diff options
Diffstat (limited to 'gnu/packages/patches')
35 files changed, 447 insertions, 3483 deletions
diff --git a/gnu/packages/patches/binutils-mips-bash-bug.patch b/gnu/packages/patches/binutils-mips-bash-bug.patch new file mode 100644 index 0000000000..08d3a79749 --- /dev/null +++ b/gnu/packages/patches/binutils-mips-bash-bug.patch @@ -0,0 +1,22 @@ +Bash 4.2.0(1)-release, which we use during bootstrap, does not yield the +"x" case in: + + case x"$EMULATION_NAME" in x) ;; *) ;; esac + +when 'EMULATION_NAME' is undefined. Bash 4.3.30(1)-release doesn't have this +problem. Work around it. + +This Bash bug was fixed +in <http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-007>. + +--- a/ld/emulparams/elf32bmipn32-defs.sh ++++ b/ld/emulparams/elf32bmipn32-defs.sh +@@ -13,7 +13,7 @@ LITTLE_OUTPUT_FORMAT="elf32-littlemips" + TEMPLATE_NAME=elf32 + EXTRA_EM_FILE=mipself + +-case x"$EMULATION_NAME" in ++case "x$EMULATION_NAME" in + xelf32*n32*) ELFSIZE=32 ;; + xelf64*) ELFSIZE=64 ;; + x) ;; diff --git a/gnu/packages/patches/cmake-fix-tests.patch b/gnu/packages/patches/cmake-fix-tests.patch index f59e2cd625..732b0023ab 100644 --- a/gnu/packages/patches/cmake-fix-tests.patch +++ b/gnu/packages/patches/cmake-fix-tests.patch @@ -1,6 +1,17 @@ ---- cmake-3.2.2.orig/Tests/CMakeLists.txt 2015-04-14 01:09:00.000000000 +0800 -+++ cmake-3.2.2/Tests/CMakeLists.txt 2015-04-28 15:02:34.913039742 +0800 -@@ -342,10 +342,12 @@ +From af0a62dadfb3db25880bc653e2e4c97435a604c9 Mon Sep 17 00:00:00 2001 +From: Efraim Flashner <efraim@flashner.co.il> +Date: Mon, 29 Aug 2016 20:07:58 +0300 +Subject: [PATCH] cmake-fix-tests + +--- + Tests/CMakeLists.txt | 83 ++++++++++++++++++++++++++++------------------------ + 1 file changed, 44 insertions(+), 39 deletions(-) + +diff --git a/Tests/CMakeLists.txt b/Tests/CMakeLists.txt +index f21e430..56014a2 100644 +--- a/Tests/CMakeLists.txt ++++ b/Tests/CMakeLists.txt +@@ -416,10 +416,12 @@ if(BUILD_TESTING) endif() # run test for BundleUtilities on supported platforms/compilers @@ -17,7 +28,7 @@ if(NOT "${CMAKE_GENERATOR}" STREQUAL "Watcom WMake") add_test(BundleUtilities ${CMAKE_CTEST_COMMAND} -@@ -2257,16 +2259,17 @@ +@@ -2481,30 +2483,32 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release PASS_REGULAR_EXPRESSION "Could not find executable" FAIL_REGULAR_EXPRESSION "SegFault") @@ -31,6 +42,20 @@ - ) - set_tests_properties(CTestTestUpload PROPERTIES - PASS_REGULAR_EXPRESSION "Upload\\.xml") +- +- configure_file( +- "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in" +- "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" +- @ONLY ESCAPE_QUOTES) +- add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND} +- -C \${CTEST_CONFIGURATION_TYPE} +- -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV +- --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log" +- ) +- set_tests_properties(CTestCoverageCollectGCOV PROPERTIES +- PASS_REGULAR_EXPRESSION +- "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov") +- set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=) +# This test requires network connectivity: skip it. +# configure_file( +# "${CMake_SOURCE_DIR}/Tests/CTestTestUpload/test.cmake.in" @@ -42,6 +67,54 @@ +# ) +# set_tests_properties(CTestTestUpload PROPERTIES +# PASS_REGULAR_EXPRESSION "Upload\\.xml") ++ ++# This test times out ++# configure_file( ++# "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in" ++# "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" ++# @ONLY ESCAPE_QUOTES) ++# add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND} ++# -C \${CTEST_CONFIGURATION_TYPE} ++# -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV ++# --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log" ++# ) ++# set_tests_properties(CTestCoverageCollectGCOV PROPERTIES ++# PASS_REGULAR_EXPRESSION ++# "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov") ++# set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=) + + configure_file( + "${CMake_SOURCE_DIR}/Tests/CTestTestEmptyBinaryDirectory/test.cmake.in" +@@ -2860,17 +2864,18 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release + set_tests_properties(CTestTestStopTime PROPERTIES + PASS_REGULAR_EXPRESSION "The stop time has been passed") + +- configure_file( +- "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in" +- "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" +- @ONLY ESCAPE_QUOTES) +- add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND} +- -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V +- --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log" +- ) +- #make sure all 3 subdirs were added +- set_tests_properties(CTestTestSubdir PROPERTIES +- PASS_REGULAR_EXPRESSION "0 tests failed out of 3") ++# This test fails to build 2 of the 3 tests ++# configure_file( ++# "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in" ++# "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" ++# @ONLY ESCAPE_QUOTES) ++# add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND} ++# -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V ++# --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log" ++# ) ++# #make sure all 3 subdirs were added ++# set_tests_properties(CTestTestSubdir PROPERTIES ++# PASS_REGULAR_EXPRESSION "0 tests failed out of 3") configure_file( - "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in" + "${CMake_SOURCE_DIR}/Tests/CTestTestTimeout/test.cmake.in" +-- +2.9.3 + diff --git a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch deleted file mode 100644 index edc43f84f1..0000000000 --- a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch +++ /dev/null @@ -1,142 +0,0 @@ -Fix CVE-2012-6702 and CVE-2016-5300. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 - -Patch copied from: -https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u3/debian/patches/cve-2012-6702-plus-cve-2016-5300-v1.patch/ - -From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian@pipping.org> -Date: Wed, 16 Mar 2016 15:30:12 +0100 -Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0) - -Squashed backport against vanilla Expat 2.1.1, addressing: -* CVE-2012-6702 -- unanticipated internal calls to srand -* CVE-2016-5300 -- use of too little entropy - -Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d -(released with Expat 2.1.0) Expat called srand by itself -from inside generate_hash_secret_salt for an instance -of XML_Parser if XML_SetHashSalt was either (a) not called -for that instance or if (b) salt 0 was passed to XML_SetHashSalt -prior to parsing. That call to srand passed (rather litle) -entropy extracted from the current time as a seed for srand. - -That call to srand (1) broke repeatability for code calling -srand with a non-random seed prior to parsing with Expat, -and (2) resulted in a rather small set of hashing salts in -Expat in total. - -For a short- to mid-term fix, the new approach avoids calling -srand altogether, extracts more entropy out of the clock and -other sources, too. - -For a long term fix, we may want to read sizeof(long) bytes -from a source like getrandom(..) on Linux, and from similar -sources on other supported architectures. - -https://bugzilla.redhat.com/show_bug.cgi?id=1197087 ---- - CMakeLists.txt | 3 +++ - lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++------- - 2 files changed, 44 insertions(+), 7 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 353627e..524d514 100755 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -41,6 +41,9 @@ include_directories(${CMAKE_BINARY_DIR} ${CMAKE_SOURCE_DIR}/lib) - if(MSVC)
- add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996)
- endif(MSVC)
-+if(WIN32)
-+ add_definitions(-DCOMPILED_FROM_DSP)
-+endif(WIN32)
-
- set(expat_SRCS
- lib/xmlparse.c
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index e308c79..c5f942f 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -6,7 +6,14 @@ - #include <string.h> /* memset(), memcpy() */ - #include <assert.h> - #include <limits.h> /* UINT_MAX */ --#include <time.h> /* time() */ -+ -+#ifdef COMPILED_FROM_DSP -+#define getpid GetCurrentProcessId -+#else -+#include <sys/time.h> /* gettimeofday() */ -+#include <sys/types.h> /* getpid() */ -+#include <unistd.h> /* getpid() */ -+#endif - - #define XML_BUILDING_EXPAT 1 - -@@ -432,7 +439,7 @@ static ELEMENT_TYPE * - getElementType(XML_Parser parser, const ENCODING *enc, - const char *ptr, const char *end); - --static unsigned long generate_hash_secret_salt(void); -+static unsigned long generate_hash_secret_salt(XML_Parser parser); - static XML_Bool startParsing(XML_Parser parser); - - static XML_Parser -@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = { - }; - - static unsigned long --generate_hash_secret_salt(void) -+gather_time_entropy(void) - { -- unsigned int seed = time(NULL) % UINT_MAX; -- srand(seed); -- return rand(); -+#ifdef COMPILED_FROM_DSP -+ FILETIME ft; -+ GetSystemTimeAsFileTime(&ft); /* never fails */ -+ return ft.dwHighDateTime ^ ft.dwLowDateTime; -+#else -+ struct timeval tv; -+ int gettimeofday_res; -+ -+ gettimeofday_res = gettimeofday(&tv, NULL); -+ assert (gettimeofday_res == 0); -+ -+ /* Microseconds time is <20 bits entropy */ -+ return tv.tv_usec; -+#endif -+} -+ -+static unsigned long -+generate_hash_secret_salt(XML_Parser parser) -+{ -+ /* Process ID is 0 bits entropy if attacker has local access -+ * XML_Parser address is few bits of entropy if attacker has local access */ -+ const unsigned long entropy = -+ gather_time_entropy() ^ getpid() ^ (unsigned long)parser; -+ -+ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ -+ if (sizeof(unsigned long) == 4) { -+ return entropy * 2147483647; -+ } else { -+ return entropy * 2305843009213693951; -+ } - } - - static XML_Bool /* only valid for root parser */ -@@ -703,7 +737,7 @@ startParsing(XML_Parser parser) - { - /* hash functions must be initialized before setContext() is called */ - if (hash_secret_salt == 0) -- hash_secret_salt = generate_hash_secret_salt(); -+ hash_secret_salt = generate_hash_secret_salt(parser); - if (ns) { - /* implicit context only set for root parser, since child - parsers (i.e. external entity parsers) will inherit it --- -2.8.2 - diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch deleted file mode 100644 index fc8d6291f5..0000000000 --- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch +++ /dev/null @@ -1,39 +0,0 @@ -Follow-up upstream fix for CVE-2015-1283 to not rely on undefined -behavior. - -Adapted from a patch from Debian (found in Debian package version -2.1.0-6+deb8u2) to apply to upstream code: - -https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/ - ---- - lib/xmlparse.