diff --git a/SOURCES/0001-parser-Don-t-set-more-maps-when-we-don-t-have-any.patch b/SOURCES/0001-parser-Don-t-set-more-maps-when-we-don-t-have-any.patch new file mode 100644 index 0000000..11390af --- /dev/null +++ b/SOURCES/0001-parser-Don-t-set-more-maps-when-we-don-t-have-any.patch @@ -0,0 +1,43 @@ +From 8b11c418417d36b6f818fd52882a051977c152a1 Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Mon, 26 Jun 2017 16:45:16 +0100 +Subject: [PATCH 01/10] parser: Don't set more maps when we don't have any + +If the scanner indicates that we might have something which looks like a +map, but the parser in fact fails to create that map, we will try to +access the map regardless. Stop doing that. + +testcase: 'xkb_keymap {' -> '#kb_keymap' + +Signed-off-by: Daniel Stone +(cherry picked from commit a8ea7a1d3daa7bdcb877615ae0a252c189153bd2) +--- + src/xkbcomp/parser.y | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/xkbcomp/parser.y b/src/xkbcomp/parser.y +index 7ff6f92..b5b0c2c 100644 +--- a/src/xkbcomp/parser.y ++++ b/src/xkbcomp/parser.y +@@ -239,9 +239,9 @@ resolve_keysym(const char *name, xkb_keysym_t *sym_rtrn) + */ + + XkbFile : XkbCompositeMap +- { $$ = param->rtrn = $1; param->more_maps = true; } ++ { $$ = param->rtrn = $1; param->more_maps = !!param->rtrn; } + | XkbMapConfig +- { $$ = param->rtrn = $1; param->more_maps = true; YYACCEPT; } ++ { $$ = param->rtrn = $1; param->more_maps = !!param->rtrn; YYACCEPT; } + | END_OF_FILE + { $$ = param->rtrn = NULL; param->more_maps = false; } + ; +@@ -779,6 +779,7 @@ parse(struct xkb_context *ctx, struct scanner *scanner, const char *map) + .scanner = scanner, + .ctx = ctx, + .rtrn = NULL, ++ .more_maps = false, + }; + + /* +-- +2.20.1 diff --git a/SOURCES/0002-xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch b/SOURCES/0002-xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch new file mode 100644 index 0000000..3a3f4e7 --- /dev/null +++ b/SOURCES/0002-xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch @@ -0,0 +1,30 @@ +From c544a0174669ac2f3b2730f838d36dc8f642079d Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Mon, 26 Jun 2017 17:12:29 +0100 +Subject: [PATCH 02/10] xkbcomp: Don't crash on no-op modmask expressions + +If we have an expression of the form 'l1' in an interp section, we +unconditionally try to dereference its args, even if it has none. + +Signed-off-by: Daniel Stone +(cherry picked from commit 96df3106d49438e442510c59acad306e94f3db4d) +--- + src/xkbcomp/compat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/xkbcomp/compat.c b/src/xkbcomp/compat.c +index 9ae26cd..bd587c8 100644 +--- a/src/xkbcomp/compat.c ++++ b/src/xkbcomp/compat.c +@@ -264,7 +264,8 @@ ResolveStateAndPredicate(ExprDef *expr, enum xkb_match_operation *pred_rtrn, + *pred_rtrn = MATCH_EXACTLY; + if (expr->expr.op == EXPR_ACTION_DECL) { + const char *pred_txt = xkb_atom_text(info->ctx, expr->action.name); +- if (!LookupString(symInterpretMatchMaskNames, pred_txt, pred_rtrn)) { ++ if (!LookupString(symInterpretMatchMaskNames, pred_txt, pred_rtrn) || ++ !expr->action.args) { + log_err(info->ctx, + "Illegal modifier predicate \"%s\"; Ignored\n", pred_txt); + return false; +-- +2.20.1 diff --git a/SOURCES/0003-xkbcomp-Don-t-explode-on-invalid-virtual-modifiers.patch