From fe4c4e5e3854dfd61ca075b960a6dda83de0fbd6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 05 2020 06:10:27 +0000
Subject: import libX11-1.6.8-4.el8
---
diff --git a/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch b/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch
new file mode 100644
index 0000000..cdb3de4
--- /dev/null
+++ b/SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch
@@ -0,0 +1,37 @@
+From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb
+Date: Thu, 13 Aug 2020 18:02:58 +0200
+Subject: [PATCH] Fix an integer overflow in init_om()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-14363
+
+This can lead to a double free later, as reported by Jayden Rivers.
+
+Signed-off-by: Matthieu Herrb
+
+(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d)
+Signed-off-by: Michel Dänzer
+---
+ modules/om/generic/omGeneric.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
+index 22f826ec..bcfb9ab8 100644
+--- a/modules/om/generic/omGeneric.c
++++ b/modules/om/generic/omGeneric.c
+@@ -1908,7 +1908,8 @@ init_om(
+ char **required_list;
+ XOrientation *orientation;
+ char **value, buf[BUFSIZ], *bufptr;
+- int count = 0, num = 0, length = 0;
++ int count = 0, num = 0;
++ unsigned int length = 0;
+
+ _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
+ if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
+--
+2.28.0
+
diff --git a/SPECS/libX11.spec b/SPECS/libX11.spec
index 2bf1f9c..6e27686 100644
--- a/SPECS/libX11.spec
+++ b/SPECS/libX11.spec
@@ -5,7 +5,7 @@
 Summary: Core X11 protocol client library
 Name: libX11
 Version: 1.6.8
-Release: 3%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
+Release: 4%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
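Review bot: In the omGeneric.c hunk carried by the new 0001-Fix-an-integer-overflow-in-init_om.patch, `unsigned int length = 0;` stops the counter from going negative but does not stop it from overflowing, since an unsigned total still wraps around to a small value. The statements that add to `length` and consume it are outside the hunk (init_om's body continues past it), so this is inferred, but if the total is later used as an allocation size, a wrapped value would still under-allocate. Consider `size_t length = 0;` plus a check before each addition that the increment does not exceed `SIZE_MAX - length`, failing through the function's existing error path. The declaration would also benefit from a one-line comment such as `/* unsigned: running total must not go negative (CVE-2020-14363) */`, so the split from `count` and `num` is not undone in a later cleanup.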
@@ -22,6 +22,9 @@ Patch2: dont-forward-keycode-0.patch
 Patch3: 0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch
 Patch4: 0001-Fix-poll_for_response-race-condition.patch
 
+# CVE-2020-14363
+Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
+
 BuildRequires: xorg-x11-util-macros >= 1.11
 BuildRequires: pkgconfig(xproto) >= 7.0.15
 BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
@@ -64,6 +67,7 @@ libX11/libxcb interoperability library
 %patch2 -p1 -b .dont-forward-keycode-0
 %patch3 -p1 -b .copycolormapandfree
 %patch4 -p1 -b .race
+%patch5 -p1 -b .fix-an-integer-overflow-in-init_om
 
 %build
 autoreconf -v --install --force
@@ -128,6 +132,9 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*
 
 %changelog
+* Tue Nov 3 2020 Michel Dänzer - 1.6.8-4
+- Fix CVE-2020-14363 (#1873923)
+
 * Mon Feb 24 2020 Adam Jackson - 1.6.8-3
 - Fix race condition in poll_for_reponse