LastExtensionEvent) { -+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n", -+ event_number); -+ return (EventToWireType)_XUnknownNativeEvent; -+ } - if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent; - LockDisplay (dpy); - oldproc = dpy->wire_vec[event_number]; -@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError( - WireToErrorType proc) /* routine to call when converting error */ - { - register WireToErrorType oldproc = NULL; -+ if (error_number < 0 || -+ error_number > LastExtensionError) { -+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n", -+ error_number); -+ return (WireToErrorType)_XDefaultWireError; -+ } - if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError; - LockDisplay (dpy); - if (!dpy->error_vec) { --- -GitLab - -- cgit v1.2.3