b/SOURCES/0003-xkbcomp-Don-t-explode-on-invalid-virtual-modifiers.patch new file mode 100644 index 0000000..0d49389 --- /dev/null +++ b/SOURCES/0003-xkbcomp-Don-t-explode-on-invalid-virtual-modifiers.patch @@ -0,0 +1,28 @@ +From 55f9df15b30deb0477b8dbcb837f525773705273 Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Mon, 26 Jun 2017 17:18:16 +0100 +Subject: [PATCH 03/10] xkbcomp: Don't explode on invalid virtual modifiers + +testcase: 'virtualModifiers=LevelThreC' + +Signed-off-by: Daniel Stone +(cherry picked from commit 4e2ee9c3f6050d773f8bbe05bc0edb17f1ff8371) +--- + src/xkbcomp/expr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/xkbcomp/expr.c b/src/xkbcomp/expr.c +index a85f460..d5dd62f 100644 +--- a/src/xkbcomp/expr.c ++++ b/src/xkbcomp/expr.c +@@ -101,6 +101,8 @@ LookupModMask(struct xkb_context *ctx, const void *priv, xkb_atom_t field, + return false; + + str = xkb_atom_text(ctx, field); ++ if (!str) ++ return false; + + if (istreq(str, "all")) { + *val_rtrn = MOD_REAL_MASK_ALL; +-- +2.20.1 diff --git a/SOURCES/0004-xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch b/SOURCES/0004-xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch new file mode 100644 index 0000000..0459426 --- /dev/null +++ b/SOURCES/0004-xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch @@ -0,0 +1,32 @@ +From 69f69b943d9f4777192b6cd9632ab41a363c62ae Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Mon, 26 Jun 2017 17:21:45 +0100 +Subject: [PATCH 04/10] xkbcomp: Don't falsely promise from ExprResolveLhs + +Every user of ExprReturnLhs goes on to unconditionally dereference the +field return, which can be NULL if xkb_intern_atom fails. Return false +if this is the case, so we fail safely. + +testcase: splice geometry data into interp + +Signed-off-by: Daniel Stone +(cherry picked from commit 38e1766bc6e20108948aec8a0b222a4bad0254e9) +--- + src/xkbcomp/expr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/xkbcomp/expr.c b/src/xkbcomp/expr.c +index d5dd62f..07d67e9 100644 +--- a/src/xkbcomp/expr.c ++++ b/src/xkbcomp/expr.c +@@ -42,7 +42,7 @@ ExprResolveLhs(struct xkb_context *ctx, const ExprDef *expr, + *elem_rtrn = NULL; + *field_rtrn = xkb_atom_text(ctx, expr->ident.ident); + *index_rtrn = NULL; +- return true; ++ return (*field_rtrn != NULL); + case EXPR_FIELD_REF: + *elem_rtrn = xkb_atom_text(ctx, expr->field_ref.element); + *field_rtrn = xkb_atom_text(ctx, expr->field_ref.field); +-- +2.20.1 diff --git a/SOURCES/0005-xkbcomp-fix-pointer-value-for-FreeStmt.patch b/SOURCES/0005-xkbcomp-fix-pointer-value-for-FreeStmt.patch new file mode 100644 index 0000000..577e41c --- /dev/null +++ b/SOURCES/0005-xkbcomp-fix-pointer-value-for-FreeStmt.patch @@ -0,0 +1,26 @@ +From a098d71ca877c8834727b478fd053433f43e0cd0 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 30 Jul 2018 14:11:46 +1000 +Subject: [PATCH 05/10] xkbcomp: fix pointer value for FreeStmt + +Signed-off-by: Peter Hutterer +(cherry picked from commit c1e5ac16e77a21f87bdf3bc4dea61b037a17dddb) +--- + src/xkbcomp/ast-build.