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 0f6f4cd..5c70c17 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -1727,7 +1727,8 @@ XML_GetBuffer(XML_Parser parser, int len) - } - - if (len > bufferLim - bufferEnd) { -- int neededSize = len + (int)(bufferEnd - bufferPtr); -+ /* Do not invoke signed arithmetic overflow: */ -+ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr)); - if (neededSize < 0) { - errorCode = XML_ERROR_NO_MEMORY; - return NULL; -@@ -1759,7 +1760,8 @@ XML_GetBuffer(XML_Parser parser, int len) - if (bufferSize == 0) - bufferSize = INIT_BUFFER_SIZE; - do { -- bufferSize *= 2; -+ /* Do not invoke signed arithmetic overflow: */ -+ bufferSize = (int) (2U * (unsigned) bufferSize); - } while (bufferSize < neededSize && bufferSize > 0); - if (bufferSize <= 0) { - errorCode = XML_ERROR_NO_MEMORY; --- -2.8.3 - diff --git a/gnu/packages/patches/expat-CVE-2016-0718.patch b/gnu/packages/patches/expat-CVE-2016-0718.patch deleted file mode 100644 index 22436c20cc..0000000000 --- a/gnu/packages/patches/expat-CVE-2016-0718.patch +++ /dev/null @@ -1,761 +0,0 @@ -Fix CVE-2016-0718. - -Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2. - -https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2016-0718-v2-2-1.patch/ - -From cdfcb1b5c95e93b00ae9e9d25708b4a3bee72c15 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian@pipping.org> -Date: Mon, 2 May 2016 00:02:44 +0200 -Subject: [PATCH] Address CVE-2016-0718 (/patch/ version 2.2.1) - -* Out of bounds memory access when doing text conversion on malformed input -* Integer overflow related to memory allocation - -Reported by Gustavo Grieco - -Patch credits go to -* Christian Heimes -* Karl Waclawek -* Gustavo Grieco -* Sebastian Pipping -* Pascal Cuoq ---- - expat/lib/xmlparse.c | 34 +++++++++----- - expat/lib/xmltok.c | 115 +++++++++++++++++++++++++++++++++++------------- - expat/lib/xmltok.h | 10 ++++- - expat/lib/xmltok_impl.c | 62 +++++++++++++------------- - 4 files changed, 146 insertions(+), 75 deletions(-) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index e308c79..13e080d 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -2436,11 +2436,11 @@ doContent(XML_Parser parser, - for (;;) { - int bufSize; - int convLen; -- XmlConvert(enc, -+ const enum XML_Convert_Result convert_res = XmlConvert(enc, - &fromPtr, rawNameEnd, - (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1); - convLen = (int)(toPtr - (XML_Char *)tag->buf); -- if (fromPtr == rawNameEnd) { -+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) { - tag->name.strLen = convLen; - break; - } -@@ -2661,11 +2661,11 @@ doContent(XML_Parser parser, - if (MUST_CONVERT(enc, s)) { - for (;;) { - ICHAR *dataPtr = (ICHAR *)dataBuf; -- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); -+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); - *eventEndPP = s; - charDataHandler(handlerArg, dataBuf, - (int)(dataPtr - (ICHAR *)dataBuf)); -- if (s == next) -+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) - break; - *eventPP = s; - } -@@ -3269,11 +3269,11 @@ doCdataSection(XML_Parser parser, - if (MUST_CONVERT(enc, s)) { - for (;;) { - ICHAR *dataPtr = (ICHAR *)dataBuf; -- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); -+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); - *eventEndPP = next; - charDataHandler(handlerArg, dataBuf, - (int)(dataPtr - (ICHAR *)dataBuf)); -- if (s == next) -+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) - break; - *eventPP = s; - } -@@ -5350,6 +5350,7 @@ reportDefault(XML_Parser parser, const ENCODING *enc, - const char *s, const char *end) - { - if (MUST_CONVERT(enc, s)) { -+ enum XML_Convert_Result convert_res; - const char **eventPP; - const char **eventEndPP; - if (enc == encoding) { -@@ -5362,11 +5363,11 @@ reportDefault(XML_Parser parser, const ENCODING *enc, - } - do { - ICHAR *dataPtr = (ICHAR *)dataBuf; -- XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); -+ convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); - *eventEndPP = s; - defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf)); - *eventPP = s; -- } while (s != end); -+ } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE)); - } - else - defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s)); -@@ -6169,8 +6170,8 @@ poolAppend(STRING_POOL *pool, const ENCODING *enc, - if (!pool->ptr && !poolGrow(pool)) - return NULL; - for (;;) { -- XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); -- if (ptr == end) -+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); -+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) - break; - if (!poolGrow(pool)) - return NULL; -@@ -6254,8 +6255,13 @@ poolGrow(STRING_POOL *pool) - } - } - if (pool->blocks && pool->start == pool->blocks->s) { -- int blockSize = (int)(pool->end - pool->start)*2; -- BLOCK *temp = (BLOCK *) -+ BLOCK *temp; -+ int blockSize = (int)((unsigned)(pool->end - pool->start)*2U); -+ -+ if (blockSize < 0) -+ return XML_FALSE; -+ -+ temp = (BLOCK *) - pool->mem->realloc_fcn(pool->blocks, - (offsetof(BLOCK, s) - + blockSize * sizeof(XML_Char))); -@@ -6270,6 +6276,10 @@ poolGrow(STRING_POOL *pool) - else { - BLOCK *tem; - int blockSize = (int)(pool->end - pool->start); -+ -+ if (blockSize < 0) -+ return XML_FALSE; -+ - if (blockSize < INIT_BLOCK_SIZE) - blockSize = INIT_BLOCK_SIZE; - else -diff --git a/lib/xmltok.c b/lib/xmltok.c -index bf09dfc..cb98ce1 100644 ---- a/lib/xmltok.c -+++ b/lib/xmltok.c -@@ -318,39 +318,55 @@ enum { /* UTF8_cvalN is value of masked first byte of N byte sequence */ - UTF8_cval4 = 0xf0 - }; - --static void PTRCALL -+static enum XML_Convert_Result PTRCALL - utf8_toUtf8(const ENCODING *enc, - const char **fromP, const char *fromLim, - char **toP, const char *toLim) - { -+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED; - char *to; - const char *from; - if (fromLim - *fromP > toLim - *toP) { - /* Avoid copying partial characters. */ -+ res = XML_CONVERT_OUTPUT_EXHAUSTED; - for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--) - if (((unsigned char)fromLim[-1] & 0xc0) != 0x80) - break; - } -- for (to = *toP, from = *fromP; from != fromLim; from++, to++) -+ for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++) - *to = *from; - *fromP = from; - *toP = to; -+ -+ if ((to == toLim) && (from < fromLim)) -+ return XML_CONVERT_OUTPUT_EXHAUSTED; -+ else -+ return res; - } - --static void PTRCALL -+static enum XML_Convert_Result PTRCALL - utf8_toUtf16(const ENCODING *enc, - const char **fromP, const char *fromLim, - unsigned short **toP, const unsigned short *toLim) - { -+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED; - unsigned short *to = *toP; - const char *from = *fromP; -- while (from != fromLim && to != toLim) { -+ while (from < fromLim && to < toLim) { - switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) { - case BT_LEAD2: -+ if (fromLim - from < 2) { -+ res = XML_CONVERT_INPUT_INCOMPLETE; -+ break; -+ } - *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f)); - from += 2; - break; - case BT_LEAD3: -+ if (fromLim - from < 3) { -+ res = XML_CONVERT_INPUT_INCOMPLETE; -+ break; -+ } - *to++ = (unsigned short)(((from[0] & 0xf) << 12) - | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f)); - from += 3; -@@ -358,8 +374,14 @@ utf8_toUtf16(const ENCODING *enc, - case BT_LEAD4: - { - unsigned long n; -- if (to + 1 == toLim) -+ if (toLim - to < 2) { -+ res = XML_CONVERT_OUTPUT_EXHAUSTED; - goto after; -+ } -+ if (fromLim - from < 4) { -+ res = XML_CONVERT_INPUT_INCOMPLETE; -+ goto after; -+ } - n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12) - | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f); - n -= 0x10000; -@@ -377,6 +399,7 @@ utf8_toUtf16(const ENCODING *enc, - after: - *fromP = from; - *toP = to; -+ return res; - } - - #ifdef XML_NS -@@ -425,7 +448,7 @@ static const struct normal_encoding internal_utf8_encoding = { - STANDARD_VTABLE(sb_) NORMAL_VTABLE(utf8_) - }; - --static void PTRCALL -+static enum XML_Convert_Result PTRCALL - latin1_toUtf8(const ENCODING *enc, - const char **fromP, const char *fromLim, - char **toP, const char *toLim) -@@ -433,30 +456,35 @@ latin1_toUtf8(const ENCODING *enc, - for (;;) { - unsigned char c; - if (*fromP == fromLim) -- break; -+ return XML_CONVERT_COMPLETED; - c = (unsigned char)**fromP; - if (c & 0x80) { - if (toLim - *toP < 2) -- break; -+ return XML_CONVERT_OUTPUT_EXHAUSTED; - *(*toP)++ = (char)((c >> 6) | UTF8_cval2); - *(*toP)++ = (char)((c & 0x3f) | 0x80); - (*fromP)++; - } - else { - if (*toP == toLim) -- break; -+ return XML_CONVERT_OUTPUT_EXHAUSTED; - *(*toP)++ = *(*fromP)++; - } - } - } - --static void PTRCALL -+static enum XML_Convert_Result PTRCALL - latin1_toUtf16(const ENCODING *enc, - const char **fromP, const char *fromLim, - unsigned short **toP, const unsigned short *toLim) - { -- while (*fromP != fromLim && *toP != toLim) -+ while (*fromP < fromLim && *toP < toLim) - *(*toP)++ = (unsigned char)*(*fromP)++; -+ -+ if ((*toP == toLim) && (*fromP < fromLim)) -+ return XML_CONVERT_OUTPUT_EXHAUSTED; -+ else -+ return XML_CONVERT_COMPLETED; - } - - #ifdef XML_NS -@@ -483,13 +511,18 @@ static const struct normal_encoding latin1_encoding = { - STANDARD_VTABLE(sb_) - }; - --static void PTRCALL -+static enum XML_Convert_Result PTRCALL - ascii_toUtf8(const ENCODING *enc, - const char **fromP, const char *fromLim, - char **toP, const char *toLim) - { -- while (*fromP != fromLim && *toP != toLim) -+ while (*fromP < fromLim && *toP < toLim) - *(*toP)++ = *(*fromP)++; -+ -+ if ((*toP == toLim) && (*fromP < fromLim)) -+ return XML_CONVERT_OUTPUT_EXHAUSTED; -+ else -+ return XML_CONVERT_COMPLETED; - } - - #ifdef XML_NS -@@ -536,13 +569,14 @@ unicode_byte_type(char hi, char lo) - } - - #define DEFINE_UTF16_TO_UTF8(E) \ --static void PTRCALL \ -+static enum XML_Convert_Result PTRCALL \ - E ## toUtf8(const ENCODING *enc, \ - const char **fromP, const char *fromLim, \ - char **toP, const char *toLim) \ - { \ -- const char *from; \ -- for (from = *fromP; from != fromLim; from += 2) { \ -+ const char *from = *fromP; \ -+ fromLim = from + (((fromLim - from) >> 1) << 1); /* shrink to even */ \ -+ for (; from < fromLim; from += 2) { \ - int plane; \ - unsigned char lo2; \ - unsigned char lo = GET_LO(from); \ -@@ -552,7 +586,7 @@ E ## toUtf8(const ENCODING *enc, \ - if (lo < 0x80) { \ - if (*toP == toLim) { \ - *fromP = from; \ -- return; \ -+ return XML_CONVERT_OUTPUT_EXHAUSTED; \ - } \ - *(*toP)++ = lo; \ - break; \ -@@ -562,7 +596,7 @@ E ## toUtf8(const ENCODING *enc, \ - case 0x4: case 0x5: case 0x6: case 0x7: \ - if (toLim - *toP < 2) { \ - *fromP = from; \ -- return; \ -+ return XML_CONVERT_OUTPUT_EXHAUSTED; \ - } \ - *(*toP)++ = ((lo >> 6) | (hi << 2) | UTF8_cval2); \ - *(*toP)++ = ((lo & 0x3f) | 0x80); \ -@@ -570,7 +604,7 @@ E ## toUtf8(const ENCODING *enc, \ - default: \ - if (toLim - *toP < 3) { \ - *fromP = from; \ -- return; \ -+ return XML_CONVERT_OUTPUT_EXHAUSTED; \ - } \ - /* 16 bits divided 4, 6, 6 amongst 3 bytes */ \ - *(*toP)++ = ((hi >> 4) | UTF8_cval3); \ -@@ -580,7 +614,11 @@ E ## toUtf8(const ENCODING *enc, \ - case 0xD8: case 0xD9: case 0xDA: case 0xDB: \ - if (toLim - *toP < 4) { \ - *fromP = from; \ -- return; \ -+ return XML_CONVERT_OUTPUT_EXHAUSTED; \ -+ } \ -+ if (fromLim - from < 4) { \ -+ *fromP = from; \ -+ return XML_CONVERT_INPUT_INCOMPLETE; \ - } \ - plane = (((hi & 0x3) << 2) | ((lo >> 6) & 0x3)) + 1; \ - *(*toP)++ = ((plane >> 2) | UTF8_cval4); \ -@@ -596,20 +634,32 @@ E ## toUtf8(const ENCODING *enc, \ - } \ - } \ - *fromP = from; \ -+ if (from < fromLim) \ -+ return XML_CONVERT_INPUT_INCOMPLETE; \ -+ else \ -+ return XML_CONVERT_COMPLETED; \ - } - - #define DEFINE_UTF16_TO_UTF16(E) \ --static void PTRCALL \ -+static enum XML_Convert_Result PTRCALL \ - E ## toUtf16(const ENCODING *enc, \ - const char **fromP, const char *fromLim, \ - unsigned short **toP, const unsigned short *toLim) \ - { \ -+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED; \ -+ fromLim = *fromP + (((fromLim - *fromP) >> 1) << 1); /* shrink to even */ \ - /* Avoid copying first half only of surrogate */ \ - if (fromLim - *fromP > ((toLim - *toP) << 1) \ -- && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) \ -+ && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) { \ - fromLim -= 2; \ -- for (; *fromP != fromLim && *toP != toLim; *fromP += 2) \ -+ res = XML_CONVERT_INPUT_INCOMPLETE; \ -+ } \ -+ for (; *fromP < fromLim && *toP < toLim; *fromP += 2) \ - *(*toP)++ = (GET_HI(*fromP) << 8) | GET_LO(*fromP); \ -+ if ((*toP == toLim) && (*fromP < fromLim)) \ -+ return XML_CONVERT_OUTPUT_EXHAUSTED; \ -+ else \ -+ return res; \ - } - - #define SET2(ptr, ch) \ -@@ -1288,7 +1338,7 @@ unknown_isInvalid(const ENCODING *enc, const char *p) - return (c & ~0xFFFF) || checkCharRefNumber(c) < 0; - } - --static void PTRCALL -+static enum XML_Convert_Result PTRCALL - unknown_toUtf8(const ENCODING *enc, - const char **fromP, const char *fromLim, - char **toP, const char *toLim) -@@ -1299,21 +1349,21 @@ unknown_toUtf8(const ENCODING *enc, - const char *utf8; - int n; - if (*fromP == fromLim) -- break; -+ return XML_CONVERT_COMPLETED; - utf8 = uenc->utf8[(unsigned char)**fromP]; - n = *utf8++; - if (n == 0) { - int c = uenc->convert(uenc->userData, *fromP); - n = XmlUtf8Encode(c, buf); - if (n > toLim - *toP) -- break; -+ return XML_CONVERT_OUTPUT_EXHAUSTED; - utf8 = buf; - *fromP += (AS_NORMAL_ENCODING(enc)->type[(unsigned char)**fromP] - - (BT_LEAD2 - 2)); - } - else { - if (n > toLim - *toP) -- break; -+ return XML_CONVERT_OUTPUT_EXHAUSTED; - (*fromP)++; - } - do { -@@ -1322,13 +1372,13 @@ unknown_toUtf8(const ENCODING *enc, - } - } - --static void PTRCALL -+static enum XML_Convert_Result PTRCALL - unknown_toUtf16(const ENCODING *enc, - const char **fromP, const char *fromLim, - unsigned short **toP, const unsigned short *toLim) - { - const struct unknown_encoding *uenc = AS_UNKNOWN_ENCODING(enc); -- while (*fromP != fromLim && *toP != toLim) { -+ while (*fromP < fromLim && *toP < toLim) { - unsigned short c = uenc->utf16[(unsigned char)**fromP]; - if (c == 0) { - c = (unsigned short) -@@ -1340,6 +1390,11 @@ unknown_toUtf16(const ENCODING *enc, - (*fromP)++; - *(*toP)++ = c; - } -+ -+ if ((*toP == toLim) && (*fromP < fromLim)) -+ return XML_CONVERT_OUTPUT_EXHAUSTED; -+ else -+ return XML_CONVERT_COMPLETED; - } - - ENCODING * -@@ -1503,7 +1558,7 @@ initScan(const ENCODING * const *encodingTable, - { - const ENCODING **encPtr; - -- if (ptr == end) -+ if (ptr >= end) - return XML_TOK_NONE; - encPtr = enc->encPtr; - if (ptr + 1 == end) { -diff --git a/lib/xmltok.h b/lib/xmltok.h -index ca867aa..752007e 100644 ---- a/lib/xmltok.h -+++ b/lib/xmltok.h -@@ -130,6 +130,12 @@ typedef int (PTRCALL *SCANNER)(const ENCODING *, - const char *, - const char **); - -+enum XML_Convert_Result { -+ XML_CONVERT_COMPLETED = 0, -+ XML_CONVERT_INPUT_INCOMPLETE = 1, -+ XML_CONVERT_OUTPUT_EXHAUSTED = 2 /* and therefore potentially input remaining as well */ -+}; -+ - struct encoding { - SCANNER scanners[XML_N_STATES]; - SCANNER literalScanners[XML_N_LITERAL_TYPES]; -@@ -158,12 +164,12 @@ struct encoding { - const char *ptr, - const char *end, - const char **badPtr); -- void (PTRCALL *utf8Convert)(const ENCODING *enc, -+ enum XML_Convert_Result (PTRCALL *utf8Convert)(const ENCODING *enc, - const char **fromP, - const char *fromLim, - char **toP, - const char *toLim); -- void (PTRCALL *utf16Convert)(const ENCODING *enc, -+ enum XML_Convert_Result (PTRCALL *utf16Convert)(const ENCODING *enc, - const char **fromP, - const char *fromLim, - unsigned short **toP, -diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c -index 9c2895b..6c5a3ba 100644 ---- a/lib/xmltok_impl.c -+++ b/lib/xmltok_impl.c -@@ -93,13 +93,13 @@ static int PTRCALL - PREFIX(scanComment)(const ENCODING *enc, const char *ptr, - const char *end, const char **nextTokPtr) - { -- if (ptr != end) { -+ if (ptr < end) { - if (!CHAR_MATCHES(enc, ptr, ASCII_MINUS)) { - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } - ptr += MINBPC(enc); -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - INVALID_CASES(ptr, nextTokPtr) - case BT_MINUS: -@@ -147,7 +147,7 @@ PREFIX(scanDecl)(const ENCODING *enc, const char *ptr, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - case BT_PERCNT: - if (ptr + MINBPC(enc) == end) -@@ -233,7 +233,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) - case BT_S: case BT_CR: case BT_LF: -@@ -242,7 +242,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr, - return XML_TOK_INVALID; - } - ptr += MINBPC(enc); -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - INVALID_CASES(ptr, nextTokPtr) - case BT_QUEST: -@@ -305,7 +305,7 @@ static int PTRCALL - PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr, - const char *end, const char **nextTokPtr) - { -- if (ptr == end) -+ if (ptr >= end) - return XML_TOK_NONE; - if (MINBPC(enc) > 1) { - size_t n = end - ptr; -@@ -348,7 +348,7 @@ PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr, - ptr += MINBPC(enc); - break; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - #define LEAD_CASE(n) \ - case BT_LEAD ## n: \ -@@ -391,11 +391,11 @@ PREFIX(scanEndTag)(const ENCODING *enc, const char *ptr, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) - case BT_S: case BT_CR: case BT_LF: -- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { -+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { - switch (BYTE_TYPE(enc, ptr)) { - case BT_S: case BT_CR: case BT_LF: - break; -@@ -432,7 +432,7 @@ static int PTRCALL - PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr, - const char *end, const char **nextTokPtr) - { -- if (ptr != end) { -+ if (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - case BT_DIGIT: - case BT_HEX: -@@ -441,7 +441,7 @@ PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { -+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { - switch (BYTE_TYPE(enc, ptr)) { - case BT_DIGIT: - case BT_HEX: -@@ -464,7 +464,7 @@ static int PTRCALL - PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr, - const char *end, const char **nextTokPtr) - { -- if (ptr != end) { -+ if (ptr < end) { - if (CHAR_MATCHES(enc, ptr, ASCII_x)) - return PREFIX(scanHexCharRef)(enc, ptr + MINBPC(enc), end, nextTokPtr); - switch (BYTE_TYPE(enc, ptr)) { -@@ -474,7 +474,7 @@ PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { -+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { - switch (BYTE_TYPE(enc, ptr)) { - case BT_DIGIT: - break; -@@ -506,7 +506,7 @@ PREFIX(scanRef)(const ENCODING *enc, const char *ptr, const char *end, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) - case BT_SEMI: -@@ -529,7 +529,7 @@ PREFIX(scanAtts)(const ENCODING *enc, const char *ptr, const char *end, - #ifdef XML_NS - int hadColon = 0; - #endif -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) - #ifdef XML_NS -@@ -716,7 +716,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end, - hadColon = 0; - #endif - /* we have a start-tag */ -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) - #ifdef XML_NS -@@ -740,7 +740,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end, - case BT_S: case BT_CR: case BT_LF: - { - ptr += MINBPC(enc); -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NMSTRT_CASES(enc, ptr, end, nextTokPtr) - case BT_GT: -@@ -785,7 +785,7 @@ static int PTRCALL - PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end, - const char **nextTokPtr) - { -- if (ptr == end) -+ if (ptr >= end) - return XML_TOK_NONE; - if (MINBPC(enc) > 1) { - size_t n = end - ptr; -@@ -832,7 +832,7 @@ PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end, - ptr += MINBPC(enc); - break; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - #define LEAD_CASE(n) \ - case BT_LEAD ## n: \ -@@ -895,7 +895,7 @@ PREFIX(scanPercent)(const ENCODING *enc, const char *ptr, const char *end, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) - case BT_SEMI: -@@ -921,7 +921,7 @@ PREFIX(scanPoundName)(const ENCODING *enc, const char *ptr, const char *end, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) - case BT_CR: case BT_LF: case BT_S: -@@ -941,7 +941,7 @@ PREFIX(scanLit)(int open, const ENCODING *enc, - const char *ptr, const char *end, - const char **nextTokPtr) - { -- while (ptr != end) { -+ while (ptr < end) { - int t = BYTE_TYPE(enc, ptr); - switch (t) { - INVALID_CASES(ptr, nextTokPtr) -@@ -973,7 +973,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end, - const char **nextTokPtr) - { - int tok; -- if (ptr == end) -+ if (ptr >= end) - return XML_TOK_NONE; - if (MINBPC(enc) > 1) { - size_t n = end - ptr; -@@ -1141,7 +1141,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end, - *nextTokPtr = ptr; - return XML_TOK_INVALID; - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) - case BT_GT: case BT_RPAR: case BT_COMMA: -@@ -1204,10 +1204,10 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr, - const char *end, const char **nextTokPtr) - { - const char *start; -- if (ptr == end) -+ if (ptr >= end) - return XML_TOK_NONE; - start = ptr; -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - #define LEAD_CASE(n) \ - case BT_LEAD ## n: ptr += n; break; -@@ -1262,10 +1262,10 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr, - const char *end, const char **nextTokPtr) - { - const char *start; -- if (ptr == end) -+ if (ptr >= end) - return XML_TOK_NONE; - start = ptr; -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - #define LEAD_CASE(n) \ - case BT_LEAD ## n: ptr += n; break; -@@ -1326,7 +1326,7 @@ PREFIX(ignoreSectionTok)(const ENCODING *enc, const char *ptr, - end = ptr + n; - } - } -- while (ptr != end) { -+ while (ptr < end) { - switch (BYTE_TYPE(enc, ptr)) { - INVALID_CASES(ptr, nextTokPtr) - case BT_LT: -@@ -1373,7 +1373,7 @@ PREFIX(isPublicId)(const ENCODING *enc, const char *ptr, const char *end, - { - ptr += MINBPC(enc); - end -= MINBPC(enc); -- for (; ptr != end; ptr += MINBPC(enc)) { -+ for (; ptr < end; ptr += MINBPC(enc)) { - switch (BYTE_TYPE(enc, ptr)) { - case BT_DIGIT: - case BT_HEX: -@@ -1760,7 +1760,7 @@ PREFIX(updatePosition)(const ENCODING *enc, - case BT_CR: - pos->lineNumber++; - ptr += MINBPC(enc); -- if (ptr != end && BYTE_TYPE(enc, ptr) == BT_LF) -+ if (ptr < end && BYTE_TYPE(enc, ptr) == BT_LF) - ptr += MINBPC(enc); - pos->columnNumber = (XML_Size)-1; - break; --- -2.8.2 - diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch new file mode 100644 index 0000000000..1f3cb028d4 --- /dev/null +++ b/gnu/packages/patches/flex-CVE-2016-6354.patch @@ -0,0 +1,30 @@ +Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354 +https://security-tracker.debian.org/tracker/CVE-2016-6354 + +Patch copied from upstream source repository: +https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466 + +From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001 +From: Will Estes <westes575@gmail.com> +Date: Sat, 27 Feb 2016 11:56:05 -0500 +Subject: [PATCH] Fixed incorrect integer type + +--- + src/flex.skl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/flex.skl b/src/flex.skl +index 36a526a..64f853d 100644 +--- a/src/flex.skl ++++ b/src/flex.skl +@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer() + + else + { +- yy_size_t num_to_read = ++ int num_to_read = + YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; + + while ( num_to_read <= 0 ) diff --git a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch b/gnu/packages/patches/fontconfig-CVE-2016-5384.patch deleted file mode 100644 index 617d5afbaf..0000000000 --- a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch +++ /dev/null @@ -1,170 +0,0 @@ -Fix CVE-2016-5384 (double-free resulting in arbitrary code execution): - -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5384> - -Copied from upstream code repository: - -<https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940> - -From 7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sat, 25 Jun 2016 19:18:53 +0200 -Subject: Properly validate offsets in cache files. - -The cache files are insufficiently validated. Even though the magic -number at the beginning of the file as well as time stamps are checked, -it is not verified if contained offsets are in legal ranges or are -even pointers. - -The lack of validation allows an attacker to trigger arbitrary free() -calls, which in turn allows double free attacks and therefore arbitrary -code execution. Due to the conversion from offsets into pointers through -macros, this even allows to circumvent ASLR protections. - -This attack vector allows privilege escalation when used with setuid -binaries like fbterm. A user can create ~/.fonts or any other -system-defined user-private font directory, run fc-cache and adjust -cache files in ~/.cache/fontconfig. The execution of setuid binaries will -scan these files and therefore are prone to attacks. - -If it's not about code execution, an endless loop can be created by -letting linked lists become circular linked lists. - -This patch verifies that: - -- The file is not larger than the maximum addressable space, which - basically only affects 32 bit systems. This allows out of boundary - access into unallocated memory. -- Offsets are always positive or zero -- Offsets do not point outside file boundaries -- No pointers are allowed in cache files, every "pointer or offset" - field must be an offset or NULL -- Iterating linked lists must not take longer than the amount of elements - specified. A violation of this rule can break a possible endless loop. - -If one or more of these points are violated, the cache is recreated. -This is current behaviour. - -Even though this patch fixes many issues, the use of mmap() shall be -forbidden in setuid binaries. It is impossible to guarantee with these -checks that a malicious user does not change cache files after -verification. This should be handled in a different patch. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> - -diff --git a/src/fccache.c b/src/fccache.c -index 71e8f03..02ec301 100644 ---- a/src/fccache.c -+++ b/src/fccache.c -@@ -27,6 +27,7 @@ - #include <fcntl.h> - #include <dirent.h> - #include <string.h> -+#include <limits.h> - #include <sys/types.h> - #include <sys/stat.h> - #include <assert.h> -@@ -587,6 +588,82 @@ FcCacheTimeValid (FcConfig *config, FcCache *cache, struct stat *dir_stat) - return cache->checksum == (int) dir_stat->st_mtime && fnano; - } - -+static FcBool -+FcCacheOffsetsValid (FcCache *cache) -+{ -+ char *base = (char *)cache; -+ char *end = base + cache->size; -+ intptr_t *dirs; -+ FcFontSet *fs; -+ int i, j; -+ -+ if (cache->dir < 0 || cache->dir > cache->size - sizeof (intptr_t) || -+ memchr (base + cache->dir, '\0', cache->size - cache->dir) == NULL) -+ return FcFalse; -+ -+ if (cache->dirs < 0 || cache->dirs >= cache->size || -+ cache->dirs_count < 0 || -+ cache->dirs_count > (cache->size - cache->dirs) / sizeof (intptr_t)) -+ return FcFalse; -+ -+ dirs = FcCacheDirs (cache); -+ if (dirs) -+ { -+ for (i = 0; i < cache->dirs_count; i++) -+ { -+ FcChar8 *dir; -+ -+ if (dirs[i] < 0 || -+ dirs[i] > end - (char *) dirs - sizeof (intptr_t)) -+ return FcFalse; -+ -+ dir = FcOffsetToPtr (dirs, dirs[i], FcChar8); -+ if (memchr (dir, '\0', end - (char *) dir) == NULL) -+ return FcFalse; -+ } -+ } -+ -+ if (cache->set < 0 || cache->set > cache->size - sizeof (FcFontSet)) -+ return FcFalse; -+ -+ fs = FcCacheSet (cache); -+ if (fs) -+ { -+ if (fs->nfont > (end - (char *) fs) / sizeof (FcPattern)) -+ return FcFalse; -+ -+ if (fs->fonts != 0 && !FcIsEncodedOffset(fs->fonts)) -+ return FcFalse; -+ -+ for (i = 0; i < fs->nfont; i++) -+ { -+ FcPattern *font = FcFontSetFont (fs, i); -+ FcPatternElt *e; -+ FcValueListPtr l; -+ -+ if ((char *) font < base || -+ (char *) font > end - sizeof (FcFontSet) || -+ font->elts_offset < 0 || -+ font->elts_offset > end - (char *) font || -+ font->num > (end - (char *) font - font->elts_offset) / sizeof (FcPatternElt)) -+ return FcFalse; -+ -+ -+ e = FcPatternElts(font); -+ if (e->values != 0 && !FcIsEncodedOffset(e->values)) -+ return FcFalse; -+ -+ for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l)) -+ if (l->next != NULL && !FcIsEncodedOffset(l->next)) -+ break; -+ if (j < 0) -+ return FcFalse; -+ } -+ } -+ -+ return FcTrue; -+} -+ - /* - * Map a cache file into memory - */ -@@ -596,7 +673,8 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di - FcCache *cache; - FcBool allocated = FcFalse; - -- if (fd_stat->st_size < (int) sizeof (FcCache)) -+ if (fd_stat->st_size > INTPTR_MAX || -+ fd_stat->st_size < (int) sizeof (FcCache)) - return NULL; - cache = FcCacheFindByStat (fd_stat); - if (cache) -@@ -652,6 +730,7 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di - if (cache->magic != FC_CACHE_MAGIC_MMAP || - cache->version < FC_CACHE_VERSION_NUMBER || - cache->size != (intptr_t) fd_stat->st_size || -+ !FcCacheOffsetsValid (cache) || - !FcCacheTimeValid (config, cache, dir_stat) || - !FcCacheInsert (cache, fd_stat)) - { --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/gawk-fts-test.patch b/gnu/packages/patches/gawk-fts-test.patch deleted file mode 100644 index de1f5c431c..0000000000 --- a/gnu/packages/patches/gawk-fts-test.patch +++ /dev/null @@ -1,51 +0,0 @@ -This is upstream commit c9a018c. We have observed random failures of -this test on i686 that seem related to load. - -2015-05-21 Arnold D. Robbins <arnold@skeeve.com> - - * fts.awk: Really remove atime from the output. - This avoids spurious failures on heavily loaded systems. - -diff --git a/test/fts.awk b/test/fts.awk -index b1df060..dea5b68 100644 ---- a/test/fts.awk -+++ b/test/fts.awk -@@ -50,6 +50,11 @@ function sort_traverse(data, sorted, i) - { - asorti(data, sorted) - for (i = 1; i in sorted; i++) { -+ # 5/2015: skip for atime, since there can -+ # occasionally be small differences. -+ if (sorted[i] == "atime") -+ continue -+ - indent() - printf("%s --> %s\n", sorted[i], data[sorted[i]]) > output - } -@@ -63,17 +68,20 @@ function traverse(data, i) - printf("%s:\n", i) > output - - Level++ -- if (("mtime" in data[i]) && ! isarray(data[i][mtime])) { -+ if (("mtime" in data[i]) && ! isarray(data[i]["mtime"])) { - sort_traverse(data[i]) - } else { - traverse(data[i]) - } - Level-- -- } else if (data[i] != "atime") { -- # 4/2015: skip for atime, since there can -- # occasionally be small differences. -- indent() -- printf("%s --> %s\n", i, data[i]) > output -+# } else { -+# JUNK = 1 -+# if (i != "atime") { -+# # 4/2015: skip for atime, since there can -+# # occasionally be small differences. -+# indent() -+# printf("%s --> %s\n", i, data[i]) > output -+# } - } - } - } diff --git a/gnu/packages/patches/gcc-arm-bug-71399.patch b/gnu/packages/patches/gcc-arm-bug-71399.patch new file mode 100644 index 0000000000..6f04fece0e --- /dev/null +++ b/gnu/packages/patches/gcc-arm-bug-71399.patch @@ -0,0 +1,55 @@ +Revert the following commit to work around a bootstrap comparison failure on +ARMv7, as reported at <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71399>. + +commit f6ab85b7049a03962ea98924d00802da357a1ad3 +Author: renlin <renlin@138bc75d-0d04-0410-961f-82ee72b054a4> +Date: Wed Dec 2 14:06:31 2015 +0000 + + [PR67383][ARM][4.9]Backport of "Allow any register for DImode values in Thumb2" + + This partially fix PR67383. It allows the reload more flexibility to choose + spilling pseudo registers. + + + gcc/ChangeLog: + + 2015-12-02 Renlin Li <renlin.li@arm.com> + + Backport from mainline. + 2014-04-22 Ramana Radhakrishnan <ramana.radhakrishnan@arm.com> + + * config/arm/arm.c (arm_hard_regno_mode_ok): Loosen + restrictions on core registers for DImode values in Thumb2. + + + git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-4_9-branch@231177 138bc75d-0d04-0410-961f-82ee72b054a4 + +diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c +index 8ba6060..d9028a1 100644 +--- b/gcc/config/arm/arm.c ++++ a/gcc/config/arm/arm.c +@@ -22624,19 +22624,12 @@ + } + + /* We allow almost any value to be stored in the general registers. +- Restrict doubleword quantities to even register pairs in ARM state +- so that we can use ldrd. Do not allow very large Neon structure +- opaque modes in general registers; they would use too many. */ ++ Restrict doubleword quantities to even register pairs so that we can ++ use ldrd. Do not allow very large Neon structure opaque modes in ++ general registers; they would use too many. */ + if (regno <= LAST_ARM_REGNUM) +- { +- if (ARM_NUM_REGS (mode) > 4) +- return FALSE; +- +- if (TARGET_THUMB2) +- return TRUE; +- +- return !(TARGET_LDRD && GET_MODE_SIZE (mode) > 4 && (regno & 1) != 0); +- } ++ return !(TARGET_LDRD && GET_MODE_SIZE (mode) > 4 && (regno & 1) != 0) ++ && ARM_NUM_REGS (mode) <= 4; + + if (regno == FRAME_POINTER_REGNUM + || regno == ARG_POINTER_REGNUM) diff --git a/gnu/packages/patches/guile-relocatable.patch b/gnu/packages/patches/guile-relocatable.patch index 077394cdde..2431495f24 100644 --- a/gnu/packages/patches/guile-relocatable.patch +++ b/gnu/packages/patches/guile-relocatable.patch @@ -1,8 +1,6 @@ This patch changes Guile to use a default search path relative to the location of the `guile' binary, allowing it to be relocated. -diff --git a/libguile/load.c b/libguile/load.c -index af2ca45..19dd338 100644 --- a/libguile/load.c +++ b/libguile/load.c @@ -26,6 +26,7 @@ @@ -12,8 +10,8 @@ index af2ca45..19dd338 100644 +#include <libgen.h> #include "libguile/_scm.h" - #include "libguile/private-gc.h" /* scm_getenv_int */ -@@ -255,6 +256,32 @@ scm_init_load_path () + #include "libguile/alist.h" +@@ -325,6 +326,32 @@ SCM cpath = SCM_EOL; #ifdef SCM_LIBRARY_DIR @@ -43,10 +41,10 @@ index af2ca45..19dd338 100644 + strcpy (ccache_dir, prefix); + strcat (ccache_dir, "/lib/guile/2.0/ccache"); + - env = getenv ("GUILE_SYSTEM_PATH"); + env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_PATH")); if (env && strcmp (env, "") == 0) /* special-case interpret system-path=="" as meaning no system path instead -@@ -263,10 +290,7 @@ scm_init_load_path () +@@ -333,10 +360,7 @@ else if (env) path = scm_parse_path (scm_from_locale_string (env), path); else @@ -56,9 +54,9 @@ index af2ca45..19dd338 100644 - scm_from_locale_string (SCM_PKGDATA_DIR)); + path = scm_list_1 (scm_from_locale_string (module_dir)); - env = getenv ("GUILE_SYSTEM_COMPILED_PATH"); + env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_COMPILED_PATH")); if (env && strcmp (env, "") == 0) -@@ -276,8 +300,7 @@ scm_init_load_path () +@@ -346,8 +370,7 @@ cpath = scm_parse_path (scm_from_locale_string (env), cpath); else { diff --git a/gnu/packages/patches/isl-0.11.1-aarch64-support.patch b/gnu/packages/patches/isl-0.11.1-aarch64-support.patch new file mode 100644 index 0000000000..c5607fc80d --- /dev/null +++ b/gnu/packages/patches/isl-0.11.1-aarch64-support.patch @@ -0,0 +1,40 @@ +Add aarch64 support to config.guess and config.sub, as would be found if using +a more recent version of autoconf. +--- + config.guess | 7 +++++++ + config.sub | 1 + + 2 files changed, 8 insertions(+) + +diff --git a/config.guess b/config.guess +index 40eaed4..baad294 100755 +--- a/config.guess ++++ b/config.guess +@@ -861,6 +861,13 @@ EOF + i*86:Minix:*:*) + echo ${UNAME_MACHINE}-pc-minix + exit ;; ++ aarch64:Linux:*:*) ++ echo ${UNAME_MACHINE}-unknown-linux-gnu ++ exit ;; ++ aarch64_be:Linux:*:*) ++ UNAME_MACHINE=aarch64_be ++ echo ${UNAME_MACHINE}-unknown-linux-gnu ++ exit ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + EV5) UNAME_MACHINE=alphaev5 ;; +diff --git a/config.sub b/config.sub +index 30fdca8..8f5b018 100755 +--- a/config.sub ++++ b/config.sub +@@ -247,6 +247,7 @@ case $basic_machine in + # Some are omitted here because they have special meanings below. + 1750a | 580 \ + | a29k \ ++ | aarch64 | aarch64_be \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ + | am33_2.0 \ +-- +2.9.0 + diff --git a/gnu/packages/patches/libx11-CVE-2016-7942.patch b/gnu/packages/patches/libx11-CVE-2016-7942.patch deleted file mode 100644 index 75770235ef..0000000000 --- a/gnu/packages/patches/libx11-CVE-2016-7942.patch +++ /dev/null @@ -1,76 +0,0 @@ -Fix CVE-2016-7942: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17 - -From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 21:25:25 +0200 -Subject: [PATCH] Validation of server responses in XGetImage() - -Check if enough bytes were received for specified image type and -geometry. Otherwise GetPixel and other functions could trigger an -out of boundary read later on. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/GetImage.c | 29 ++++++++++++++++++++--------- - 1 file changed, 20 insertions(+), 9 deletions(-) - -diff --git a/src/GetImage.c b/src/GetImage.c -index c461abc..ff32d58 100644 ---- a/src/GetImage.c -+++ b/src/GetImage.c -@@ -59,6 +59,7 @@ XImage *XGetImage ( - char *data; - unsigned long nbytes; - XImage *image; -+ int planes; - LockDisplay(dpy); - GetReq (GetImage, req); - /* -@@ -91,18 +92,28 @@ XImage *XGetImage ( - return (XImage *) NULL; - } - _XReadPad (dpy, data, nbytes); -- if (format == XYPixmap) -- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), -- Ones (plane_mask & -- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), -- format, 0, data, width, height, dpy->bitmap_pad, 0); -- else /* format == ZPixmap */ -- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), -- rep.depth, ZPixmap, 0, data, width, height, -- _XGetScanlinePad(dpy, (int) rep.depth), 0); -+ if (format == XYPixmap) { -+ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), -+ Ones (plane_mask & -+ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), -+ format, 0, data, width, height, dpy->bitmap_pad, 0); -+ planes = image->depth; -+ } else { /* format == ZPixmap */ -+ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), -+ rep.depth, ZPixmap, 0, data, width, height, -+ _XGetScanlinePad(dpy, (int) rep.depth), 0); -+ planes = 1; -+ } - - if (!image) - Xfree(data); -+ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 || -+ INT_MAX / image->height <= image->bytes_per_line || -+ INT_MAX / planes <= image->height * image->bytes_per_line || -+ nbytes < planes * image->height * image->bytes_per_line) { -+ XDestroyImage(image); -+ image = NULL; -+ } - UnlockDisplay(dpy); - SyncHandle(); - return (image); --- -2.10.1 - diff --git a/gnu/packages/patches/libx11-CVE-2016-7943.patch b/gnu/packages/patches/libx11-CVE-2016-7943.patch deleted file mode 100644 index 7bcbc58dd4..0000000000 --- a/gnu/packages/patches/libx11-CVE-2016-7943.patch +++ /dev/null @@ -1,113 +0,0 @@ -Fix CVE-2016-7943: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943. - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9 - -From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 21:22:57 +0200 -Subject: [PATCH] The validation of server responses avoids out of boundary - accesses. - -v2: FontNames.c return a NULL list whenever a single -length field from the server is incohent. