From owner-svn-ports-branches@freebsd.org Mon Oct 9 20:18:53 2017 Return-Path: Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CD937E3ACD2; Mon, 9 Oct 2017 20:18:53 +0000 (UTC) (envelope-from kwm@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9A6887DD37; Mon, 9 Oct 2017 20:18:53 +0000 (UTC) (envelope-from kwm@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v99KIqm6060370; Mon, 9 Oct 2017 20:18:52 GMT (envelope-from kwm@FreeBSD.org) Received: (from kwm@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v99KIqmx060363; Mon, 9 Oct 2017 20:18:52 GMT (envelope-from kwm@FreeBSD.org) Message-Id: <201710092018.v99KIqmx060363@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kwm set sender to kwm@FreeBSD.org using -f From: Koop Mast Date: Mon, 9 Oct 2017 20:18:52 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r451638 - in branches/2017Q4/x11-servers: xorg-nestserver xorg-server xorg-server/files xorg-vfbserver xwayland X-SVN-Group: ports-branches X-SVN-Commit-Author: kwm X-SVN-Commit-Paths: in branches/2017Q4/x11-servers: xorg-nestserver xorg-server xorg-server/files xorg-vfbserver xwayland X-SVN-Commit-Revision: 451638 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Oct 2017 20:18:53 -0000 Author: kwm Date: Mon Oct 9 20:18:52 2017 New Revision: 451638 URL: https://svnweb.freebsd.org/changeset/ports/451638 Log: MFH: r451632 Fix security issues: CVE-2017-13721 and CVE-2017-13723 in xorg-server. Bump all the slaves due to not being sure where the shared code is used. Security: 4f8ffb9c-f388-4fbd-b90f-b3131559d888 Approved by: ports-secteam (swills@) Added: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-13721 - copied unchanged from r451632, head/x11-servers/xorg-server/files/patch-CVE-2017-13721 branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-13723 - copied unchanged from r451632, head/x11-servers/xorg-server/files/patch-CVE-2017-13723 Modified: branches/2017Q4/x11-servers/xorg-nestserver/Makefile branches/2017Q4/x11-servers/xorg-server/Makefile branches/2017Q4/x11-servers/xorg-vfbserver/Makefile branches/2017Q4/x11-servers/xwayland/Makefile Directory Properties: branches/2017Q4/ (props changed) Modified: branches/2017Q4/x11-servers/xorg-nestserver/Makefile ============================================================================== --- branches/2017Q4/x11-servers/xorg-nestserver/Makefile Mon Oct 9 20:08:53 2017 (r451637) +++ branches/2017Q4/x11-servers/xorg-nestserver/Makefile Mon Oct 9 20:18:52 2017 (r451638) @@ -3,6 +3,7 @@ PORTNAME= xorg-nestserver PORTVERSION= 1.19.1 +PORTREVISION= 1 PORTEPOCH= 2 COMMENT= Nesting X server from X.Org @@ -25,6 +26,9 @@ CONFIGURE_ARGS+=--enable-xnest --disable-dmx --disable --disable-xwayland PLIST_FILES= bin/Xnest man/man1/Xnest.1.gz + +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 do-install: cd ${WRKSRC}/hw/xnest; DESTDIR=${STAGEDIR} ${MAKE} install Modified: branches/2017Q4/x11-servers/xorg-server/Makefile ============================================================================== --- branches/2017Q4/x11-servers/xorg-server/Makefile Mon Oct 9 20:08:53 2017 (r451637) +++ branches/2017Q4/x11-servers/xorg-server/Makefile Mon Oct 9 20:18:52 2017 (r451638) @@ -3,7 +3,7 @@ PORTNAME?= xorg-server PORTVERSION?= 1.18.4 -PORTREVISION?= 3 +PORTREVISION?= 4 PORTEPOCH?= 1 CATEGORIES= x11-servers MASTER_SITES= XORG/individual/xserver Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-13721 (from r451632, head/x11-servers/xorg-server/files/patch-CVE-2017-13721) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-13721 Mon Oct 9 20:18:52 2017 (r451638, copy of r451632, head/x11-servers/xorg-server/files/patch-CVE-2017-13721) @@ -0,0 +1,26 @@ +From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Fri, 28 Jul 2017 16:27:10 +0200 +Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721) + +Otherwise it can belong to a non-existing client and abort X server with +FatalError "client not in use", or overwrite existing segment of another +existing client. + +Signed-off-by: Julien Cristau + +diff --git a/Xext/shm.c b/Xext/shm.c +index 91ea90b..2f9a788 100644 +--- Xext/shm.c ++++ Xext/shm.c +@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client) + }; + + REQUEST_SIZE_MATCH(xShmCreateSegmentReq); ++ LEGAL_NEW_RESOURCE(stuff->shmseg, client); + if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) { + client->errorValue = stuff->readOnly; + return BadValue; +-- +cgit v0.10.2 + Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-13723 (from r451632, head/x11-servers/xorg-server/files/patch-CVE-2017-13723) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-13723 Mon Oct 9 20:18:52 2017 (r451638, copy of r451632, head/x11-servers/xorg-server/files/patch-CVE-2017-13723) @@ -0,0 +1,115 @@ +From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001 +From: Keith Packard +Date: Thu, 27 Jul 2017 10:08:32 -0700 +Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723) + +Generating strings for XKB data used a single shared static buffer, +which offered several opportunities for errors. Use a ring of +resizable buffers instead, to avoid problems when strings end up +longer than anticipated. + +Reviewed-by: Michal Srb +Signed-off-by: Keith Packard +Signed-off-by: Julien Cristau + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index ead2b1a..d2a2567 100644 +--- xkb/xkbtext.c ++++ xkb/xkbtext.c +@@ -47,23 +47,27 @@ + + /***====================================================================***/ + +-#define BUFFER_SIZE 512 +- +-static char textBuffer[BUFFER_SIZE]; +-static int tbNext = 0; ++#define NUM_BUFFER 8 ++static struct textBuffer { ++ int size; ++ char *buffer; ++} textBuffer[NUM_BUFFER]; ++static int textBufferIndex; + + static char * + tbGetBuffer(unsigned size) + { +- char *rtrn; ++ struct textBuffer *tb; + +- if (size >= BUFFER_SIZE) +- return NULL; +- if ((BUFFER_SIZE - tbNext) <= size) +- tbNext = 0; +- rtrn = &textBuffer[tbNext]; +- tbNext += size; +- return rtrn; ++ tb = &textBuffer[textBufferIndex]; ++ textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER; ++ ++ if (size > tb->size) { ++ free(tb->buffer); ++ tb->buffer = xnfalloc(size); ++ tb->size = size; ++ } ++ return tb->buffer; + } + + /***====================================================================***/ +@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format) + int len; + + len = strlen(atmstr) + 1; +- if (len > BUFFER_SIZE) +- len = BUFFER_SIZE - 2; + rtrn = tbGetBuffer(len); + strlcpy(rtrn, atmstr, len); + } +@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + len = strlen(tmp) + 1; + if (format == XkbCFile) + len += 4; +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len); + if (format == XkbCFile) { + strcpy(rtrn, "vmod_"); +@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + return rtrn; + } + ++#define VMOD_BUFFER_SIZE 512 ++ + char * + XkbVModMaskText(XkbDescPtr xkb, + unsigned modMask, unsigned mask, unsigned format) +@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb, + register int i, bit; + int len; + char *mm, *rtrn; +- char *str, buf[BUFFER_SIZE]; ++ char *str, buf[VMOD_BUFFER_SIZE]; + + if ((modMask == 0) && (mask == 0)) { + rtrn = tbGetBuffer(5); +@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= BUFFER_SIZE) { ++ if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { + if (str != buf) { + if (format == XkbCFile) + *str++ = '|'; +@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb, + len = 0; + if (str) + len += strlen(str) + (mm == NULL ? 0 : 1); +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len + 1); + rtrn[0] = '\0'; + +-- +cgit v0.10.2 + Modified: branches/2017Q4/x11-servers/xorg-vfbserver/Makefile ============================================================================== --- branches/2017Q4/x11-servers/xorg-vfbserver/Makefile Mon Oct 9 20:08:53 2017 (r451637) +++ branches/2017Q4/x11-servers/xorg-vfbserver/Makefile Mon Oct 9 20:18:52 2017 (r451638) @@ -3,6 +3,7 @@ PORTNAME= xorg-vfbserver PORTVERSION= 1.19.1 +PORTREVISION= 1 PORTEPOCH= 1 COMMENT= X virtual framebuffer server from X.Org @@ -23,6 +24,9 @@ CONFIGURE_ARGS+=--enable-xvfb --disable-dmx --disable- --disable-xwayland PLIST_FILES= bin/Xvfb man/man1/Xvfb.1.gz + +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 do-install: cd ${WRKSRC}/hw/vfb; DESTDIR=${STAGEDIR} ${MAKE} install Modified: branches/2017Q4/x11-servers/xwayland/Makefile ============================================================================== --- branches/2017Q4/x11-servers/xwayland/Makefile Mon Oct 9 20:08:53 2017 (r451637) +++ branches/2017Q4/x11-servers/xwayland/Makefile Mon Oct 9 20:18:52 2017 (r451638) @@ -2,6 +2,7 @@ PORTNAME= xwayland PORTVERSION= 1.19.1 +PORTREVISION= 1 COMMENT= X Clients under Wayland @@ -27,6 +28,9 @@ CONFIGURE_ARGS+= --disable-docs --disable-devel-docs \ --disable-xquartz --disable-xwin PLIST_FILES= bin/Xwayland + +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 do-install: cd ${WRKSRC}/hw/xwayland; DESTDIR=${STAGEDIR} ${MAKE_CMD} install