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/xkbcomp/ast-build.c b/src/xkbcomp/ast-build.c +index eeef76a..b5e5616 100644 +--- a/src/xkbcomp/ast-build.c ++++ b/src/xkbcomp/ast-build.c +@@ -235,7 +235,7 @@ ExprAppendMultiKeysymList(ExprDef *expr, ExprDef *append) + darray_steal(append->keysym_list.syms, &syms, NULL); + darray_append_items(expr->keysym_list.syms, syms, numEntries); + +- FreeStmt((ParseCommon *) &append); ++ FreeStmt((ParseCommon *) append); + + return expr; + } +-- +2.20.1 diff --git a/SOURCES/0006-compose-fix-infinite-loop-in-parser-on-some-inputs.patch b/SOURCES/0006-compose-fix-infinite-loop-in-parser-on-some-inputs.patch new file mode 100644 index 0000000..dc8900f --- /dev/null +++ b/SOURCES/0006-compose-fix-infinite-loop-in-parser-on-some-inputs.patch @@ -0,0 +1,31 @@ +From dee0bb2936fc3c968fa4f5cd7bac21d2c22c2b78 Mon Sep 17 00:00:00 2001 +From: Ran Benita +Date: Mon, 12 Mar 2018 09:43:55 +0200 +Subject: [PATCH 06/10] compose: fix infinite loop in parser on some inputs + +The parser would enter an infinite loop if an unterminated keysym +literal occurs at EOF. + +Found with the afl fuzzer. + +Signed-off-by: Ran Benita +(cherry picked from commit 842e4351c2c97de6051cab6ce36b4a81e709a0e1) +--- + src/compose/parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/compose/parser.c b/src/compose/parser.c +index fd2dca9..0e46c95 100644 +--- a/src/compose/parser.c ++++ b/src/compose/parser.c +@@ -144,7 +144,7 @@ skip_more_whitespace_and_comments: + + /* LHS Keysym. */ + if (chr(s, '<')) { +- while (peek(s) != '>' && !eol(s)) ++ while (peek(s) != '>' && !eol(s) && !eof(s)) + buf_append(s, next(s)); + if (!chr(s, '>')) { + scanner_err(s, "unterminated keysym literal"); +-- +2.20.1 diff --git a/SOURCES/0007-xkbcomp-fix-crash-when-parsing-an-xkb_geometry-secti.patch b/SOURCES/0007-xkbcomp-fix-crash-when-parsing-an-xkb_geometry-secti.patch new file mode 100644 index 0000000..6cdf780 --- /dev/null +++ b/SOURCES/0007-xkbcomp-fix-crash-when-parsing-an-xkb_geometry-secti.patch @@ -0,0 +1,61 @@ +From da964532709cceb3a1e69c6eb8eb89a384649858 Mon Sep 17 00:00:00 2001 +From: Ran Benita +Date: Sun, 11 Mar 2018 17:07:06 +0200 +Subject: [PATCH 07/10] xkbcomp: fix crash when parsing an xkb_geometry section + +xkb_geometry sections are ignored; previously the had done so by +returning NULL for the section's XkbFile, however some sections of the +code do not expect this. Instead, create an XkbFile for it, it will +never be processes and discarded later. + +Caught with the afl fuzzer. + +Signed-off-by: Ran Benita +(cherry picked from commit 917636b1d0d70205a13f89062b95e3a0fc31d4ff) +--- + src/xkbcomp/keymap.c | 9 +++++++-- + src/xkbcomp/parser.y | 9 +-------- + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/src/xkbcomp/keymap.c b/src/xkbcomp/keymap.c +index 45098c2..e95e50c 100644 +--- a/src/xkbcomp/keymap.c ++++ b/src/xkbcomp/keymap.c +@@ -241,8 +241,13 @@ CompileKeymap(XkbFile *file, struct xkb_keymap *keymap, enum merge_mode merge) + file = (XkbFile *) file->common.next) { + if (file->file_type < FIRST_KEYMAP_FILE_TYPE || + file->file_type > LAST_KEYMAP_FILE_TYPE) { +- log_err(ctx, "Cannot define %s in a keymap file\n", +- xkb_file_type_to_string(file->file_type)); ++ if (file->file_type == FILE_TYPE_GEOMETRY) { ++ log_vrb(ctx, 1, ++ "Geometry sections are not supported; ignoring\n"); ++ } else { ++ log_err(ctx, "Cannot define %s in a keymap file\n", ++ xkb_file_type_to_string(file->file_type)); ++ } + continue; + } + +diff --git