diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ad04b75
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libICE-1.0.9.tar.bz2
diff --git a/.libICE.metadata b/.libICE.metadata
new file mode 100644
index 0000000..9d11229
--- /dev/null
+++ b/.libICE.metadata
@@ -0,0 +1 @@
+3c3a857a117ce48a1947a16860056e77cd494fdf SOURCES/libICE-1.0.9.tar.bz2
diff --git a/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch b/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch
new file mode 100644
index 0000000..f7d6640
--- /dev/null
+++ b/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch
@@ -0,0 +1,143 @@
+From 8044880840bcde6f15a078e267cf163072ac1878 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires
+Date: Tue, 4 Apr 2017 19:12:53 +0200
+Subject: [PATCH libICE 1/2] Use getentropy() if arc4random_buf() is not
+ available
+
+This allows to fix CVE-2017-2626 on Linux platforms without pulling in
+libbsd.
+The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
+For Linux, we need at least a v3.17 kernel. If the recommended
+arc4random_buf() function is not available, emulate it by first trying
+to use getentropy() on a supported glibc and kernel. If the call fails,
+fall back to the current (partly vulnerable) code.
+
+Signed-off-by: Benjamin Tissoires
+Reviewed-by: Mark Kettenis
+Reviewed-by: Alan Coopersmith
+Signed-off-by: Peter Hutterer
+---
+ configure.ac | 2 +-
+ src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 47 insertions(+), 20 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 458882a..c971ab6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
+
+ # Checks for library functions.
+ AC_CHECK_LIB([bsd], [arc4random_buf])
+-AC_CHECK_FUNCS([asprintf arc4random_buf])
++AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
+
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+diff --git a/src/iceauth.c b/src/iceauth.c
+index ef66626..9b77eac 100644
+--- a/src/iceauth.c
++++ b/src/iceauth.c
+@@ -42,31 +42,19 @@ Author: Ralph Mor, X Consortium
+
+ static int was_called_state;
+
+-/*
+- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
+- * the SI. It is not part of standard ICElib.
+- */
++#ifndef HAVE_ARC4RANDOM_BUF
+
+-
+-char *
+-IceGenerateMagicCookie (
++static void
++emulate_getrandom_buf (
++ char *auth,
+ int len
+ )
+ {
+- char *auth;
+-#ifndef HAVE_ARC4RANDOM_BUF
+ long ldata[2];
+ int seed;
+ int value;
+ int i;
+-#endif
+
+- if ((auth = malloc (len + 1)) == NULL)
+- return (NULL);
+-
+-#ifdef HAVE_ARC4RANDOM_BUF
+- arc4random_buf(auth, len);
+-#else
+ #ifdef ITIMER_REAL
+ {
+ struct timeval now;
+@@ -74,13 +62,13 @@ IceGenerateMagicCookie (
+ ldata[0] = now.tv_sec;
+ ldata[1] = now.tv_usec;
+ }
+-#else
++#else /* ITIMER_REAL */
+ {
+ long time ();
+ ldata[0] = time ((long *) 0);
+ ldata[1] = getpid ();
+ }
+-#endif
++#endif /* ITIMER_REAL */
+ seed = (ldata[0]) + (ldata[1] << 16);
+ srand (seed);
+ for (i = 0; i < len; i++)
+@@ -88,7 +76,46 @@ IceGenerateMagicCookie (
+ value = rand ();
+ auth[i] = value & 0xff;
+ }
+-#endif
++}
++
++static void
++arc4random_buf (
++ char *auth,
++ int len
++)
++{
++ int ret;
++
++#if HAVE_GETENTROPY
++ /* weak emulation of arc4random through the entropy libc */
++ ret = getentropy (auth, len);
++ if (ret == 0)
++ return;
++#endif /* HAVE_GETENTROPY */
++
++ emulate_getrandom_buf (auth, len);
++}
++
++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
++
++/*
++ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
++ * the SI. It is not part of standard ICElib.
++ */
++
++
++char *
++IceGenerateMagicCookie (
++ int len
++)
++{
++ char *auth;
++
++ if ((auth = malloc (len + 1)) == NULL)
++ return (NULL);
++
++ arc4random_buf (auth, len);
++
+ auth[len] = '\0';
+ return (auth);
+ }
+--
+2.9.3
+
diff --git a/SOURCES/0002-Add-getentropy-emulation-through-syscall.patch b/SOURCES/0002-Add-getentropy-emulation-through-syscall.patch
new file mode 100644
index 0000000..b834230
--- /dev/null
+++ b/SOURCES/0002-Add-getentropy-emulation-through-syscall.patch
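Review bot: The static `arc4random_buf()` added in the third iceauth.c hunk ignores why getentropy() failed and silently continues into `emulate_getrandom_buf()`, so a cookie can still come from `srand()` seeded with the clock, with nothing in the source or at run time marking that path as the weak one. getentropy() refuses requests larger than 256 bytes, so any `len` above that would always land on the fallback; asking in chunks of at most 256 bytes, as in the sketch below, avoids that. The sketch also drops `int ret;`, which is unused when HAVE_GETENTROPY is not defined, and adds a comment on the fallback call. Separately, `IceGenerateMagicCookie` still passes `len + 1` to malloc and writes `auth[len]` without rejecting a negative `len`; `if (len < 0) return (NULL);` ahead of the allocation would close that.

```c
static void
arc4random_buf (
    char *auth,
    int len
)
{
#if HAVE_GETENTROPY
    int done = 0;

    /* getentropy() rejects requests above 256 bytes, so ask in chunks */
    while (done < len) {
        int chunk = (len - done > 256) ? 256 : len - done;

        if (getentropy (auth + done, chunk) != 0)
            break;
        done += chunk;
    }
    if (done >= len)
        return;
#endif /* HAVE_GETENTROPY */

    /* last resort: time-seeded rand(), predictable (see CVE-2017-2626) */
    emulate_getrandom_buf (auth, len);
}
```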
@@ -0,0 +1,75 @@
+From 6a92ea98544e0d03d4ce0563ad765ae21773b0fd Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires
+Date: Tue, 25 Apr 2017 11:00:36 +0200
+Subject: [PATCH libICE 2/2] Add getentropy emulation through syscall
+
+RHEL/f24/f25 only patch
+
+Signed-off-by: Benjamin Tissoires
+---
+ src/iceauth.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 49 insertions(+)
+
+diff --git a/src/iceauth.c b/src/iceauth.c
+index 9b77eac..9af62f5 100644
+--- a/src/iceauth.c
++++ b/src/iceauth.c
+@@ -78,6 +78,55 @@ emulate_getrandom_buf (
+ }
+ }
+
++#ifndef HAVE_GETENTROPY
++#include
++#include
++
++/* code taken from libressl, license: */
++/*
++ * Copyright (c) 2014 Theo de Raadt
++ * Copyright (c) 2014 Bob Beck
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ *
++ * Emulation of getentropy(2) as documented at:
++ * http://man.openbsd.org/getentropy.2
++ */
++#ifdef __NR_getrandom
++static int
++getentropy(void *buf, size_t len)
++{
++ int pre_errno = errno;
++ int ret;
++ if (len > 256)
++ return (-1);
++ do {
++ ret = syscall(__NR_getrandom, buf, len, 0);
++ } while (ret == -1 && errno == EINTR);
++
++ if (ret != len)
++ return (-1);
++ errno = pre_errno;
++
++ fprintf(stderr, "generating cookie with syscall\n");
++
++ return (0);
++}
++#define HAVE_GETENTROPY 1
++#endif /* __NR_getrandom */
++
++#endif /* HAVE_GETENTROPY */
++
+ static void
+ arc4random_buf (
+ char *auth,
+--
+2.9.3
+
diff --git a/SPECS/libICE.spec b/SPECS/libICE.spec
new file mode 100644
index 0000000..2a85d88
--- /dev/null
+++ b/SPECS/libICE.spec
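Review bot: The `fprintf(stderr, "generating cookie with syscall\n");` line in the emulated `getentropy()` looks like leftover debugging; a shared library should not write to the host application's stderr each time a cookie is generated, and I would drop the line. `ret` is an `int` compared with the `size_t len` in `if (ret != len)`, which only works through the implicit signed-to-unsigned conversion; `if (ret < 0 || (size_t)ret != len)` states the intent and avoids the sign-compare warning. Every failure here (including a kernel without the getrandom syscall) makes the caller `arc4random_buf()`, whose body lies outside this hunk, fall through to the time-seeded `rand()` path, so a comment such as `/* on failure the caller falls back to the predictable rand() generator */` above the two `return (-1);` lines would make that consequence visible.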
@@ -0,0 +1,258 @@
+Summary: X.Org X11 ICE runtime library
+Name: libICE
+Version: 1.0.9
+Release: 9%{?dist}
+License: MIT
+Group: System Environment/Libraries
+URL: http://www.x.org
+
+Source0: ftp://ftp.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2
+
+Patch0: 0001-Use-getentropy-if-arc4random_buf-is-not-available.patch
+Patch1: 0002-Add-getentropy-emulation-through-syscall.patch
+
+BuildRequires: xorg-x11-util-macros
+BuildRequires: autoconf automake libtool
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-5
+
+%description
+The X.Org X11 ICE (Inter-Client Exchange) runtime library.
+
+%package devel
+Summary: X.Org X11 ICE development package
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The X.Org X11 ICE (Inter-Client Exchange) development package.
+
+%prep
+%setup -q
+
+%patch0 -p1 -b .cve-2017-2626
+%patch1 -p1 -b .cve-2017-2626
+
+%build
+autoreconf -v --install --force
+%configure --disable-static \
+ --without-fop --without-xmlto
+V=1 make %{?_smp_mflags}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+make install DESTDIR=$RPM_BUILD_ROOT
+
+# We intentionally don't ship *.la files
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+
+# adding to installed docs in order to avoid using %%doc magic
+for f in AUTHORS ChangeLog COPYING ; do
+ cp -p $f ${RPM_BUILD_ROOT}%{_docdir}/%{name}/${f}
+done
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files
+%{_libdir}/libICE.so.6
+%{_libdir}/libICE.so.6.3.0
+# not using %%doc because of side-effect (#1001256)
+%dir %{_docdir}/%{name}
+%{_docdir}/%{name}/AUTHORS
+%{_docdir}/%{name}/ChangeLog
+%{_docdir}/%{name}/COPYING
+
+%files devel
+%{_docdir}/%{name}/*.xml
+%{_includedir}/X11/ICE
+%{_libdir}/libICE.so
+%{_libdir}/pkgconfig/ice.pc
+
+%changelog
+* Wed May 03 2017 Benjamin Tissoires 1.0.9-9
+- Add upstream patch to not pull libbsd
+- Add custom patch for Fedora 24 & 25
+
+* Wed Mar 01 2017 Benjamin Tissoires 1.0.9-8
+- Fix changelog
+
+* Wed Mar 01 2017 Benjamin Tissoires 1.0.9-7
+- Use libbsd for randoms (CVE-2017-2626, rhbz#1427715)
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1.0.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Mar 25 2016 Benjamin Tissoires 1.0.9-5
+- Force disable documentation generation
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1.0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1.0.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering - 1.0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 25 2014 Benjamin Tissoires 1.0.9-1
+- libICE 1.0.9
+
+* Sat Jun 07 2014 Fedora Release Engineering - 1.0.8-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Dec 13 2013 Michael Schwendt - 1.0.8-6
+- Fix duplicate documentation (#1001256) by not using %%doc
+- Turn on verbose build output via V=1 make
+- Use %%?_isa in -devel base package dep
+
+* Sat Aug 03 2013 Fedora Release Engineering - 1.0.8-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Mar 07 2013 Peter Hutterer - 1.0.8-5
+- autoreconf needs xorg-x11-util-macros
+
+* Thu Mar 07 2013 Peter Hutterer - 1.0.8-4
+- autoreconf for aarch64
+
+* Thu Feb 14 2013 Fedora Release Engineering - 1.0.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Jul 19 2012 Fedora Release Engineering - 1.0.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Mar 05 2012 Adam Jackson 1.0.8-1
+- libICE 1.0.8
+
+* Fri Jan 13 2012 Fedora Release Engineering - 1.0.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Jun 21 2011 Adam Jackson 1.0.7-1
+- libICE 1.0.7
+
+* Mon Feb 07 2011 Fedora Release Engineering - 1.0.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Sat Dec 12 2009 Robert Scheck 1.0.6-2
+- Own the /usr/include/X11/ICE directory including its content
+
+* Fri Aug 28 2009 Peter Hutterer 1.0.6-1
+- libICE 1.0.6
+
+* Fri Jul 24 2009 Fedora Release Engineering - 1.0.4-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jul 23 2009 Adam Jackson 1.0.4-8
+- Remove useless %%dir
+
+* Wed Feb 25 2009 Fedora Release Engineering - 1.0.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Feb 21 2009 Jason L Tibbitts III - 1.0.4-6
+- Minor tweaks to summaries and descriptions.
+- Don't own /usr/include/X11.
+- Use a regular, unversioned dep on xorg-x11-filesystem.
+
+* Sat Feb 21 2009 Adam Jackson 1.0.4-5
+- Merge review cleanups. (#226027)
+
+* Tue Jul 15 2008 Adam Jackson 1.0.4-4
+- Fix license tag.
+
+* Tue Feb 19 2008 Fedora Release Engineering - 1.0.4-3
+- Autorebuild for GCC 4.3
+
+* Mon Oct 01 2007 Adam Jackson 1.0.4-2
+- Rebuild against xtrans 1.0.3-5 to pick up gethostname() avoidance.
+
+* Mon Sep 24 2007 Adam Jackson 1.0.4-1
+- libICE 1.0.4
+
+* Thu Sep 20 2007 Adam Jackson 1.0.3-5
+- Update xtrans dep and rebuild.
+
+* Mon Sep 17 2007 Adam Jackson 1.0.3-4
+- Rebuild for abstract socket support.
+
+* Tue Aug 21 2007 Adam Jackson - 1.0.3-3
+- Rebuild for build id
+
+* Sat Apr 21 2007 Matthias Clasen 1.0.3-2
+- Don't install INSTALL
+
+* Fri Jan 05 2007 Adam Jackson 1.0.3-1
+- Update to 1.0.3
+
+* Mon Nov 20 2006 Adam Jackson 1.0.2-1
+- Update to 1.0.2.
+
+* Wed Jul 12 2006 Jesse Keating 1.0.1-2.1
+- rebuild
+
+* Mon Jun 05 2006 Mike A. Harris 1.0.1-2
+- Added "Requires: xorg-x11-proto-devel"
+- Replace "makeinstall" with "make install DESTDIR=..."
+- Remove package ownership of mandir/libdir/etc.
+
+* Thu Apr 27 2006 Adam Jackson 1.0.1-1
+- Update to 1.0.1
+
+* Fri Feb 10 2006 Jesse Keating 1.0.0-2.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating 1.0.0-2.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Mon Jan 23 2006 Mike A. Harris 1.0.0-2
+- Bumped and rebuilt
+
+* Fri Dec 16 2005 Mike A. Harris 1.0.0-1
+- Updated libICE to version 1.0.0 from X11R7 RC4
+
+* Tue Dec 13 2005 Mike A. Harris 0.99.2-1
+- Updated libICE to version 0.99.2 from X11R7 RC3
+- Added "Requires(pre): xorg-x11-filesystem >= 0.99.2-3", to ensure
+ that /usr/lib/X11 and /usr/include/X11 pre-exist.
+- Removed 'x' suffix from manpage directories to match RC3 upstream.
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Fri Nov 11 2005 Mike A. Harris 0.99.1-1
+- Updated libICE to version 0.99.1 from X11R7 RC2
+- Changed 'Conflicts: XFree86-devel, xorg-x11-devel' to 'Obsoletes'
+- Changed 'Conflicts: XFree86-libs, xorg-x11-libs' to 'Obsoletes'
+
+
+* Mon Oct 24 2005 Mike A. Harris 0.99.0-5
+- Updated libICE to version 0.99.0 from X11R7 RC1
+
+* Thu Sep 29 2005 Mike A. Harris 0.99.0-4
+- Added BuildRequires: pkgconfig
+
+* Thu Sep 29 2005 Mike A. Harris 0.99.0-3
+- Renamed package to remove "xorg-x11" from the name due to unanimous decision
+ between developers.
+- Use Fedora Extras style BuildRoot tag.
+- Disable static library creation by default.
+- Add missing defattr to devel subpackage
+- Add missing documentation files to doc macro
+
+* Tue Aug 23 2005 Mike A. Harris 0.99.0-2
+- Renamed package to prepend "xorg-x11" to the name for consistency with
+ the rest of the X11R7 packages.
+- Added "Requires: %%{name} = %%{version}-%%{release}" dependency to devel
+ subpackage to ensure the devel package matches the installed shared libs.
+- Added virtual "Provides: lib" and "Provides: lib-devel" to
+ allow applications to use implementation agnostic dependencies.
+- Added post/postun scripts which call ldconfig.
+- Added Conflicts with XFree86-libs and xorg-x11-libs to runtime package,
+ and Conflicts with XFree86-devel and xorg-x11-devel to devel package.
+
+* Mon Aug 22 2005 Mike A. Harris 0.99.0-1
+- Initial build.
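Review bot: `%patch0` and `%patch1` in `%prep` share the backup suffix `-b .cve-2017-2626` although both patches modify src/iceauth.c, so the second backup presumably replaces the first and the pristine file is no longer kept alongside the patched tree. A distinct suffix per patch, for example `%patch1 -p1 -b .getentropy-syscall`, keeps the two apart. Patch1 is described in its own message as "RHEL/f24/f25 only" but is applied unconditionally, so a comment above the `Patch1:` line such as `# downstream only: getentropy() emulation via the getrandom syscall for glibc < 2.25` would tell the next packager when it can be dropped.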