Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/clisp-remove-failing-test.patch | 43 | ||||
-rw-r--r-- | gnu/packages/patches/cube-nocheck.patch | 16 | ||||
-rw-r--r-- | gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch | 210 | ||||
-rw-r--r-- | gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch | 34 | ||||
-rw-r--r-- | gnu/packages/patches/openocd-nrf52.patch | 64 | ||||
-rw-r--r-- | gnu/packages/patches/python-nose-timer-drop-ordereddict.patch | 44 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-13711.patch | 89 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-14167.patch | 69 | ||||
-rw-r--r-- | gnu/packages/patches/xorg-server-CVE-2017-10971.patch | 153 | ||||
-rw-r--r-- | gnu/packages/patches/xorg-server-CVE-2017-10972.patch | 35 |
10 files changed, 371 insertions, 386 deletions
diff --git a/gnu/packages/patches/clisp-remove-failing-test.patch b/gnu/packages/patches/clisp-remove-failing-test.patch new file mode 100644 index 0000000000..e44ce80f74 --- /dev/null +++ b/gnu/packages/patches/clisp-remove-failing-test.patch @@ -0,0 +1,43 @@ +This test doesn't ever complete or timeout + +--- + tests/socket.tst | 24 ------------------------ + 1 file changed, 24 deletions(-) + +diff --git a/tests/socket.tst b/tests/socket.tst +index 93c6310..1d976ff 100644 +--- a/tests/socket.tst ++++ b/tests/socket.tst +@@ -551,30 +551,6 @@ T + interfaces)) + ("0.0.0.0" "127.0.0.1" "0.0.0.0" "127.0.0.1") + +-(multiple-value-bind (run args) (cmd-args) +- (let ((se (socket:socket-server))) +- (ext:run-program run :arguments (append args (list "-q" "-q" "-x" (format nil "(close (socket:socket-connect ~D))" (socket:socket-server-port se)))) +- :wait nil :input nil :output nil) +- (unwind-protect +- (with-open-stream (so (socket:socket-accept se)) +- (list +- (socket:socket-status so) +- (write-line "foo" so) +- (socket:socket-status so) +- #+macos (handler-case (read-char so) +- (end-of-file (c) +- (princ 'read-char) (princ-error c) t)) +- #-macos (check-os-error (read-char so) (:ECONNRESET 104)) +- (null (member (socket:socket-status so) '(:EOF :APPEND))) +- #+macos (string= (write-line "bar" so) "bar") +- #-macos (check-os-error (write-line "bar" so) (:EPIPE 32)) +- (null (member (socket:socket-status so) '(:EOF :APPEND))) +- (handler-case (read-char so) +- (end-of-file (c) +- (princ 'read-char) (princ-error c) 'end-of-file)))) +- (socket:socket-server-close se)))) +-(:OUTPUT "foo" :OUTPUT T NIL T NIL END-OF-FILE) +- + ;; https://sourceforge.net/p/clisp/feature-requests/46/ + (check-os-error (socket:socket-connect 0) + #-(or win32 macos) (:ECONNREFUSED 111) +-- + diff --git a/gnu/packages/patches/cube-nocheck.patch b/gnu/packages/patches/cube-nocheck.patch new file mode 100644 index 0000000000..576044e622 --- /dev/null +++ b/gnu/packages/patches/cube-nocheck.patch 
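Review bot: The new patch's only explanation is the header line `This test doesn't ever complete or timeout`, which gives no upstream bug or commit reference, so a future updater cannot tell when the hang is fixed upstream and the patch can be dropped. The block it deletes from tests/socket.tst is the one that exercises the ECONNRESET/EPIPE handling of socket streams (the `check-os-error` forms), so that coverage is lost for the Guix build rather than only the part that hangs. Consider extending the header to record where the hang was observed and a link to the upstream report if one exists, e.g. `Remove the socket-reset test, which hangs in the Guix build environment; reported upstream at <upstream-bug-url placeholder>.`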
@@ -0,0 +1,16 @@ +Unconditionally disable network check for new versions (from Fedora). + +diff -u /home/dlove/rpmbuild/BUILD/cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp\~ /home/dlove/rpmbuild/BUILD/cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp +--- cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp~ 2016-04-03 00:05:37.942066948 +0100 ++++ cube-4.3.4/src/GUI-qt/display/VersionCheckWidget.cpp 2016-05-06 17:16:31.648143908 +0100 +@@ -52,7 +52,8 @@ + url = QUrl( UPDATE_CHECK_URL ); + download = NULL; + update_Available = false; +- bool no_http = env_str2bool( getenv( "CUBE_DISABLE_HTTP_DOCS" ) ); ++ // bool no_http = env_str2bool( getenv( "CUBE_DISABLE_HTTP_DOCS" ) ); ++ bool no_http = true; + if ( !no_http ) + { + updateDescription = tr( "Check for update is not performed yet." ); + diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch new file mode 100644 index 0000000000..8e1166ba7a --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch 
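Review bot: The replacement keeps the old line as dead code, `// bool no_http = env_str2bool( getenv( "CUBE_DISABLE_HTTP_DOCS" ) );`, directly above the new `bool no_http = true;`; drop the commented-out line and state the intent instead, e.g. `// Network version checks are disabled unconditionally in this build.` The `diff -u /home/dlove/rpmbuild/BUILD/...` line is a leftover from the Fedora packager's local tree and is not needed for the patch to apply, since the `---`/`+++` lines carry the real paths. The header says the patch comes from Fedora but does not name the spec file or commit it was taken from, which would let the origin be verified.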
@@ -0,0 +1,210 @@ +http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a +http://www.openwall.com/lists/oss-security/2017/09/22/2 + +Some changes were made to make the patch apply. + +Notably, the DestroyJNG() function in the upstream diff has been replaced by +its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(), +and DestroyImage(). See +http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5. + +# HG changeset patch +# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> +# Date 1504014487 14400 +# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06 +# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2 +Fix Issue 439 + +diff -ru a/coders/png.c b/coders/png.c +--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 ++++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400 +@@ -1176,15 +1176,15 @@ + /* allocate space */ + if (length == 0) + { +- (void) ThrowException2(&image->exception,CoderWarning, +- "invalid profile length",(char *) NULL); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "invalid profile length"); + return (MagickFail); + } + info=MagickAllocateMemory(unsigned char *,length); + if (info == (unsigned char *) NULL) + { +- (void) ThrowException2(&image->exception,CoderWarning, +- "unable to copy profile",(char *) NULL); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "Unable to copy profile"); + return (MagickFail); + } + /* copy profile, skipping white space and column 1 "=" signs */ +@@ -1197,8 +1197,8 @@ + if (*sp == '\0') + { + MagickFreeMemory(info); +- (void) ThrowException2(&image->exception,CoderWarning, +- "ran out of profile data",(char *) NULL); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "ran out of profile data"); + return (MagickFail); + } + sp++; +@@ -1234,8 +1234,9 @@ + if(SetImageProfile(image,profile_name,info,length) == MagickFail) + { + MagickFreeMemory(info); +- (void) ThrowException(&image->exception,ResourceLimitError, +- MemoryAllocationFailed,"unable to copy 
profile"); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "unable to copy profile"); ++ return MagickFail; + } + MagickFreeMemory(info); + return MagickTrue; +@@ -3285,7 +3286,6 @@ + if (status == MagickFalse) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- DestroyImage(alpha_image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " could not allocate alpha_image blob"); + return ((Image *)NULL); +@@ -3534,7 +3534,7 @@ + CloseBlob(color_image); + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " Reading jng_image from color_blob."); ++ " Reading jng_image from color_blob."); + + FormatString(color_image_info->filename,"%.1024s",color_image->filename); + +@@ -3558,13 +3558,18 @@ + + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " Copying jng_image pixels to main image."); ++ " Copying jng_image pixels to main image."); + image->rows=jng_height; + image->columns=jng_width; + length=image->columns*sizeof(PixelPacket); ++ if ((jng_height == 0 || jng_width == 0) && logging) ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " jng_width=%lu jng_height=%lu", ++ (unsigned long)jng_width,(unsigned long)jng_height); + for (y=0; y < (long) image->rows; y++) + { +- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception); ++ s=AcquireImagePixels(jng_image,0,y,image->columns,1, ++ &image->exception); + q=SetImagePixels(image,0,y,image->columns,1); + (void) memcpy(q,s,length); + if (!SyncImagePixels(image)) +@@ -3589,45 +3594,79 @@ + CloseBlob(alpha_image); + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " Reading opacity from alpha_blob."); ++ " Reading opacity from alpha_blob."); + + FormatString(alpha_image_info->filename,"%.1024s", + alpha_image->filename); + + jng_image=ReadImage(alpha_image_info,exception); + +- for (y=0; y < (long) image->rows; y++) ++ if (jng_image == (Image *)NULL) + { +- s=AcquireImagePixels(jng_image,0,y,image->columns,1, +- 
&image->exception); +- if (image->matte) +- { +- q=SetImagePixels(image,0,y,image->columns,1); +- for (x=(long) image->columns; x > 0; x--,q++,s++) +- q->opacity=(Quantum) MaxRGB-s->red; +- } +- else ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " jng_image is NULL."); ++ if (color_image_info) ++ DestroyImageInfo(color_image_info); ++ if (alpha_image_info) ++ DestroyImageInfo(alpha_image_info); ++ if (color_image) ++ DestroyImage(color_image); ++ if (alpha_image) ++ DestroyImage(alpha_image); ++ } ++ else ++ { ++ ++ if (logging) + { +- q=SetImagePixels(image,0,y,image->columns,1); +- for (x=(long) image->columns; x > 0; x--,q++,s++) +- { +- q->opacity=(Quantum) MaxRGB-s->red; +- if (q->opacity != OpaqueOpacity) +- image->matte=MagickTrue; +- } ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " Read jng_image."); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " jng_image->width=%lu, jng_image->height=%lu", ++ (unsigned long)jng_width,(unsigned long)jng_height); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " image->rows=%lu, image->columns=%lu", ++ (unsigned long)image->rows, ++ (unsigned long)image->columns); + } +- if (!SyncImagePixels(image)) +- break; +- } +- (void) LiberateUniqueFileResource(alpha_image->filename); +- DestroyImage(alpha_image); +- alpha_image = (Image *)NULL; +- DestroyImageInfo(alpha_image_info); +- alpha_image_info = (ImageInfo *)NULL; +- (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " Destroy the JNG image"); +- DestroyImage(jng_image); +- jng_image = (Image *)NULL; ++ ++ for (y=0; y < (long) image->rows; y++) ++ { ++ s=AcquireImagePixels(jng_image,0,y,image->columns,1, ++ &image->exception); ++ if (image->matte) ++ { ++ q=SetImagePixels(image,0,y,image->columns,1); ++ for (x=(long) image->columns; x > 0; x--,q++,s++) ++ q->opacity=(Quantum) MaxRGB-s->red; ++ } ++ else ++ { ++ q=SetImagePixels(image,0,y,image->columns,1); ++ for (x=(long) image->columns; x > 0; x--,q++,s++) ++ { ++ 
q->opacity=(Quantum) MaxRGB-s->red; ++ if (q->opacity != OpaqueOpacity) ++ image->matte=MagickTrue; ++ } ++ } ++ if (!SyncImagePixels(image)) ++ break; ++ } ++ (void) LiberateUniqueFileResource(alpha_image->filename); ++ if (color_image_info) ++ DestroyImageInfo(color_image_info); ++ if (alpha_image_info) ++ DestroyImageInfo(alpha_image_info); ++ if (color_image) ++ DestroyImage(color_image); ++ if (alpha_image) ++ DestroyImage(alpha_image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " Destroy the JNG image"); ++ DestroyImage(jng_image); ++ jng_image = (Image *)NULL; ++ } + } + } diff --git a/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch b/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch new file mode 100644 index 0000000000..9f8713e3d3 --- /dev/null +++ b/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch @@ -0,0 +1,34 @@ +From 354ef78aac0b887fae3c10b28eb2b0d83f66bdfe Mon Sep 17 00:00:00 2001 +From: Julien Lepiller <julien@lepiller.eu> +Date: Mon, 2 Jan 2017 17:05:24 +0100 +Subject: [PATCH] Honor SOURCE_DATE_EPOCH + +--- + Makefile.in | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index a32b4b8..ef4c174 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -113,11 +113,16 @@ graph.cmx: $(CMI) $(CMX) + $(OCAMLOPT) $(INCLUDES) -pack -o $@ $^ + + VERSION=1.8.7 ++ifdef SOURCE_DATE_EPOCH ++BUILD_DATE=$(shell date -u -d "@$(SOURCE_DATE_EPOCH)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" 2>/dev/null || date) ++else ++BUILD_DATE=$(shell date) ++endif + + src/version.ml: Makefile + rm -f $@ + echo "let version = \""$(VERSION)"\"" > $@ +- echo "let date = \""`date`"\"" >> $@ ++ echo "let date = \""$(BUILD_DATE)"\"" >> $@ + + # gtk2 graph editor + ################### +-- +2.11.0 + diff --git a/gnu/packages/patches/openocd-nrf52.patch b/gnu/packages/patches/openocd-nrf52.patch index 792575df78..0ec4348cb4 100644 --- a/gnu/packages/patches/openocd-nrf52.patch 
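Review bot: In the new `if (jng_image == (Image *)NULL)` branch, and again in the cleanup at the end of the `else` branch, `color_image_info`, `alpha_image_info`, `color_image` and `alpha_image` are destroyed but never reset, whereas the removed lines did `alpha_image = (Image *)NULL;` and `alpha_image_info = (ImageInfo *)NULL;` after destroying them. The enclosing function continues past the hunk, so if any later code tests or destroys these pointers this becomes a double free or use-after-free; since the header says upstream's DestroyJNG() was expanded by hand here, this divergence is Guix-local and worth checking against upstream's helper. The NULL branch also falls through instead of returning, so it is worth confirming the code after the hunk tolerates a missing alpha plane. Resetting all four pointers after each destroy block restores the previous invariant:
```c
if (jng_image == (Image *)NULL)
  {
    /* … unchanged: LogMagickEvent "jng_image is NULL." … */
    if (color_image_info)
      DestroyImageInfo(color_image_info);
    color_image_info = (ImageInfo *)NULL;
    if (alpha_image_info)
      DestroyImageInfo(alpha_image_info);
    alpha_image_info = (ImageInfo *)NULL;
    if (color_image)
      DestroyImage(color_image);
    color_image = (Image *)NULL;
    if (alpha_image)
      DestroyImage(alpha_image);
    alpha_image = (Image *)NULL;
  }
/* … unchanged: else branch; apply the same four resets after its Destroy* calls … */
```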
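Review bot: When both `date -u -d "@$(SOURCE_DATE_EPOCH)"` and `date -u -r "$(SOURCE_DATE_EPOCH)"` fail, the added BUILD_DATE rule silently falls back to plain `date`, so a malformed SOURCE_DATE_EPOCH produces a non-reproducible build with no diagnostic, which is the case the patch exists to prevent. Failing loudly at make level keeps the shell chain short and makes the problem visible. Note also that `$(BUILD_DATE)` is interpolated outside the double quotes in the `echo` line (as the backticked `date` already was), so the shell word-splits it and collapses runs of spaces; harmless for the output, but worth a comment such as `# Honor SOURCE_DATE_EPOCH so src/version.ml is reproducible.` above the `ifdef`.
```makefile
ifdef SOURCE_DATE_EPOCH
BUILD_DATE=$(shell date -u -d "@$(SOURCE_DATE_EPOCH)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" 2>/dev/null)
ifeq ($(BUILD_DATE),)
$(error SOURCE_DATE_EPOCH is set but could not be parsed)
endif
else
BUILD_DATE=$(shell date)
endif
```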
+++ b/gnu/packages/patches/openocd-nrf52.patch @@ -21,19 +21,19 @@ Signed-off-by: Michael Dietz <mjdietzx@gmail.com> --- diff --git a/src/flash/nor/Makefile.am b/src/flash/nor/Makefile.am -index c167e8f..b6a2be3 100644 +index 727e4f2..839667c 100644 --- a/src/flash/nor/Makefile.am +++ b/src/flash/nor/Makefile.am -@@ -37,6 +37,7 @@ NOR_DRIVERS = \ - niietcm4.c \ - non_cfi.c \ - nrf51.c \ -+ nrf52.c \ - numicro.c \ - ocl.c \ - pic32mx.c \ +@@ -36,6 +36,7 @@ NOR_DRIVERS = \ + %D%/niietcm4.c \ + %D%/non_cfi.c \ + %D%/nrf51.c \ ++ %D%/nrf52.c \ + %D%/numicro.c \ + %D%/ocl.c \ + %D%/pic32mx.c \ diff --git a/src/flash/nor/drivers.c b/src/flash/nor/drivers.c -index 56a5cb2..3e071bd 100644 +index 56a5cb2..071273e 100644 --- a/src/flash/nor/drivers.c +++ b/src/flash/nor/drivers.c @@ -48,6 +48,7 @@ extern struct flash_driver mdr_flash; @@ -48,7 +48,7 @@ index 56a5cb2..3e071bd 100644 &mrvlqspi_flash, &niietcm4_flash, &nrf51_flash, -+ &nrf52_flash, ++ &nrf52_flash, &numicro_flash, &ocl_flash, &pic32mx_flash, @@ -792,47 +792,31 @@ index 0000000..7f2bd35 + .protect_check = nrf52_protect_check, +}; diff --git a/tcl/target/nrf52.cfg b/tcl/target/nrf52.cfg -index c1cbf1a..a2567ff 100644 +index c1cbf1a..41a22ff 100644 --- a/tcl/target/nrf52.cfg 
+++ b/tcl/target/nrf52.cfg -@@ -5,15 +5,22 @@ - source [find target/swj-dp.tcl] +@@ -10,6 +10,13 @@ if { [info exists CHIPNAME] } { + set _CHIPNAME nrf52 + } - if { [info exists CHIPNAME] } { -- set _CHIPNAME $CHIPNAME -+ set _CHIPNAME $CHIPNAME - } else { -- set _CHIPNAME nrf52 -+ set _CHIPNAME nrf52 -+} -+ +# Work-area is a space in RAM used for flash programming, by default use 16kB. +if { [info exists WORKAREASIZE] } { -+ set _WORKAREASIZE $WORKAREASIZE ++ set _WORKAREASIZE $WORKAREASIZE +} else { -+ set _WORKAREASIZE 0x4000 - } - ++ set _WORKAREASIZE 0x4000 ++} ++ if { [info exists CPUTAPID] } { -- set _CPUTAPID $CPUTAPID -+ set _CPUTAPID $CPUTAPID + set _CPUTAPID $CPUTAPID } else { -- set _CPUTAPID 0x2ba01477 -+ set _CPUTAPID 0x2ba01477 - } - - swj_newdap $_CHIPNAME cpu -expected-id $_CPUTAPID -@@ -21,8 +28,15 @@ swj_newdap $_CHIPNAME cpu -expected-id $_CPUTAPID - set _TARGETNAME $_CHIPNAME.cpu +@@ -22,7 +29,15 @@ set _TARGETNAME $_CHIPNAME.cpu target create $_TARGETNAME cortex_m -chain-position $_TARGETNAME --adapter_khz 10000 + adapter_khz 10000 +$_TARGETNAME configure -work-area-phys 0x20000000 -work-area-size $_WORKAREASIZE -work-area-backup 0 --if { ![using_hla] } { -- cortex_m reset_config sysresetreq -+if {![using_hla]} { -+ cortex_m reset_config sysresetreq + if { ![using_hla] } { + cortex_m reset_config sysresetreq } + +flash bank $_CHIPNAME.flash nrf52 0x00000000 0 1 1 $_TARGETNAME diff --git a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch new file mode 100644 index 0000000000..e1e71a332a --- /dev/null +++ b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch 
@@ -0,0 +1,44 @@ +From 700076019b5aff72aac7651cc830aaef21ee9a47 Mon Sep 17 00:00:00 2001 +From: jakirkham <jakirkham@gmail.com> +Date: Fri, 7 Jul 2017 05:57:56 -0400 +Subject: [PATCH] Drop ordereddict requirement (#84) + +* Drop ordereddict requirement + +As Python 2.7 is the minimum Python supported, every version of Python +should have `ordereddict` preincluded in the standard library one way or +another. So we can drop this dependency and just handle the differences +between Python 2 and Python 3. +--- + nosetimer/plugin.py | 5 +---- + setup.py | 1 - + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/nosetimer/plugin.py b/nosetimer/plugin.py +index ef28e11..d093a51 100644 +--- a/nosetimer/plugin.py ++++ b/nosetimer/plugin.py +@@ -12,10 +12,7 @@ + except ImportError: + import queue as Queue + +-try: +- from collections import OrderedDict +-except ImportError: +- from ordereddict import OrderedDict ++from collections import OrderedDict + + + # define constants +diff --git a/setup.py b/setup.py +index 6a55b82..d249325 100755 +--- a/setup.py ++++ b/setup.py +@@ -27,7 +27,6 @@ + install_requires=[ + 'nose', + 'termcolor', +- 'ordereddict', + ], + license='MIT', + entry_points={ diff --git a/gnu/packages/patches/qemu-CVE-2017-13711.patch b/gnu/packages/patches/qemu-CVE-2017-13711.patch deleted file mode 100644 index 4070115419..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-13711.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -Fix CVE-2017-13711: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1201d308519f1e915866d7583d5136d03cc1d384 - -From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001 -From: Samuel Thibault <samuel.thibault@ens-lyon.org> -Date: Fri, 25 Aug 2017 01:35:53 +0200 -Subject: [PATCH] slirp: fix clearing ifq_so from pending packets -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The if_fastq and if_batchq contain not only packets, but queues of packets -for the same socket. When sofree frees a socket, it thus has to clear ifq_so -from all the packets from the queues, not only the first. - -Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> -Cc: qemu-stable@nongnu.org -Signed-off-by: Peter Maydell <peter.maydell@linaro.org> ---- - slirp/socket.c | 39 +++++++++++++++++++++++---------------- - 1 file changed, 23 insertions(+), 16 deletions(-) - -diff --git a/slirp/socket.c b/slirp/socket.c -index ecec0295a9..cb7b5b608d 100644 ---- a/slirp/socket.c -+++ b/slirp/socket.c -@@ -59,6 +59,27 @@ socreate(Slirp *slirp) - return(so); - } - -+/* -+ * Remove references to so from the given message queue. 
-+ */ -+static void -+soqfree(struct socket *so, struct quehead *qh) -+{ -+ struct mbuf *ifq; -+ -+ for (ifq = (struct mbuf *) qh->qh_link; -+ (struct quehead *) ifq != qh; -+ ifq = ifq->ifq_next) { -+ if (ifq->ifq_so == so) { -+ struct mbuf *ifm; -+ ifq->ifq_so = NULL; -+ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) { -+ ifm->ifq_so = NULL; -+ } -+ } -+ } -+} -+ - /* - * remque and free a socket, clobber cache - */ -@@ -66,23 +87,9 @@ void - sofree(struct socket *so) - { - Slirp *slirp = so->slirp; -- struct mbuf *ifm; - -- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link; -- (struct quehead *) ifm != &slirp->if_fastq; -- ifm = ifm->ifq_next) { -- if (ifm->ifq_so == so) { -- ifm->ifq_so = NULL; -- } -- } -- -- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link; -- (struct quehead *) ifm != &slirp->if_batchq; -- ifm = ifm->ifq_next) { -- if (ifm->ifq_so == so) { -- ifm->ifq_so = NULL; -- } -- } -+ soqfree(so, &slirp->if_fastq); -+ soqfree(so, &slirp->if_batchq); - - if (so->so_emu==EMU_RSH && so->extra) { - sofree(so->extra); --- -2.14.1 - diff --git a/gnu/packages/patches/qemu-CVE-2017-14167.patch b/gnu/packages/patches/qemu-CVE-2017-14167.patch deleted file mode 100644 index a6007ac082..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-14167.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -Fix CVE-2017-14167: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167 -http://seclists.org/oss-sec/2017/q3/407 - -Patch copied from upstream development mailing list: - -https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html - -From: Prasad J Pandit <address@hidden> - -While loading kernel via multiboot-v1 image, (flags & 0x00010000) -indicates that multiboot header contains valid addresses to load -the kernel image. These addresses are used to compute kernel -size and kernel text offset in the OS image. Validate these -address values to avoid an OOB access issue. - -This is CVE-2017-14167. - -Reported-by: Thomas Garnier <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/i386/multiboot.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -Update: add CVE-ID to the commit message. - -diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c -index 6001f4caa2..c7b70c91d5 100644 ---- a/hw/i386/multiboot.c -+++ b/hw/i386/multiboot.c -@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg, - uint32_t mh_header_addr = ldl_p(header+i+12); - uint32_t mh_load_end_addr = ldl_p(header+i+20); - uint32_t mh_bss_end_addr = ldl_p(header+i+24); -+ - mh_load_addr = ldl_p(header+i+16); -+ if (mh_header_addr < mh_load_addr) { -+ fprintf(stderr, "invalid mh_load_addr address\n"); -+ exit(1); -+ } -+ - uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr); - uint32_t mb_load_size = 0; - mh_entry_addr = ldl_p(header+i+28); - - if (mh_load_end_addr) { -+ if (mh_bss_end_addr < mh_load_addr) { -+ fprintf(stderr, "invalid mh_bss_end_addr address\n"); -+ exit(1); -+ } - mb_kernel_size = mh_bss_end_addr - mh_load_addr; -+ -+ if (mh_load_end_addr < mh_load_addr) { -+ fprintf(stderr, "invalid mh_load_end_addr address\n"); -+ exit(1); -+ } - mb_load_size = mh_load_end_addr - mh_load_addr; - } else { -+ if (kernel_file_size < mb_kernel_text_offset) { -+ fprintf(stderr, "invalid 
kernel_file_size\n"); -+ exit(1); -+ } - mb_kernel_size = kernel_file_size - mb_kernel_text_offset; - mb_load_size = mb_kernel_size; - } --- -2.13.5 - diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch b/gnu/packages/patches/xorg-server-CVE-2017-10971.patch deleted file mode 100644 index 2696033e58..0000000000 --- a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch +++ /dev/null 
@@ -1,153 +0,0 @@ -From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001 -From: Michal Srb <msrb@suse.com> -Date: Wed, 24 May 2017 15:54:40 +0300 -Subject: dix: Disallow GenericEvent in SendEvent request. - -The SendEvent request holds xEvent which is exactly 32 bytes long, no more, -no less. Both ProcSendEvent and SProcSendEvent verify that the received data -exactly match the request size. However nothing stops the client from passing -in event with xEvent::type = GenericEvent and any value of -xGenericEvent::length. - -In the case of ProcSendEvent, the event will be eventually passed to -WriteEventsToClient which will see that it is Generic event and copy the -arbitrary length from the receive buffer (and possibly past it) and send it to -the other client. This allows clients to copy unitialized heap memory out of X -server or to crash it. - -In case of SProcSendEvent, it will attempt to swap the incoming event by -calling a swapping function from the EventSwapVector array. The swapped event -is written to target buffer, which in this case is local xEvent variable. The -xEvent variable is 32 bytes long, but the swapping functions for GenericEvents -expect that the target buffer has size matching the size of the source -GenericEvent. This allows clients to cause stack buffer overflows. - -Signed-off-by: Michal Srb <msrb@suse.com> -Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> -Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> - -diff --git a/dix/events.c b/dix/events.c -index 3e3a01e..d3a33ea 100644 ---- a/dix/events.c -+++ b/dix/events.c -@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) - client->errorValue = stuff->event.u.u.type; - return BadValue; - } -+ /* Generic events can have variable size, but SendEvent request holds -+ exactly 32B of event data. 
*/ -+ if (stuff->event.u.u.type == GenericEvent) { -+ client->errorValue = stuff->event.u.u.type; -+ return BadValue; -+ } - if (stuff->event.u.u.type == ClientMessage && - stuff->event.u.u.detail != 8 && - stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { -diff --git a/dix/swapreq.c b/dix/swapreq.c -index 719e9b8..6785059 100644 ---- a/dix/swapreq.c -+++ b/dix/swapreq.c -@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) - swapl(&stuff->destination); - swapl(&stuff->eventMask); - -+ /* Generic events can have variable size, but SendEvent request holds -+ exactly 32B of event data. */ -+ if (stuff->event.u.u.type == GenericEvent) { -+ client->errorValue = stuff->event.u.u.type; -+ return BadValue; -+ } -+ - /* Swap event */ - proc = EventSwapVector[stuff->event.u.u.type & 0177]; - if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ --- -cgit v0.10.2 - -From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001 -From: Michal Srb <msrb@suse.com> -Date: Wed, 24 May 2017 15:54:41 +0300 -Subject: Xi: Verify all events in ProcXSendExtensionEvent. - -The requirement is that events have type in range -EXTENSION_EVENT_BASE..lastEvent, but it was tested -only for first event of all. - -Signed-off-by: Michal Srb <msrb@suse.com> -Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> -Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> - -diff --git a/Xi/sendexev.c b/Xi/sendexev.c -index 1cf118a..5e63bfc 100644 ---- a/Xi/sendexev.c -+++ b/Xi/sendexev.c -@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) - int - ProcXSendExtensionEvent(ClientPtr client) - { -- int ret; -+ int ret, i; - DeviceIntPtr dev; - xEvent *first; - XEventClass *list; -@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) - /* The client's event type must be one defined by an extension. 
*/ - - first = ((xEvent *) &stuff[1]); -- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && -- (first->u.u.type < lastEvent))) { -- client->errorValue = first->u.u.type; -- return BadValue; -+ for (i = 0; i < stuff->num_events; i++) { -+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && -+ (first[i].u.u.type < lastEvent))) { -+ client->errorValue = first[i].u.u.type; -+ return BadValue; -+ } - } - - list = (XEventClass *) (first + stuff->num_events); --- -cgit v0.10.2 - -From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 -From: Michal Srb <msrb@suse.com> -Date: Wed, 24 May 2017 15:54:42 +0300 -Subject: Xi: Do not try to swap GenericEvent. - -The SProcXSendExtensionEvent must not attempt to swap GenericEvent because -it is assuming that the event has fixed size and gives the swapping function -xEvent-sized buffer. - -A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. - -Signed-off-by: Michal Srb <msrb@suse.com> -Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> -Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> - -diff --git a/Xi/sendexev.c b/Xi/sendexev.c -index 5e63bfc..5c2e0fc 100644 ---- a/Xi/sendexev.c -+++ b/Xi/sendexev.c -@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) - - eventP = (xEvent *) &stuff[1]; - for (i = 0; i < stuff->num_events; i++, eventP++) { -+ if (eventP->u.u.type == GenericEvent) { -+ client->errorValue = eventP->u.u.type; -+ return BadValue; -+ } -+ - proc = EventSwapVector[eventP->u.u.type & 0177]; -- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ -+ /* no swapping proc; invalid event type? */ -+ if (proc == NotImplemented) { -+ client->errorValue = eventP->u.u.type; - return BadValue; -+ } - (*proc) (eventP, &eventT); - *eventP = eventT; - } --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch b/gnu/packages/patches/xorg-server-CVE-2017-10972.patch deleted file mode 100644 index f24e9c0ae6..0000000000 
--- a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 -From: Michal Srb <msrb@suse.com> -Date: Wed, 24 May 2017 15:54:39 +0300 -Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. - -Make sure that the xEvent eventT is initialized with zeros, the same way as -in SProcSendEvent. - -Some event swapping functions do not overwrite all 32 bytes of xEvent -structure, for example XSecurityAuthorizationRevoked. Two cooperating -clients, one swapped and the other not, can send -XSecurityAuthorizationRevoked event to each other to retrieve old stack data -from X server. This can be potentialy misused to go around ASLR or -stack-protector. - -Signed-off-by: Michal Srb <msrb@suse.com> -Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> -Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> - -diff --git a/Xi/sendexev.c b/Xi/sendexev.c -index 11d8202..1cf118a 100644 ---- a/Xi/sendexev.c -+++ b/Xi/sendexev.c -@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) - { - CARD32 *p; - int i; -- xEvent eventT; -+ xEvent eventT = { .u.u.type = 0 }; - xEvent *eventP; - EventSwapPtr proc; - --- -cgit v0.10.2 - |