a/src/xkbcomp/parser.y b/src/xkbcomp/parser.y +index b5b0c2c..cedb8fa 100644 +--- a/src/xkbcomp/parser.y ++++ b/src/xkbcomp/parser.y +@@ -273,14 +273,7 @@ XkbMapConfig : OptFlags FileType OptMapName OBRACE + DeclList + CBRACE SEMI + { +- if ($2 == FILE_TYPE_GEOMETRY) { +- free($3); +- FreeStmt($5); +- $$ = NULL; +- } +- else { +- $$ = XkbFileCreate($2, $3, $5, $1); +- } ++ $$ = XkbFileCreate($2, $3, $5, $1); + } + ; + +-- +2.20.1 diff --git a/SOURCES/0008-xkbcomp-fix-crashes-in-the-parser-when-geometry-toke.patch b/SOURCES/0008-xkbcomp-fix-crashes-in-the-parser-when-geometry-toke.patch new file mode 100644 index 0000000..c855cbf --- /dev/null +++ b/SOURCES/0008-xkbcomp-fix-crashes-in-the-parser-when-geometry-toke.patch @@ -0,0 +1,125 @@ +From 6fa9f581eda2bc790937f347df4976f02d45240b Mon Sep 17 00:00:00 2001 +From: Ran Benita +Date: Sat, 10 Mar 2018 23:32:12 +0200 +Subject: [PATCH 08/10] xkbcomp: fix crashes in the parser when geometry tokens + appear + +In the XKB format, floats and various keywords can only be used in the +xkb_geometry section. xkbcommon removed support xkb_geometry, but still +parses it for backward compatibility. As part of ignoring it, the float +AST node and various keywords were removed, and instead NULL was +returned by their parsing actions. However, the rest of the code does +not handle NULLs, and so when they appear crashes usually ensue. + +To fix this, restore the float AST node and the ignored keywords. None +of the evaluating code expects them, so nice error are displayed. + +Caught with the afl fuzzer. + +Signed-off-by: Ran Benita +(cherry picked from commit e3cacae7b1bfda0d839c280494f23284a1187adf) +--- + src/xkbcomp/ast-build.c | 8 ++++++++ + src/xkbcomp/ast-build.h | 3 +++ + src/xkbcomp/ast.h | 7 +++++++ + src/xkbcomp/parser.y | 10 +++++----- + 4 files changed, 23 insertions(+), 5 deletions(-) + +diff --git a/src/xkbcomp/ast-build.c b/src/xkbcomp/ast-build.c +index b5e5616..c3e3279 100644 +--- a/src/xkbcomp/ast-build.c ++++ b/src/xkbcomp/ast-build.c +@@ -105,6 +105,13 @@ ExprCreateInteger(int ival) + return expr; + } + ++ExprDef * ++ExprCreateFloat(void) ++{ ++ EXPR_CREATE(ExprFloat, expr, EXPR_VALUE, EXPR_TYPE_FLOAT); ++ return expr; ++} ++ + ExprDef * + ExprCreateBoolean(bool set) + { +@@ -785,6 +792,7 @@ static const char *expr_value_type_strings[_EXPR_TYPE_NUM_VALUES] = { + [EXPR_TYPE_UNKNOWN] = "unknown", + [EXPR_TYPE_BOOLEAN] = "boolean", + [EXPR_TYPE_INT] = "int", ++ [EXPR_TYPE_FLOAT] = "float", + [EXPR_TYPE_STRING] = "string", + [EXPR_TYPE_ACTION] = "action", + [EXPR_TYPE_KEYNAME] = "keyname", +diff --git a/src/xkbcomp/ast-build.h b/src/xkbcomp/ast-build.h +index b57e4cd..6c76f38 100644 +--- a/src/xkbcomp/ast-build.h ++++ b/src/xkbcomp/ast-build.h +@@ -36,6 +36,9 @@ ExprCreateString(xkb_atom_t str); + ExprDef * + ExprCreateInteger(int ival); + ++ExprDef * ++ExprCreateFloat(void); ++ + ExprDef * + ExprCreateBoolean(bool set); + +diff --git a/src/xkbcomp/ast.h b/src/xkbcomp/ast.h +index 9778884..49c5ada 100644 +--- a/src/xkbcomp/ast.h ++++ b/src/xkbcomp/ast.h +@@ -95,6 +95,7 @@ enum expr_value_type { + EXPR_TYPE_UNKNOWN = 0, + EXPR_TYPE_BOOLEAN, + EXPR_TYPE_INT, ++ EXPR_TYPE_FLOAT, + EXPR_TYPE_STRING, + EXPR_TYPE_ACTION, + EXPR_TYPE_KEYNAME, +@@ -186,6 +187,12 @@ typedef struct { + int