From 39366733c3fe943363566756e2e152c45a1b3cb2 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Fri, 25 May 2018 23:29:36 +0000 Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific. --- .../xorg-server/xorg-server.CVE-2017-13723.diff | 116 +++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff (limited to 'patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff') diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff new file mode 100644 index 000000000..6e37be485 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff @@ -0,0 +1,116 @@ +From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001 +From: Keith Packard +Date: Thu, 27 Jul 2017 10:08:32 -0700 +Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723) + +Generating strings for XKB data used a single shared static buffer, +which offered several opportunities for errors. Use a ring of +resizable buffers instead, to avoid problems when strings end up +longer than anticipated. + +Reviewed-by: Michal Srb +Signed-off-by: Keith Packard +Signed-off-by: Julien Cristau + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index ead2b1a..d2a2567 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -47,23 +47,27 @@ + + /***====================================================================***/ + +-#define BUFFER_SIZE 512 +- +-static char textBuffer[BUFFER_SIZE]; +-static int tbNext = 0; ++#define NUM_BUFFER 8 ++static struct textBuffer { ++ int size; ++ char *buffer; ++} textBuffer[NUM_BUFFER]; ++static int textBufferIndex; + + static char * + tbGetBuffer(unsigned size) + { +- char *rtrn; ++ struct textBuffer *tb; + +- if (size >= BUFFER_SIZE) +- return NULL; +- if ((BUFFER_SIZE - tbNext) <= size) +- tbNext = 0; +- rtrn = &textBuffer[tbNext]; +- tbNext += size; +- return rtrn; ++ tb = &textBuffer[textBufferIndex]; ++ textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER; ++ ++ if (size > tb->size) { ++ free(tb->buffer); ++ tb->buffer = xnfalloc(size); ++ tb->size = size; ++ } ++ return tb->buffer; + } + + /***====================================================================***/ +@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format) + int len; + + len = strlen(atmstr) + 1; +- if (len > BUFFER_SIZE) +- len = BUFFER_SIZE - 2; + rtrn = tbGetBuffer(len); + strlcpy(rtrn, atmstr, len); + } +@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + len = strlen(tmp) + 1; + if (format == XkbCFile) + len += 4; +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len); + if (format == XkbCFile) { + strcpy(rtrn, "vmod_"); +@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + return rtrn; + } + ++#define VMOD_BUFFER_SIZE 512 ++ + char * + XkbVModMaskText(XkbDescPtr xkb, + unsigned modMask, unsigned mask, unsigned format) +@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb, + register int i, bit; + int len; + char *mm, *rtrn; +- char *str, buf[BUFFER_SIZE]; ++ char *str, buf[VMOD_BUFFER_SIZE]; + + if ((modMask == 0) && (mask == 0)) { + rtrn = tbGetBuffer(5); +@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= BUFFER_SIZE) { ++ if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { + if (str != buf) { + if (format == XkbCFile) + *str++ = '|'; +@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb, + len = 0; + if (str) + len += strlen(str) + (mm == NULL ? 0 : 1); +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len + 1); + rtrn[0] = '\0'; + +-- +cgit v0.10.2 + + -- cgit v1.2.3