diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5367795
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libXdmcp-1.1.2.tar.bz2
diff --git a/.libXdmcp.metadata b/.libXdmcp.metadata
new file mode 100644
index 0000000..1401e9b
--- /dev/null
+++ b/.libXdmcp.metadata
@@ -0,0 +1 @@
+3c09eabb0617c275b5ab09fae021d279a4832cac SOURCES/libXdmcp-1.1.2.tar.bz2
diff --git a/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch b/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch
new file mode 100644
index 0000000..fbe41ed
--- /dev/null
+++ b/SOURCES/0001-Use-getentropy-if-arc4random_buf-is-not-available.patch
@@ -0,0 +1,90 @@ +From 0554324ec6bbc2071f5d1f8ad211a1643e29eb1f Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Tue, 4 Apr 2017 19:13:38 +0200 +Subject: [PATCH libXdmcp 1/3] Use getentropy() if arc4random_buf() is not + available + +This allows to fix CVE-2017-2625 on Linux platforms without pulling in +libbsd. +The libc getentropy() is available since glibc 2.25 but also on OpenBSD. +For Linux, we need at least a v3.17 kernel. If the recommended +arc4random_buf() function is not available, emulate it by first trying +to use getentropy() on a supported glibc and kernel. If the call fails, +fall back to the current (vulnerable) code. + +Signed-off-by: Benjamin Tissoires +Reviewed-by: Mark Kettenis +Reviewed-by: Alan Coopersmith +Signed-off-by: Peter Hutterer +--- + Key.c | 31 ++++++++++++++++++++++++++----- + configure.ac | 2 +- + 2 files changed, 27 insertions(+), 6 deletions(-) + +diff --git a/Key.c b/Key.c +index a09b316..70607d0 100644 +--- a/Key.c ++++ b/Key.c +@@ -62,10 +62,11 @@ getbits (long data, unsigned char *dst) + #define getpid(x) _getpid(x) + #endif + +-void +-XdmcpGenerateKey (XdmAuthKeyPtr key) +-{ + #ifndef HAVE_ARC4RANDOM_BUF ++ ++static void ++emulate_getrandom_buf (char *auth, int len) ++{ + long lowbits, highbits; + + srandom ((int)getpid() ^ time((Time_t *)0)); +@@ -73,9 +74,29 @@ XdmcpGenerateKey (XdmAuthKeyPtr key) + highbits = random (); + getbits (lowbits, key->data); + getbits (highbits, key->data + 4); +-#else ++} ++ ++static void ++arc4random_buf (void *auth, int len) ++{ ++ int ret; ++ ++#if HAVE_GETENTROPY ++ /* weak emulation of arc4random through the getentropy libc call */ ++ ret = getentropy (auth, len); ++ if (ret == 0) ++ return; ++#endif /* HAVE_GETENTROPY */ ++ ++ emulate_getrandom_buf (auth, len); ++} ++ ++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */ ++ ++void ++XdmcpGenerateKey (XdmAuthKeyPtr key) ++{ + arc4random_buf(key->data, 8); +-#endif + } + + int +diff --git a/configure.ac b/configure.ac +index 
2288502..d2b045d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -65,7 +65,7 @@ esac + + # Checks for library functions. + AC_CHECK_LIB([bsd], [arc4random_buf]) +-AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf]) ++AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy]) + + # Obtain compiler/linker options for depedencies + PKG_CHECK_MODULES(XDMCP, xproto) +-- +2.9.3 + diff --git a/SOURCES/0002-Fix-compilation-error-when-arc4random_buf-is-not-ava.patch b/SOURCES/0002-Fix-compilation-error-when-arc4random_buf-is-not-ava.patch new file mode 100644 index 0000000..5cb8aef --- /dev/null +++ b/SOURCES/0002-Fix-compilation-error-when-arc4random_buf-is-not-ava.patch 
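Review bot: In the emulated `arc4random_buf`, the failure path after `ret = getentropy (auth, len); if (ret == 0) return;` drops silently into `emulate_getrandom_buf`, the pid^time-seeded `random()` generator that CVE-2017-2625 is about, and `XdmcpGenerateKey` (void, fully inside the hunk) gives its caller no way to learn that the key it got is predictable. The commit message admits the fallback is vulnerable, so the code should say so and make the event observable: put `/* Last resort: key is predictable (CVE-2017-2625). Reached when getentropy() fails, e.g. ENOSYS on a kernel older than 3.17. */` above the fallback call and, if Key.c already has `<stdio.h>` in scope (not visible here), a one-time `fprintf (stderr, "libXdmcp: getentropy failed, generating insecure key\n");`. A smaller point of style: `#if HAVE_GETENTROPY` evaluates to 0 silently when configure never defines the macro, whereas `#ifdef HAVE_GETENTROPY` would match the `#ifndef HAVE_ARC4RANDOM_BUF` guard a few lines above and fail loudly under -Wundef.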
@@ -0,0 +1,53 @@ +From 95bef09f135a70ba1174a0021f441b0bb62a9bec Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Thu, 4 May 2017 11:05:15 +0200 +Subject: [PATCH libXdmcp 2/3] Fix compilation error when arc4random_buf is not + available + +Not sure how I missed that, but I did. + +Also rename emulate_getrandom_buf() into insecure_getrandom_buf() as +requested in the previous patch reviews. + +Last, getbits() expects an unsigned char, so remove the warning. + +Signed-off-by: Benjamin Tissoires +--- + Key.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Key.c b/Key.c +index 70607d0..d61ad0e 100644 +--- a/Key.c ++++ b/Key.c +@@ -65,15 +65,15 @@ getbits (long data, unsigned char *dst) + #ifndef HAVE_ARC4RANDOM_BUF + + static void +-emulate_getrandom_buf (char *auth, int len) ++insecure_getrandom_buf (unsigned char *auth, int len) + { + long lowbits, highbits; + + srandom ((int)getpid() ^ time((Time_t *)0)); + lowbits = random (); + highbits = random (); +- getbits (lowbits, key->data); +- getbits (highbits, key->data + 4); ++ getbits (lowbits, auth); ++ getbits (highbits, auth + 4); + } + + static void +@@ -88,7 +88,7 @@ arc4random_buf (void *auth, int len) + return; + #endif /* HAVE_GETENTROPY */ + +- emulate_getrandom_buf (auth, len); ++ insecure_getrandom_buf (auth, len); + } + + #endif /* !defined(HAVE_ARC4RANDOM_BUF) */ +-- +2.9.3 + diff --git a/SOURCES/0003-Add-getentropy-emulation-through-syscall.patch b/SOURCES/0003-Add-getentropy-emulation-through-syscall.patch new file mode 100644 index 0000000..7f1c537 --- /dev/null +++ b/SOURCES/0003-Add-getentropy-emulation-through-syscall.patch 
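Review bot: `insecure_getrandom_buf (unsigned char *auth, int len)` never reads `len`: it always writes through `getbits (lowbits, auth)` and `getbits (highbits, auth + 4)`, so a fixed number of bytes is written (presumably 8, given the +4 offset, but getbits is defined above the hunk so its width cannot be confirmed here) whatever the caller asks for, while the `arc4random_buf` wrapper that calls it advertises an arbitrary `len`. The only caller today passes 8, but a future call with a smaller buffer would overflow it and a larger one would leave part of the key uninitialized. Make the contract explicit at the top of the function with `/* Only the 8-byte XdmAuthKey is supported; the seed is at most 32 bits, so this path is weak (CVE-2017-2625). */` followed by `assert (len == 8);` (or `if (len != 8) abort ();` if asserts are compiled out in release builds).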
@@ -0,0 +1,74 @@ +From 4e166987d7e7d37d1f5cc71c0eb7918dea4fe443 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Thu, 4 May 2017 11:13:51 +0200 +Subject: [PATCH libXdmcp 3/3] Add getentropy emulation through syscall + +RHEL/f24/f25 only patch + +Signed-off-by: Benjamin Tissoires +--- + Key.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/Key.c b/Key.c +index d61ad0e..4b0e9c0 100644 +--- a/Key.c ++++ b/Key.c +@@ -76,6 +76,54 @@ insecure_getrandom_buf (unsigned char *auth, int len) + getbits (highbits, auth + 4); + } + ++#ifndef HAVE_GETENTROPY ++#include ++#include ++ ++/* code taken from libressl, license: */ ++/* ++ * Copyright (c) 2014 Theo de Raadt ++ * Copyright (c) 2014 Bob Beck ++ * ++ * Permission to use, copy, modify, and distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
++ * ++ * Emulation of getentropy(2) as documented at: ++ * http://man.openbsd.org/getentropy.2 ++ */ ++#ifdef __NR_getrandom ++ ++static int ++getentropy(void *buf, size_t len) ++{ ++ int pre_errno = errno; ++ int ret; ++ if (len > 256) ++ return (-1); ++ do { ++ ret = syscall(__NR_getrandom, buf, len, 0); ++ } while (ret == -1 && errno == EINTR); ++ ++ if (ret != len) ++ return (-1); ++ errno = pre_errno; ++ ++ return (0); ++} ++#define HAVE_GETENTROPY 1 ++#endif /* __NR_getrandom */ ++ ++#endif /* HAVE_GETENTROPY */ ++ + static void + arc4random_buf (void *auth, int len) + { +-- +2.9.3 + diff --git a/SOURCES/fips-docs.patch b/SOURCES/fips-docs.patch new file mode 100644 index 0000000..c529261 --- /dev/null +++ b/SOURCES/fips-docs.patch @@ -0,0 +1,12 @@ +diff -up libXdmcp-1.1.1/README~ libXdmcp-1.1.1/README +--- libXdmcp-1.1.1/README~ 2012-03-07 22:46:35.000000000 -0500 ++++ libXdmcp-1.1.1/README 2013-12-17 12:59:45.680345588 -0500 +@@ -1,3 +1,8 @@ ++-=-=-=- ++Please note that DMCP authentications with this library use the DES ++and are therefore not FIPS compliant. ++-=-=-=- ++ + libXdmcp - X Display Manager Control Protocol library + + All questions regarding this software should be directed at the diff --git a/SPECS/libXdmcp.spec b/SPECS/libXdmcp.spec new file mode 100644 index 0000000..c0eddce --- /dev/null +++ b/SPECS/libXdmcp.spec 
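Review bot: The syscall-based `getentropy` has two correctness nits in the new code: the `len > 256` rejection returns `-1` without setting errno, unlike the OpenBSD getentropy(2) it claims to emulate, so a caller that inspects errno sees a stale value; and `if (ret != len)` compares a signed `int` against `size_t`, which works only because -1 converts to SIZE_MAX and trips -Wsign-compare. Suggest `if (len > 256) { errno = EIO; return (-1); }` and `if (ret < 0 || (size_t)ret != len) return (-1);`. Note that `#ifdef __NR_getrandom` is a check on the build headers, not the running kernel: per the 0001 commit message the syscall needs a 3.17+ kernel, and on an older one `syscall()` fails with ENOSYS, the emulation returns -1 and the caller (outside this hunk) falls back to the insecure generator with no diagnostic, so a stderr warning on that path is worth considering. The two `#include` lines have lost their header names in this rendering; whichever they are (presumably `<unistd.h>` and `<sys/syscall.h>`), `errno`/`EINTR` also need `<errno.h>` unless Key.c already includes it above the hunk.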
@@ -0,0 +1,236 @@ +Summary: X Display Manager Control Protocol library +Name: libXdmcp +Version: 1.1.2 +Release: 6%{?dist} +License: MIT +Group: System Environment/Libraries +URL: http://www.x.org + +Source0: ftp://ftp.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2 + +BuildRequires: xorg-x11-util-macros +BuildRequires: autoconf automake libtool +BuildRequires: xorg-x11-proto-devel +BuildRequires: xmlto + +Patch0: fips-docs.patch +Patch1: 0001-Use-getentropy-if-arc4random_buf-is-not-available.patch +Patch2: 0002-Fix-compilation-error-when-arc4random_buf-is-not-ava.patch +Patch3: 0003-Add-getentropy-emulation-through-syscall.patch + +%description +X Display Manager Control Protocol library. + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +libXdmcp development package. + +%prep +%setup -q + +%patch0 -p1 -b .fips-docs +%patch1 -p1 -b .cve-2017-2625 +%patch2 -p1 -b .cve-2017-2625 +%patch3 -p1 -b .cve-2017-2625 + +%build +autoreconf -v --install --force +%configure --disable-static +make V=1 %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT + +make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" + +# We intentionally don't ship *.la files +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la + +# manual fixup later +rm -rf $RPM_BUILD_ROOT%{_docdir} + +%clean +rm -rf $RPM_BUILD_ROOT + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root,-) +%doc AUTHORS COPYING ChangeLog Wraphelp.README.crypto +%{_libdir}/libXdmcp.so.6 +%{_libdir}/libXdmcp.so.6.0.0 + +%files devel +%defattr(-,root,root,-) +%doc README +%{_includedir}/X11/Xdmcp.h +%{_libdir}/libXdmcp.so +%{_libdir}/pkgconfig/xdmcp.pc + +%changelog +* Tue Mar 28 2017 Benjamin Tissoires 1.1.2-6 +- Do not pull libbsd, use getentropy or getrandom syscall instead + +* Wed Mar 01 2017 Benjamin Tissoires 1.1.2-5 +- Use libbsd for randoms (CVE-2017-2625, rhbz#1427716) + +* Fri Feb 10 2017 Fedora 
Release Engineering - 1.1.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 1.1.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 1.1.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Mar 23 2015 Benjamin Tissoires 1.1.2-1 +- libXdmcp 1.1.2 + +* Sun Aug 17 2014 Fedora Release Engineering - 1.1.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Feb 12 2014 Adam Jackson 1.1.1-6.1 +- Mass rebuild + +* Fri Dec 27 2013 Daniel Mach - 1.1.1-6 +- Mass rebuild 2013-12-27 + +* Tue Dec 17 2013 Soren Sandmann - 1.1.4-5 +- Add note to README about the lack of FIPS compliance for DMCP + authentications. + Bug 994193 + +* Thu Mar 07 2013 Peter Hutterer - 1.1.1-4 +- autoreconf for aarch64 + +* Thu Feb 14 2013 Fedora Release Engineering - 1.1.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Fedora Release Engineering - 1.1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Mar 08 2012 Adam Jackson 1.1.1-1 +- libXdmcp 1.1.1 + +* Fri Jan 13 2012 Fedora Release Engineering - 1.1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Feb 07 2011 Fedora Release Engineering - 1.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Nov 08 2010 Adam Jackson 1.1.0-1 +- libXdmcp 1.1.0 + +* Wed Oct 21 2009 Parag - 1.0.3-3 +- Merge-Review #226068 +- make is not verbose + +* Thu Oct 08 2009 Parag - 1.0.3-2 +- Merge-Review #226068 +- Removed BR:pkgconfig +- Few spec cleanups. 
+ +* Thu Sep 24 2009 Peter Hutterer 1.0.3-1 +- libXdmcp 1.0.3 +- libXdmcp-1.0.2-namespace-pollution.patch: drop + +* Fri Jul 24 2009 Fedora Release Engineering - 1.0.2-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 23 2009 Adam Jackson 1.0.2-10 +- Un-require xorg-x11-filesystem + +* Thu Jul 23 2009 Adam Jackson 1.0.2-9 +- Remove useless %%dir + +* Wed Feb 25 2009 Fedora Release Engineering - 1.0.2-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sat Feb 21 2009 Adam Jackson 1.0.2-7 +- Merge review cleanups. (#226068) + +* Tue Jul 15 2008 Adam Jackson 1.0.2-6 +- Fix license tag. + +* Tue Feb 19 2008 Fedora Release Engineering - 1.0.2-5 +- Autorebuild for GCC 4.3 + +* Tue Aug 21 2007 Adam Jackson - 1.0.2-4 +- Rebuild for build id + +* Sat Apr 21 2007 Matthias Clasen 1.0.2-3 +- Don't install INSTALL + +* Mon Nov 20 2006 Adam Jackson 1.0.2-2.fc7 +- libXdmcp-1.0.2-namespace-pollution.patch: Hide Xalloc and friends from the + dynamic linker. + +* Mon Nov 20 2006 Adam Jackson 1.0.2-1 +- Update to 1.0.2 + +* Wed Jul 12 2006 Jesse Keating 1.0.1-2.1 +- rebuild + +* Wed Jun 07 2006 Mike A. Harris 1.0.1-2 +- Added "BuildRequires: xorg-x11-proto-devel" +- Added "Requires: xorg-x11-proto-devel" to devel package, needed by xdmcp.pc +- Replace "makeinstall" with "make install DESTDIR=..." +- Remove package ownership of mandir/libdir/etc. + +* Thu Apr 27 2006 Adam Jackson 1.0.1-1 +- Update to 1.0.1 + +* Fri Feb 10 2006 Jesse Keating - 1.0.0-2.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.0.0-2.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Mon Jan 23 2006 Mike A. Harris 1.0.0-2 +- Bumped and rebuilt + +* Fri Dec 16 2005 Mike A. Harris 1.0.0-1 +- Updated libXdmcp to version 1.0.0 from X11R7 RC4 + +* Tue Dec 13 2005 Mike A. 
Harris 0.99.2-1 +- Updated libXdmcp to version 0.99.2 from X11R7 RC3 +- Added "Requires(pre): xorg-x11-filesystem >= 0.99.2-3", to ensure + that /usr/lib/X11 and /usr/include/X11 pre-exist. +- Removed 'x' suffix from manpage directories to match RC3 upstream. + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Nov 11 2005 Mike A. Harris 0.99.1-2 +- Changed 'Conflicts: XFree86-devel, xorg-x11-devel' to 'Obsoletes' +- Changed 'Conflicts: XFree86-libs, xorg-x11-libs' to 'Obsoletes' + +* Fri Oct 21 2005 Mike A. Harris 0.99.1-1 +- Update to libXdmcp-0.99.1 from X11R7 RC1 release. + +* Thu Sep 29 2005 Mike A. Harris 0.99.0-3 +- Renamed package to remove xorg-x11 from the name due to unanimous decision + between developers. +- Use Fedora Extras style BuildRoot tag. +- Disable static library creation by default. +- Add missing defattr to devel subpackage +- Add missing documentation files to doc macro + +* Tue Aug 23 2005 Mike A. Harris 0.99.0-2 +- Renamed package to prepend "xorg-x11" to the name for consistency with + the rest of the X11R7 packages. +- Added "Requires: %%{name} = %%{version}-%%{release}" dependency to devel + subpackage to ensure the devel package matches the installed shared libs. +- Added virtual "Provides: lib" and "Provides: lib-devel" to + allow applications to use implementation agnostic dependencies. +- Added post/postun scripts which call ldconfig. +- Added Conflicts with XFree86-libs and xorg-x11-libs to runtime package, + and Conflicts with XFree86-devel and xorg-x11-devel to devel package. + +* Mon Aug 22 2005 Mike A. Harris 0.99.0-1 +- Initial build.
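Review bot: `Source0: ftp://ftp.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2` fetches the upstream tarball over unauthenticated FTP; the only integrity anchor in this commit is the 40-hex value in `.libXdmcp.metadata`, which looks like the dist-git lookaside SHA-1 pin rather than anything the spec itself verifies, and SHA-1 was already shown collidable by the date of the top changelog entry. Switch to the TLS mirror, `Source0: https://www.x.org/releases/individual/lib/%{name}-%{version}.tar.bz2`, and consider carrying upstream's detached signature as a Source1 so the tarball can be checked at build time. Separately, `%patch1`, `%patch2` and `%patch3` all use `-b .cve-2017-2625`, so each application overwrites the previous backup of Key.c — harmless for the build, but misleading when debugging the series; give them distinct suffixes.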