ival; + } ExprInteger; + ++typedef struct { ++ ExprCommon expr; ++ /* We don't support floats, but we still represnt them in the AST, in ++ * order to provide proper error messages. */ ++} ExprFloat; ++ + typedef struct { + ExprCommon expr; + xkb_atom_t key_name; +diff --git a/src/xkbcomp/parser.y b/src/xkbcomp/parser.y +index cedb8fa..bda7f64 100644 +--- a/src/xkbcomp/parser.y ++++ b/src/xkbcomp/parser.y +@@ -584,13 +584,13 @@ Element : ACTION_TOK + | INDICATOR + { $$ = xkb_atom_intern_literal(param->ctx, "indicator"); } + | SHAPE +- { $$ = XKB_ATOM_NONE; } ++ { $$ = xkb_atom_intern_literal(param->ctx, "shape"); } + | ROW +- { $$ = XKB_ATOM_NONE; } ++ { $$ = xkb_atom_intern_literal(param->ctx, "row"); } + | SECTION +- { $$ = XKB_ATOM_NONE; } ++ { $$ = xkb_atom_intern_literal(param->ctx, "section"); } + | TEXT +- { $$ = XKB_ATOM_NONE; } ++ { $$ = xkb_atom_intern_literal(param->ctx, "text"); } + ; + + OptMergeMode : MergeMode { $$ = $1; } +@@ -680,7 +680,7 @@ Terminal : String + | Integer + { $$ = ExprCreateInteger($1); } + | Float +- { $$ = NULL; } ++ { $$ = ExprCreateFloat(/* Discard $1 */); } + | KEYNAME + { $$ = ExprCreateKeyName($1); } + ; +-- +2.20.1 diff --git a/SOURCES/0009-xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch b/SOURCES/0009-xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch new file mode 100644 index 0000000..ac94296 --- /dev/null +++ b/SOURCES/0009-xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch @@ -0,0 +1,36 @@ +From 29cfb4789d5b194f1b6f296ce4b4756a259ae0c4 Mon Sep 17 00:00:00 2001 +From: Ran Benita +Date: Sat, 10 Mar 2018 23:10:47 +0200 +Subject: [PATCH 09/10] xkbcomp: fix stack overflow when evaluating boolean + negation + +The expression evaluator would go into an infinite recursion when +evaluating something like this as a boolean: `!True`. Instead of +recursing to just `True` and negating, it recursed to `!True` itself +again. + +Bug inherited from xkbcomp. + +Caught with the afl fuzzer. + +Signed-off-by: Ran Benita +(cherry picked from commit 1f9d1248c07cda8aaff762429c0dce146de8632a) +--- + src/xkbcomp/expr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/xkbcomp/expr.c b/src/xkbcomp/expr.c +index 07d67e9..6640ed0 100644 +--- a/src/xkbcomp/expr.c ++++ b/src/xkbcomp/expr.c +@@ -167,7 +167,7 @@ ExprResolveBoolean(struct xkb_context *ctx, const ExprDef *expr, + + case EXPR_INVERT: + case EXPR_NOT: +- ok = ExprResolveBoolean(ctx, expr, set_rtrn); ++ ok = ExprResolveBoolean(ctx, expr->unary.child, set_rtrn); + if (ok) + *set_rtrn = !*set_rtrn; + return ok; +-- +2.20.1 diff --git a/SOURCES/0010-Fail-expression-lookup-on-invalid-atoms.patch b/SOURCES/0010-Fail-expression-lookup-on-invalid-atoms.patch new file mode 100644 index 0000000..784c632 --- /dev/null +++ b/SOURCES/0010-Fail-expression-lookup-on-invalid-atoms.patch @@ -0,0 +1,37 @@ +From 926df1e859345dc9e404ebf6d76599cf5b1e9b25 Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Mon, 30 Oct 2017 11:21:55 +0000 +Subject: [PATCH 10/10] Fail expression lookup on invalid atoms + +If we fail atom lookup, then we should not claim that we successfully +looked up the expression. + +Signed-off-by: Daniel Stone +(cherry picked from commit bb4909d2d8fa6b08155e449986a478101e2b2634) +--- + src/xkbcomp/expr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/xkbcomp/expr.c