From abc8d8acaec8a316476bd93cae035811fd31869c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 28 2020 06:49:11 +0000
Subject: import libXdmcp-1.1.3-1.el8
---
diff --git a/.gitignore b/.gitignore
index 5367795..031d3be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libXdmcp-1.1.2.tar.bz2
+SOURCES/libXdmcp-1.1.3.tar.bz2
diff --git a/.libXdmcp.metadata b/.libXdmcp.metadata
index 1401e9b..1f94774 100644
--- a/.libXdmcp.metadata
+++ b/.libXdmcp.metadata
@@ -1 +1 @@
-3c09eabb0617c275b5ab09fae021d279a4832cac SOURCES/libXdmcp-1.1.2.tar.bz2
+0a8f8a274f829331efb1e8e2027c38631b204dd0 SOURCES/libXdmcp-1.1.3.tar.bz2
diff --git a/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch b/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch
deleted file mode 100644
index fbe41ed..0000000
--- a/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Tue, 4 Apr 2017 19:13:38 +0200
-Subject: [PATCH libXdmcp 1/3] Use getentropy() if arc4random_buf() is not
- available
-
-This allows to fix CVE-2017-2625 on Linux platforms without pulling in
-libbsd.
-The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
-For Linux, we need at least a v3.17 kernel. If the recommended
-arc4random_buf() function is not available, emulate it by first trying
-to use getentropy() on a supported glibc and kernel. If the call fails,
-fall back to the current (vulnerable) code.
-
-Signed-off-by: Benjamin Tissoires
-Reviewed-by: Mark Kettenis
-Reviewed-by: Alan Coopersmith
-Signed-off-by: Peter Hutterer
----
- Key.c | 31 ++++++++++++++++++++++++++-----
- configure.ac | 2 +-
- 2 files changed, 27 insertions(+), 6 deletions(-)
-
-diff --git a/Key.c b/Key.c
-index a09b316..70607d0 100644
---- a/Key.c
-+++ b/Key.c
-@@ -62,10 +62,11 @@ getbits (long data, unsigned char *dst)
- #define getpid(x) _getpid(x)
- #endif
-
--void
--XdmcpGenerateKey (XdmAuthKeyPtr key)
--{
- #ifndef HAVE_ARC4RANDOM_BUF
-+
-+static void
-+emulate_getrandom_buf (char *auth, int len)
-+{
- long lowbits, highbits;
-
- srandom ((int)getpid() ^ time((Time_t *)0));
-@@ -73,9 +74,29 @@ XdmcpGenerateKey (XdmAuthKeyPtr key)
- highbits = random ();
- getbits (lowbits, key->data);
- getbits (highbits, key->data + 4);
--#else
-+}
-+
-+static void
-+arc4random_buf (void *auth, int len)
-+{
-+ int ret;
-+
-+#if HAVE_GETENTROPY
-+ /* weak emulation of arc4random through the getentropy libc call */
-+ ret = getentropy (auth, len);
-+ if (ret == 0)
-+ return;
-+#endif /* HAVE_GETENTROPY */
-+
-+ emulate_getrandom_buf (auth, len);
-+}
-+
-+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
-+
-+void
-+XdmcpGenerateKey (XdmAuthKeyPtr key)
-+{
- arc4random_buf(key->data, 8);
--#endif
- }
-
- int
-diff --git a/configure.ac b/configure.ac
-index 2288502..d2b045d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -65,7 +65,7 @@ esac
-
- # Checks for library functions.
- AC_CHECK_LIB([bsd], [arc4random_buf])
--AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf])
-+AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy])
-
- # Obtain compiler/linker options for depedencies
- PKG_CHECK_MODULES(XDMCP, xproto)
---
-2.9.3
-
diff --git a/SOURCES/0002-Fix-compilation-error-when-arc4random_buf-is-not-ava.patch b/SOURCES/0002-Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
deleted file mode 100644
index 5cb8aef..0000000
--- a/SOURCES/0002-Fix-compilation-error-when-arc4random_buf-is-not-ava.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 95bef09f135a70ba1174a0021f441b0bb62a9bec Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Thu, 4 May 2017 11:05:15 +0200
-Subject: [PATCH libXdmcp 2/3] Fix compilation error when arc4random_buf is not
- available
-
-Not sure how I missed that, but I did.
-
-Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as
-requested in the previous patch reviews.
-
-Last, getbits() expects an unsigned char, so remove the warning.
-
-Signed-off-by: Benjamin Tissoires
----
- Key.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Key.c b/Key.c
-index 70607d0..d61ad0e 100644
---- a/Key.c
-+++ b/Key.c
-@@ -65,15 +65,15 @@ getbits (long data, unsigned char *dst)
- #ifndef HAVE_ARC4RANDOM_BUF
-
- static void
--emulate_getrandom_buf (char *auth, int len)
-+insecure_getrandom_buf (unsigned char *auth, int len)
- {
- long lowbits, highbits;
-
- srandom ((int)getpid() ^ time((Time_t *)0));
- lowbits = random ();
- highbits = random ();
-- getbits (lowbits, key->data);
-- getbits (highbits, key->data + 4);
-+ getbits (lowbits, auth);
-+ getbits (highbits, auth + 4);
- }
-
- static void
-@@ -88,7 +88,7 @@ arc4random_buf (void *auth, int len)
- return;
- #endif /* HAVE_GETENTROPY */
-
-- emulate_getrandom_buf (auth, len);
-+ insecure_getrandom_buf (auth, len);
- }
-
- #endif /* !defined(HAVE_ARC4RANDOM_BUF) */
---
-2.9.3
-
diff --git a/SOURCES/0003-Add-getentropy-emulation-through-syscall.patch b/SOURCES/0003-Add-getentropy-emulation-through-syscall.patch
deleted file mode 100644
index 7f1c537..0000000
--- a/SOURCES/0003-Add-getentropy-emulation-through-syscall.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 4e166987d7e7d37d1f5cc71c0eb7918dea4fe443 Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Thu, 4 May 2017 11:13:51 +0200
-Subject: [PATCH libXdmcp 3/3] Add getentropy emulation through syscall
-
-RHEL/f24/f25 only patch
-
-Signed-off-by: Benjamin Tissoires
----
- Key.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 48 insertions(+)
-
-diff --git a/Key.c b/Key.c
-index d61ad0e..4b0e9c0 100644
---- a/Key.c
-+++ b/Key.c
-@@ -76,6 +76,54 @@ insecure_getrandom_buf (unsigned char *auth, int len)
- getbits (highbits, auth + 4);
- }
-
-+#ifndef HAVE_GETENTROPY
-+#include
-+#include
-+
-+/* code taken from libressl, license: */
-+/*
-+ * Copyright (c) 2014 Theo de Raadt
-+ * Copyright (c) 2014 Bob Beck
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ * Emulation of getentropy(2) as documented at:
-+ * http://man.openbsd.org/getentropy.2
-+ */
-+#ifdef __NR_getrandom
-+
-+static int
-+getentropy(void *buf, size_t len)
-+{
-+ int pre_errno = errno;
-+ int ret;
-+ if (len > 256)
-+ return (-1);
-+ do {
-+ ret = syscall(__NR_getrandom, buf, len, 0);
-+ } while (ret == -1 && errno == EINTR);
-+
-+ if (ret != len)
-+ return (-1);
-+ errno = pre_errno;
-+
-+ return (0);
-+}
-+#define HAVE_GETENTROPY 1
-+#endif /* __NR_getrandom */
-+
-+#endif /* HAVE_GETENTROPY */
-+
- static void
- arc4random_buf (void *auth, int len)
- {
---
-2.9.3
-
diff --git a/SPECS/libXdmcp.spec b/SPECS/libXdmcp.spec
index f70922a..be6def0 100644
--- a/SPECS/libXdmcp.spec
+++ b/SPECS/libXdmcp.spec
@@ -1,7 +1,7 @@
 Summary: X Display Manager Control Protocol library
 Name: libXdmcp
-Version: 1.1.2
-Release: 11%{?dist}
+Version: 1.1.3
+Release: 1%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
@@ -13,10 +13,6 @@ BuildRequires: autoconf automake libtool BuildRequires: xorg-x11-proto-devel BuildRequires: xmlto -Patch0: 0001-Use-getentropy-if-arc4random_buf-is-not-available.patch -Patch1: 0002-Fix-compilation-error-when-arc4random_buf-is-not-ava.patch -Patch2: 0003-Add-getentropy-emulation-through-syscall.patch - %description X Display Manager Control Protocol library.
@@ -29,10 +25,7 @@ Requires: %{name} = %{version}-%{release} libXdmcp development package. %prep -%setup -q -%patch0 -p1 -b .cve-2017-2625 -%patch1 -p1 -b .cve-2017-2625 -%patch2 -p1 -b .cve-2017-2625 +%autosetup %build autoreconf -v --install --force
@@ -59,12 +52,15 @@ rm -rf $RPM_BUILD_ROOT%{_docdir} %{_libdir}/libXdmcp.so.6.0.0 %files devel -%doc README +%doc README.md %{_includedir}/X11/Xdmcp.h %{_libdir}/libXdmcp.so %{_libdir}/pkgconfig/xdmcp.pc %changelog +* Wed Jun 03 2020 Benjamin Tissoires - 1.1.3-1 +- libXdmcp 1.1.3 + * Thu Jul 05 2018 Adam Jackson - 1.1.2-11 - Drop useless %%defattr
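Review bot: Nothing in the spec confirms that the CVE-2017-2625 fix survives the `%prep` change from `%setup -q` plus three `%patch` lines to bare `%autosetup`. Dropped patch 3 is labelled "RHEL/f24/f25 only patch", so the 1.1.3 tarball presumably does not carry its syscall-based getentropy(), and per the dropped patch 1 description the code falls back to the srandom(getpid() ^ time) key generation whenever neither `arc4random_buf` nor `getentropy` is found at configure time. The changelog should say why the patches went away, for example `- Drop CVE-2017-2625 patches, included upstream in 1.1.3; getentropy() comes from glibc` (to be confirmed against the 1.1.3 Key.c and the build root's glibc). A build-time check that configure detected one of the two functions would keep a toolchain change from silently re-enabling the weak path.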