b/src/xkbcomp/expr.c +index 6640ed0..1b61ae5 100644 +--- a/src/xkbcomp/expr.c ++++ b/src/xkbcomp/expr.c +@@ -47,11 +47,15 @@ ExprResolveLhs(struct xkb_context *ctx, const ExprDef *expr, + *elem_rtrn = xkb_atom_text(ctx, expr->field_ref.element); + *field_rtrn = xkb_atom_text(ctx, expr->field_ref.field); + *index_rtrn = NULL; +- return true; ++ return (*elem_rtrn != NULL && *field_rtrn != NULL); + case EXPR_ARRAY_REF: + *elem_rtrn = xkb_atom_text(ctx, expr->array_ref.element); + *field_rtrn = xkb_atom_text(ctx, expr->array_ref.field); + *index_rtrn = expr->array_ref.entry; ++ if (expr->array_ref.element != XKB_ATOM_NONE && *elem_rtrn == NULL) ++ return false; ++ if (*field_rtrn == NULL) ++ return false; + return true; + default: + break; +-- +2.20.1 diff --git a/SPECS/libxkbcommon.spec b/SPECS/libxkbcommon.spec index 4cf3725..7aaa104 100644 --- a/SPECS/libxkbcommon.spec +++ b/SPECS/libxkbcommon.spec @@ -2,7 +2,7 @@ Name: libxkbcommon Version: 0.7.1 -Release: 1%{?gitdate:.%{gitdate}}%{?dist} +Release: 3%{?gitdate:.%{gitdate}}%{?dist} Summary: X.Org X11 XKB parsing library License: MIT URL: http://www.x.org @@ -14,6 +14,27 @@ Source0: http://xkbcommon.org/download/%{name}-%{version}.tar.xz %endif Source1: make-git-snapshot.sh +# Bug 1623033 - CVE-2018-15864 +Patch01: 0001-parser-Don-t-set-more-maps-when-we-don-t-have-any.patch +# Bug 1643488 - CVE-2018-15863 +Patch02: 0002-xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch +# Bug 1623029 - CVE-2018-15862 +Patch03: 0003-xkbcomp-Don-t-explode-on-invalid-virtual-modifiers.patch +# Bug 1643480 - CVE-2018-15861 +Patch04: 0004-xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch +# Bug 1643153 - CVE-2018-15857 +Patch05: 0005-xkbcomp-fix-pointer-value-for-FreeStmt.patch +# Bug 1643141 - CVE-2018-15856 +Patch06: 0006-compose-fix-infinite-loop-in-parser-on-some-inputs.patch +# Bug 1643073 - CVE-2018-15855 +Patch07: 0007-xkbcomp-fix-crash-when-parsing-an-xkb_geometry-secti.patch +# Bug 1642880 - CVE-2018-15854 +Patch08: 0008-xkbcomp-fix-crashes-in-the-parser-when-geometry-toke.patch +# Bug 1642853 - CVE-2018-15853 +Patch09: 0009-xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch +# Bug 1643477 - CVE-2018-15859 +Patch10: 0010-Fail-expression-lookup-on-invalid-atoms.patch + BuildRequires: autoconf automake libtool BuildRequires: xorg-x11-util-macros byacc flex bison BuildRequires: xorg-x11-proto-devel libX11-devel @@ -52,6 +73,16 @@ X.Org X11 XKB keymap creation library development package %setup -q -n %{name}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} autoreconf -v --install || exit 1 +%patch01 -p1 +%patch02 -p1 +%patch03 -p1 +%patch04 -p1 +%patch05 -p1 +%patch06 -p1 +%patch07 -p1 +%patch08 -p1 +%patch09 -p1 +%patch10 -p1 %build %configure \ @@ -98,6 +129,15 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';' %{_libdir}/pkgconfig/xkbcommon-x11.pc %changelog +* Wed Mar 06 2019 Peter Hutterer 0.7.1-3 +- Actually apply the patch files + +* Mon Feb 11 2019 Peter Hutterer 0.7.1-2 +- Fixes for + CVE-2018-15864, CVE-2018-15863, CVE-2018-15862, CVE-2018-15861, + CVE-2018-15859 CVE-2018-15857, CVE-2018-15856, CVE-2018-15855, + CVE-2018-15854, CVE-2018-15853 + * Thu Jan 19 2017 Peter Hutterer 0.7.1-1 - xkbcommon 0.7.1