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/FontNames.c | 23 +++++++++++++++++------ - src/ListExt.c | 12 ++++++++---- - src/ModMap.c | 3 ++- - 3 files changed, 27 insertions(+), 11 deletions(-) - -diff --git a/src/FontNames.c b/src/FontNames.c -index 21dcafe..e55f338 100644 ---- a/src/FontNames.c -+++ b/src/FontNames.c -@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */ - - if (rep.nFonts) { - flist = Xmalloc (rep.nFonts * sizeof(char *)); -- if (rep.length < (INT_MAX >> 2)) { -+ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { - rlen = rep.length << 2; - ch = Xmalloc(rlen + 1); - /* +1 to leave room for last null-terminator */ -@@ -93,11 +93,22 @@ int *actualCount) /* RETURN */ - if (ch + length < chend) { - flist[i] = ch + 1; /* skip over length */ - ch += length + 1; /* find next length ... */ -- length = *(unsigned char *)ch; -- *ch = '\0'; /* and replace with null-termination */ -- count++; -- } else -- flist[i] = NULL; -+ if (ch <= chend) { -+ length = *(unsigned char *)ch; -+ *ch = '\0'; /* and replace with null-termination */ -+ count++; -+ } else { -+ Xfree(flist); -+ flist = NULL; -+ count = 0; -+ break; -+ } -+ } else { -+ Xfree(flist); -+ flist = NULL; -+ count = 0; -+ break; -+ } - } - } - *actualCount = count; -diff --git a/src/ListExt.c b/src/ListExt.c -index be6b989..0516e45 100644 ---- a/src/ListExt.c -+++ b/src/ListExt.c -@@ -55,7 +55,7 @@ char **XListExtensions( - - if (rep.nExtensions) { - list = Xmalloc (rep.nExtensions * sizeof (char *)); -- if (rep.length < (INT_MAX >> 2)) { -+ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { - rlen = rep.length << 2; - ch = Xmalloc (rlen + 1); - /* +1 to leave room for last null-terminator */ -@@ -80,9 +80,13 @@ char **XListExtensions( - if (ch + length < chend) { - list[i] = ch+1; /* skip over length */ - ch += length + 1; /* find next length ... */ -- length = *ch; -- *ch = '\0'; /* and replace with null-termination */ -- count++; -+ if (ch <= chend) { -+ length = *ch; -+ *ch = '\0'; /* and replace with null-termination */ -+ count++; -+ } else { -+ list[i] = NULL; -+ } - } else - list[i] = NULL; - } -diff --git a/src/ModMap.c b/src/ModMap.c -index a809aa2..49a5d08 100644 ---- a/src/ModMap.c -+++ b/src/ModMap.c -@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy) - GetEmptyReq(GetModifierMapping, req); - (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); - -- if (rep.length < (INT_MAX >> 2)) { -+ if (rep.length < (INT_MAX >> 2) && -+ (rep.length >> 1) == rep.numKeyPerModifier) { - nbytes = (unsigned long)rep.length << 2; - res = Xmalloc(sizeof (XModifierKeymap)); - if (res) --- -2.10.1 - diff --git a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch b/gnu/packages/patches/libxfixes-CVE-2016-7944.patch deleted file mode 100644 index 2ce463fc46..0000000000 --- a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch +++ /dev/null @@ -1,62 +0,0 @@ -Fix CVE-2016-7944: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e - -From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 22:38:44 +0200 -Subject: [PATCH] Integer overflow on illegal server response - -The 32 bit field "rep.length" is not checked for validity, which allows -an integer overflow on 32 bit systems. - -A malicious server could send INT_MAX as length, which gets multiplied -by the size of XRectangle. In that case the client won't read the whole -data from server, getting out of sync. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/Region.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/src/Region.c b/src/Region.c -index cb0cf6e..59bcc1a 100644 ---- a/src/Region.c -+++ b/src/Region.c -@@ -23,6 +23,7 @@ - #ifdef HAVE_CONFIG_H - #include <config.h> - #endif -+#include <limits.h> - #include "Xfixesint.h" - - XserverRegion -@@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display *dpy, - bounds->y = rep.y; - bounds->width = rep.width; - bounds->height = rep.height; -- nbytes = (long) rep.length << 2; -- nrects = rep.length >> 1; -- rects = Xmalloc (nrects * sizeof (XRectangle)); -+ -+ if (rep.length < (INT_MAX >> 2)) { -+ nbytes = (long) rep.length << 2; -+ nrects = rep.length >> 1; -+ rects = Xmalloc (nrects * sizeof (XRectangle)); -+ } else { -+ nbytes = 0; -+ nrects = 0; -+ rects = NULL; -+ } -+ - if (!rects) - { - _XEatDataWords(dpy, rep.length); --- -2.10.1 - diff --git a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch b/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch deleted file mode 100644 index ca899e34c0..0000000000 --- a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch +++ /dev/null @@ -1,420 +0,0 @@ -Fix CVE-2016-7945: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7945 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5 - -From 19a9cd607de73947fcfb104682f203ffe4e1f4e5 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 22:31:34 +0200 -Subject: [PATCH] Properly validate server responses. - -By validating length fields from server responses, out of boundary -accesses and endless loops can be mitigated. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/XGMotion.c | 3 ++- - src/XGetBMap.c | 3 ++- - src/XGetDCtl.c | 6 ++++-- - src/XGetFCtl.c | 7 ++++++- - src/XGetKMap.c | 14 +++++++++++--- - src/XGetMMap.c | 11 +++++++++-- - src/XIQueryDevice.c | 36 ++++++++++++++++++++++++++++++++++-- - src/XListDev.c | 21 +++++++++++++++------ - src/XOpenDev.c | 13 ++++++++++--- - src/XQueryDv.c | 8 ++++++-- - 10 files changed, 99 insertions(+), 23 deletions(-) - -diff --git a/src/XGMotion.c b/src/XGMotion.c -index 7785843..9433e29 100644 ---- a/src/XGMotion.c -+++ b/src/XGMotion.c -@@ -114,7 +114,8 @@ XGetDeviceMotionEvents( - } - /* rep.axes is a CARD8, so assume max number of axes for bounds check */ - if (rep.nEvents < -- (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) { -+ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) && -+ rep.nEvents * (rep.axes + 1) <= rep.length) { - size_t bsize = rep.nEvents * - (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); - bufp = Xmalloc(bsize); -diff --git a/src/XGetBMap.c b/src/XGetBMap.c -index 002daba..13bb8c6 100644 ---- a/src/XGetBMap.c -+++ b/src/XGetBMap.c -@@ -92,7 +92,8 @@ XGetDeviceButtonMapping( - - status = _XReply(dpy, (xReply *) & rep, 0, xFalse); - if (status == 1) { -- if (rep.length <= (sizeof(mapping) >> 2)) { -+ if (rep.length <= (sizeof(mapping) >> 2) && -+ rep.nElts <= (rep.length << 2)) { - unsigned long nbytes = rep.length << 2; - _XRead(dpy, (char *)mapping, nbytes); - -diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c -index c5d3b53..7f6b396 100644 ---- a/src/XGetDCtl.c -+++ b/src/XGetDCtl.c -@@ -93,7 +93,8 @@ XGetDeviceControl( - if (rep.length > 0) { - unsigned long nbytes; - size_t size = 0; -- if (rep.length < (INT_MAX >> 2)) { -+ if (rep.length < (INT_MAX >> 2) && -+ (rep.length << 2) >= sizeof(xDeviceState)) { - nbytes = (unsigned long) rep.length << 2; - d = Xmalloc(nbytes); - } -@@ -117,7 +118,8 @@ XGetDeviceControl( - size_t val_size; - - r = (xDeviceResolutionState *) d; -- if (r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) -+ if (sizeof(xDeviceResolutionState) > nbytes || -+ r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) - goto out; - val_size = 3 * sizeof(int) * r->num_valuators; - if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) -diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c -index 7fd6d0e..82dcc64 100644 ---- a/src/XGetFCtl.c -+++ b/src/XGetFCtl.c -@@ -73,6 +73,7 @@ XGetFeedbackControl( - XFeedbackState *Sav = NULL; - xFeedbackState *f = NULL; - xFeedbackState *sav = NULL; -+ char *end = NULL; - xGetFeedbackControlReq *req; - xGetFeedbackControlReply rep; - XExtDisplayInfo *info = XInput_find_display(dpy); -@@ -105,10 +106,12 @@ XGetFeedbackControl( - goto out; - } - sav = f; -+ end = (char *)f + nbytes; - _XRead(dpy, (char *)f, nbytes); - - for (i = 0; i < *num_feedbacks; i++) { -- if (f->length > nbytes) -+ if ((char *)f + sizeof(*f) > end || -+ f->length == 0 || f->length > nbytes) - goto out; - nbytes -= f->length; - -@@ -125,6 +128,8 @@ XGetFeedbackControl( - case StringFeedbackClass: - { - xStringFeedbackState *strf = (xStringFeedbackState *) f; -+ if ((char *)f + sizeof(*strf) > end) -+ goto out; - size += sizeof(XStringFeedbackState) + - (strf->num_syms_supported * sizeof(KeySym)); - } -diff --git a/src/XGetKMap.c b/src/XGetKMap.c -index 0540ce4..008a72b 100644 ---- a/src/XGetKMap.c -+++ b/src/XGetKMap.c -@@ -54,6 +54,7 @@ SOFTWARE. - #include <config.h> - #endif - -+#include <limits.h> - #include <X11/extensions/XI.h> - #include <X11/extensions/XIproto.h> - #include <X11/Xlibint.h> -@@ -93,9 +94,16 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev, - return (KeySym *) NULL; - } - if (rep.length > 0) { -- *syms_per_code = rep.keySymsPerKeyCode; -- nbytes = (long)rep.length << 2; -- mapping = (KeySym *) Xmalloc((unsigned)nbytes); -+ if (rep.length < INT_MAX >> 2 && -+ rep.length == rep.keySymsPerKeyCode * keycount) { -+ *syms_per_code = rep.keySymsPerKeyCode; -+ nbytes = (long)rep.length << 2; -+ mapping = (KeySym *) Xmalloc((unsigned)nbytes); -+ } else { -+ *syms_per_code = 0; -+ nbytes = 0; -+ mapping = NULL; -+ } - if (mapping) - _XRead(dpy, (char *)mapping, nbytes); - else -diff --git a/src/XGetMMap.c b/src/XGetMMap.c -index 246698c..33c114f 100644 ---- a/src/XGetMMap.c -+++ b/src/XGetMMap.c -@@ -53,6 +53,7 @@ SOFTWARE. - #include <config.h> - #endif - -+#include <limits.h> - #include <X11/extensions/XI.h> - #include <X11/extensions/XIproto.h> - #include <X11/Xlibint.h> -@@ -85,8 +86,14 @@ XGetDeviceModifierMapping( - SyncHandle(); - return (XModifierKeymap *) NULL; - } -- nbytes = (unsigned long)rep.length << 2; -- res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap)); -+ if (rep.length < (INT_MAX >> 2) && -+ rep.numKeyPerModifier == rep.length >> 1) { -+ nbytes = (unsigned long)rep.length << 2; -+ res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap)); -+ } else { -+ nbytes = 0; -+ res = NULL; -+ } - if (res) { - res->modifiermap = (KeyCode *) Xmalloc(nbytes); - if (res->modifiermap) -diff --git a/src/XIQueryDevice.c b/src/XIQueryDevice.c -index fb8504f..a457cd6 100644 ---- a/src/XIQueryDevice.c -+++ b/src/XIQueryDevice.c -@@ -26,6 +26,7 @@ - #include <config.h> - #endif - -+#include <limits.h> - #include <stdint.h> - #include <X11/Xlibint.h> - #include <X11/extensions/XI2proto.h> -@@ -43,6 +44,7 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return) - xXIQueryDeviceReq *req; - xXIQueryDeviceReply reply; - char *ptr; -+ char *end; - int i; - char *buf; - -@@ -60,14 +62,24 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return) - if (!_XReply(dpy, (xReply*) &reply, 0, xFalse)) - goto error; - -- *ndevices_return = reply.num_devices; -- info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo)); -+ if (reply.length < INT_MAX / 4) -+ { -+ *ndevices_return = reply.num_devices; -+ info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo)); -+ } -+ else -+ { -+ *ndevices_return = 0; -+ info = NULL; -+ } -+ - if (!info) - goto error; - - buf = Xmalloc(reply.length * 4); - _XRead(dpy, buf, reply.length * 4); - ptr = buf; -+ end = buf + reply.length * 4; - - /* info is a null-terminated array */ - info[reply.num_devices].name = NULL; -@@ -79,6 +91,9 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return) - XIDeviceInfo *lib = &info[i]; - xXIDeviceInfo *wire = (xXIDeviceInfo*)ptr; - -+ if (ptr + sizeof(xXIDeviceInfo) > end) -+ goto error_loop; -+ - lib->deviceid = wire->deviceid; - lib->use = wire->use; - lib->attachment = wire->attachment; -@@ -87,12 +102,23 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return) - - ptr += sizeof(xXIDeviceInfo); - -+ if (ptr + wire->name_len > end) -+ goto error_loop; -+ - lib->name = Xcalloc(wire->name_len + 1, 1); -+ if (lib->name == NULL) -+ goto error_loop; - strncpy(lib->name, ptr, wire->name_len); -+ lib->name[wire->name_len] = '\0'; - ptr += ((wire->name_len + 3)/4) * 4; - - sz = size_classes((xXIAnyInfo*)ptr, nclasses); - lib->classes = Xmalloc(sz); -+ if (lib->classes == NULL) -+ { -+ Xfree(lib->name); -+ goto error_loop; -+ } - ptr += copy_classes(lib, (xXIAnyInfo*)ptr, &nclasses); - /* We skip over unused classes */ - lib->num_classes = nclasses; -@@ -103,6 +129,12 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return) - SyncHandle(); - return info; - -+error_loop: -+ while (--i >= 0) -+ { -+ Xfree(info[i].name); -+ Xfree(info[i].classes); -+ } - error: - UnlockDisplay(dpy); - error_unlocked: -diff --git a/src/XListDev.c b/src/XListDev.c -index b85ff3c..f850cd0 100644 ---- a/src/XListDev.c -+++ b/src/XListDev.c -@@ -74,7 +74,7 @@ static int pad_to_xid(int base_size) - } - - static size_t --SizeClassInfo(xAnyClassPtr *any, int num_classes) -+SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes) - { - int size = 0; - int j; -@@ -90,6 +90,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes) - { - xValuatorInfoPtr v; - -+ if (len < sizeof(v)) -+ return 0; - v = (xValuatorInfoPtr) *any; - size += pad_to_xid(sizeof(XValuatorInfo) + - (v->num_axes * sizeof(XAxisInfo))); -@@ -98,6 +100,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes) - default: - break; - } -+ if ((*any)->length > len) -+ return 0; - *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length); - } - -@@ -170,7 +174,7 @@ XListInputDevices( - register Display *dpy, - int *ndevices) - { -- size_t size; -+ size_t s, size; - xListInputDevicesReq *req; - xListInputDevicesReply rep; - xDeviceInfo *list, *slist = NULL; -@@ -178,6 +182,7 @@ XListInputDevices( - XDeviceInfo *clist = NULL; - xAnyClassPtr any, sav_any; - XAnyClassPtr Any; -+ char *end = NULL; - unsigned char *nptr, *Nptr; - int i; - unsigned long rlen; -@@ -213,16 +218,20 @@ XListInputDevices( - - any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo))); - sav_any = any; -+ end = (char *)list + rlen; - for (i = 0; i < *ndevices; i++, list++) { -- size += SizeClassInfo(&any, (int)list->num_classes); -+ s = SizeClassInfo(&any, end - (char *)any, (int)list->num_classes); -+ if (!s) -+ goto out; -+ size += s; - } - -- Nptr = ((unsigned char *)list) + rlen + 1; -+ Nptr = ((unsigned char *)list) + rlen; - for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) { -+ if (nptr >= Nptr) -+ goto out; - size += *nptr + 1; - nptr += (*nptr + 1); -- if (nptr > Nptr) -- goto out; - } - - clist = (XDeviceInfoPtr) Xmalloc(size); -diff --git a/src/XOpenDev.c b/src/XOpenDev.c -index 029dec2..4b3c460 100644 ---- a/src/XOpenDev.c -+++ b/src/XOpenDev.c -@@ -53,6 +53,7 @@ SOFTWARE. - #include <config.h> - #endif - -+#include <limits.h> - #include <X11/extensions/XI.h> - #include <X11/extensions/XIproto.h> - #include <X11/Xlibint.h> -@@ -86,9 +87,15 @@ XOpenDevice( - return (XDevice *) NULL; - } - -- rlen = rep.length << 2; -- dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes * -- sizeof(XInputClassInfo)); -+ if (rep.length < INT_MAX >> 2 && -+ (rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) { -+ rlen = rep.length << 2; -+ dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes * -+ sizeof(XInputClassInfo)); -+ } else { -+ rlen = 0; -+ dev = NULL; -+ } - if (dev) { - int dlen; /* data length */ - -diff --git a/src/XQueryDv.c b/src/XQueryDv.c -index de1c0e5..7ee2272 100644 ---- a/src/XQueryDv.c -+++ b/src/XQueryDv.c -@@ -73,7 +73,7 @@ XQueryDeviceState( - xQueryDeviceStateReply rep; - XDeviceState *state = NULL; - XInputClass *any, *Any; -- char *data = NULL; -+ char *data = NULL, *end = NULL; - XExtDisplayInfo *info = XInput_find_display(dpy); - - LockDisplay(dpy); -@@ -92,6 +92,7 @@ XQueryDeviceState( - if (rep.length < (INT_MAX >> 2)) { - rlen = (unsigned long) rep.length << 2; - data = Xmalloc(rlen); -+ end = data + rlen; - } - if (!data) { - _XEatDataWords(dpy, rep.length); -@@ -100,7 +101,8 @@ XQueryDeviceState( - _XRead(dpy, data, rlen); - - for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) { -- if (any->length > rlen) -+ if ((char *)any + sizeof(XInputClass) > end || -+ any->length == 0 || any->length > rlen) - goto out; - rlen -= any->length; - -@@ -114,6 +116,8 @@ XQueryDeviceState( - case ValuatorClass: - { - xValuatorState *v = (xValuatorState *) any; -+ if ((char *)any + sizeof(xValuatorState) > end) -+ goto out; - size += (sizeof(XValuatorState) + - (v->num_valuators * sizeof(int))); - } --- -2.10.1 - diff --git a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch b/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch deleted file mode 100644 index ece8b18309..0000000000 --- a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch +++ /dev/null @@ -1,447 +0,0 @@ -Fix CVE-2016-7947 and CVE-2016-7948. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6 - -From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 22:21:40 +0200 -Subject: [PATCH] Avoid out of boundary accesses on illegal responses - -The responses of the connected X server have to be properly checked -to avoid out of boundary accesses that could otherwise be triggered -by a malicious server. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/XrrConfig.c | 32 +++++++++++++-------- - src/XrrCrtc.c | 83 ++++++++++++++++++++++++++++++++++++++++++------------- - src/XrrMonitor.c | 18 ++++++++++++ - src/XrrOutput.c | 11 ++++++++ - src/XrrProvider.c | 28 ++++++++++++++++--- - src/XrrScreen.c | 52 ++++++++++++++++++++++------------ - 6 files changed, 172 insertions(+), 52 deletions(-) - -diff --git a/src/XrrConfig.c b/src/XrrConfig.c -index 2f0282b..e68c45a 100644 ---- a/src/XrrConfig.c -+++ b/src/XrrConfig.c -@@ -29,6 +29,7 @@ - #include <config.h> - #endif - -+#include <limits.h> - #include <stdio.h> - #include <X11/Xlib.h> - /* we need to be able to manipulate the Display structure on events */ -@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy, - rep.rate = 0; - rep.nrateEnts = 0; - } -+ if (rep.length < INT_MAX >> 2) { -+ nbytes = (long) rep.length << 2; - -- nbytes = (long) rep.length << 2; -+ nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + -+ ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */); - -- nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + -- ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */); -+ /* -+ * first we must compute how much space to allocate for -+ * randr library's use; we'll allocate the structures in a single -+ * allocation, on cleanlyness grounds. -+ */ - -- /* -- * first we must compute how much space to allocate for -- * randr library's use; we'll allocate the structures in a single -- * allocation, on cleanlyness grounds. -- */ -+ rbytes = sizeof (XRRScreenConfiguration) + -+ (rep.nSizes * sizeof (XRRScreenSize) + -+ rep.nrateEnts * sizeof (int)); - -- rbytes = sizeof (XRRScreenConfiguration) + -- (rep.nSizes * sizeof (XRRScreenSize) + -- rep.nrateEnts * sizeof (int)); -+ scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); -+ } else { -+ nbytes = 0; -+ nbytesRead = 0; -+ rbytes = 0; -+ scp = NULL; -+ } - -- scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); - if (scp == NULL) { - _XEatData (dpy, (unsigned long) nbytes); - return NULL; -diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c -index 5ae35c5..6665092 100644 ---- a/src/XrrCrtc.c -+++ b/src/XrrCrtc.c -@@ -24,6 +24,7 @@ - #include <config.h> - #endif - -+#include <limits.h> - #include <stdio.h> - #include <X11/Xlib.h> - /* we need to be able to manipulate the Display structure on events */ -@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc) - return NULL; - } - -- nbytes = (long) rep.length << 2; -+ if (rep.length < INT_MAX >> 2) -+ { -+ nbytes = (long) rep.length << 2; - -- nbytesRead = (long) (rep.nOutput * 4 + -- rep.nPossibleOutput * 4); -+ nbytesRead = (long) (rep.nOutput * 4 + -+ rep.nPossibleOutput * 4); - -- /* -- * first we must compute how much space to allocate for -- * randr library's use; we'll allocate the structures in a single -- * allocation, on cleanlyness grounds. -- */ -+ /* -+ * first we must compute how much space to allocate for -+ * randr library's use; we'll allocate the structures in a single -+ * allocation, on cleanlyness grounds. -+ */ - -- rbytes = (sizeof (XRRCrtcInfo) + -- rep.nOutput * sizeof (RROutput) + -- rep.nPossibleOutput * sizeof (RROutput)); -+ rbytes = (sizeof (XRRCrtcInfo) + -+ rep.nOutput * sizeof (RROutput) + -+ rep.nPossibleOutput * sizeof (RROutput)); -+ -+ xci = (XRRCrtcInfo *) Xmalloc(rbytes); -+ } -+ else -+ { -+ nbytes = 0; -+ nbytesRead = 0; -+ rbytes = 0; -+ xci = NULL; -+ } - -- xci = (XRRCrtcInfo *) Xmalloc(rbytes); - if (xci == NULL) { - _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); -@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc) - if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) - goto out; - -- nbytes = (long) rep.length << 2; -+ if (rep.length < INT_MAX >> 2) -+ { -+ nbytes = (long) rep.length << 2; - -- /* three channels of CARD16 data */ -- nbytesRead = (rep.size * 2 * 3); -+ /* three channels of CARD16 data */ -+ nbytesRead = (rep.size * 2 * 3); - -- crtc_gamma = XRRAllocGamma (rep.size); -+ crtc_gamma = XRRAllocGamma (rep.size); -+ } -+ else -+ { -+ nbytes = 0; -+ nbytesRead = 0; -+ crtc_gamma = NULL; -+ } - - if (!crtc_gamma) - { -@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy, - xRRGetCrtcTransformReq *req; - int major_version, minor_version; - XRRCrtcTransformAttributes *attr; -- char *extra = NULL, *e; -+ char *extra = NULL, *end = NULL, *e; - int p; - - *attributes = NULL; -@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy, - else - { - int extraBytes = rep.length * 4 - CrtcTransformExtra; -- extra = Xmalloc (extraBytes); -+ if (rep.length < INT_MAX / 4 && -+ rep.length * 4 >= CrtcTransformExtra) { -+ extra = Xmalloc (extraBytes); -+ end = extra + extraBytes; -+ } else -+ extra = NULL; - if (!extra) { -- _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); -+ if (rep.length > (CrtcTransformExtra >> 2)) -+ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); -+ else -+ _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); - SyncHandle (); - return False; -@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display *dpy, - - e = extra; - -+ if (e + rep.pendingNbytesFilter > end) { -+ XFree (extra); -+ return False; -+ } - memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter); - attr->pendingFilter[rep.pendingNbytesFilter] = '\0'; - e += (rep.pendingNbytesFilter + 3) & ~3; - for (p = 0; p < rep.pendingNparamsFilter; p++) { - INT32 f; -+ if (e + 4 > end) { -+ XFree (extra); -+ return False; -+ } - memcpy (&f, e, 4); - e += 4; - attr->pendingParams[p] = (XFixed) f; - } - attr->pendingNparams = rep.pendingNparamsFilter; - -+ if (e + rep.currentNbytesFilter > end) { -+ XFree (extra); -+ return False; -+ } - memcpy (attr->currentFilter, e, rep.currentNbytesFilter); - attr->currentFilter[rep.currentNbytesFilter] = '\0'; - e += (rep.currentNbytesFilter + 3) & ~3; - for (p = 0; p < rep.currentNparamsFilter; p++) { - INT32 f; -+ if (e + 4 > end) { -+ XFree (extra); -+ return False; -+ } - memcpy (&f, e, 4); - e += 4; - attr->currentParams[p] = (XFixed) f; -diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c -index a9eaa7b..adc5330 100644 ---- a/src/XrrMonitor.c -+++ b/src/XrrMonitor.c -@@ -24,6 +24,7 @@ - #include <config.h> - #endif - -+#include <limits.h> - #include <stdio.h> - #include <X11/Xlib.h> - /* we need to be able to manipulate the Display structure on events */ -@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors) - return NULL; - } - -+ if (rep.length > INT_MAX >> 2 || -+ rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) || -+ rep.noutputs > INT_MAX / 4 || -+ rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) { -+ _XEatData (dpy, rep.length); -+ UnlockDisplay (dpy); -+ SyncHandle (); -+ return NULL; -+ } - nbytes = (long) rep.length << 2; - nmon = rep.nmonitors; - noutput = rep.noutputs; -@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors) - mon[m].outputs = output; - buf += SIZEOF (xRRMonitorInfo); - xoutput = (CARD32 *) buf; -+ if (xmon->noutput > rep.noutputs) { -+ Xfree(buf); -+ Xfree(mon); -+ UnlockDisplay (dpy); -+ SyncHandle (); -+ return NULL; -+ } -+ rep.noutputs -= xmon->noutput; - for (o = 0; o < xmon->noutput; o++) - output[o] = xoutput[o]; - output += xmon->noutput; -diff --git a/src/XrrOutput.c b/src/XrrOutput.c -index 85f0b6e..30f3d40 100644 ---- a/src/XrrOutput.c -+++ b/src/XrrOutput.c -@@ -25,6 +25,7 @@ - #include <config.h> - #endif - -+#include <limits.h> - #include <stdio.h> - #include <X11/Xlib.h> - /* we need to be able to manipulate the Display structure on events */ -@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output) - return NULL; - } - -+ if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2)) -+ { -+ if (rep.length > (OutputInfoExtra >> 2)) -+ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2)); -+ else -+ _XEatDataWords (dpy, rep.length); -+ UnlockDisplay (dpy); -+ SyncHandle (); -+ return NULL; -+ } - nbytes = ((long) (rep.length) << 2) - OutputInfoExtra; - - nbytesRead = (long) (rep.nCrtcs * 4 + -diff --git a/src/XrrProvider.c b/src/XrrProvider.c -index 9e620c7..d796cd0 100644 ---- a/src/XrrProvider.c -+++ b/src/XrrProvider.c -@@ -25,6 +25,7 @@ - #include <config.h> - #endif - -+#include <limits.h> - #include <stdio.h> - #include <X11/Xlib.h> - /* we need to be able to manipulate the Display structure on events */ -@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window) - return NULL; - } - -- nbytes = (long) rep.length << 2; -+ if (rep.length < INT_MAX >> 2) { -+ nbytes = (long) rep.length << 2; - -- nbytesRead = (long) (rep.nProviders * 4); -+ nbytesRead = (long) (rep.nProviders * 4); - -- rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider)); -- xrpr = (XRRProviderResources *) Xmalloc(rbytes); -+ rbytes = (sizeof(XRRProviderResources) + rep.nProviders * -+ sizeof(RRProvider)); -+ xrpr = (XRRProviderResources *) Xmalloc(rbytes); -+ } else { -+ nbytes = 0; -+ nbytesRead = 0; -+ rbytes = 0; -+ xrpr = NULL; -+ } - - if (xrpr == NULL) { - _XEatDataWords (dpy, rep.length); -@@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi - return NULL; - } - -+ if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2) -+ { -+ if (rep.length < ProviderInfoExtra >> 2) -+ _XEatDataWords (dpy, rep.length); -+ else -+ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2)); -+ UnlockDisplay (dpy); -+ SyncHandle (); -+ return NULL; -+ } -+ - nbytes = ((long) rep.length << 2) - ProviderInfoExtra; - - nbytesRead = (long)(rep.nCrtcs * 4 + -diff --git a/src/XrrScreen.c b/src/XrrScreen.c -index b8ce7e5..1f7ffe6 100644 ---- a/src/XrrScreen.c -+++ b/src/XrrScreen.c -@@ -24,6 +24,7 @@ - #include <config.h> - #endif - -+#include <limits.h> - #include <stdio.h> - #include <X11/Xlib.h> - /* we need to be able to manipulate the Display structure on events */ -@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll) - xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version); - } - -- nbytes = (long) rep.length << 2; -+ if (rep.length < INT_MAX >> 2) { -+ nbytes = (long) rep.length << 2; - -- nbytesRead = (long) (rep.nCrtcs * 4 + -- rep.nOutputs * 4 + -- rep.nModes * SIZEOF (xRRModeInfo) + -- ((rep.nbytesNames + 3) & ~3)); -+ nbytesRead = (long) (rep.nCrtcs * 4 + -+ rep.nOutputs * 4 + -+ rep.nModes * SIZEOF (xRRModeInfo) + -+ ((rep.nbytesNames + 3) & ~3)); - -- /* -- * first we must compute how much space to allocate for -- * randr library's use; we'll allocate the structures in a single -- * allocation, on cleanlyness grounds. -- */ -+ /* -+ * first we must compute how much space to allocate for -+ * randr library's use; we'll allocate the structures in a single -+ * allocation, on cleanlyness grounds. -+ */ -+ -+ rbytes = (sizeof (XRRScreenResources) + -+ rep.nCrtcs * sizeof (RRCrtc) + -+ rep.nOutputs * sizeof (RROutput) + -+ rep.nModes * sizeof (XRRModeInfo) + -+ rep.nbytesNames + rep.nModes); /* '\0' terminate names */ - -- rbytes = (sizeof (XRRScreenResources) + -- rep.nCrtcs * sizeof (RRCrtc) + -- rep.nOutputs * sizeof (RROutput) + -- rep.nModes * sizeof (XRRModeInfo) + -- rep.nbytesNames + rep.nModes); /* '\0' terminate names */ -+ xrsr = (XRRScreenResources *) Xmalloc(rbytes); -+ wire_names = (char *) Xmalloc (rep.nbytesNames); -+ } else { -+ nbytes = 0; -+ nbytesRead = 0; -+ rbytes = 0; -+ xrsr = NULL; -+ wire_names = NULL; -+ } - -- xrsr = (XRRScreenResources *) Xmalloc(rbytes); -- wire_names = (char *) Xmalloc (rep.nbytesNames); - if (xrsr == NULL || wire_names == NULL) { - Xfree (xrsr); - Xfree (wire_names); -@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll) - wire_name = wire_names; - for (i = 0; i < rep.nModes; i++) { - xrsr->modes[i].name = names; -+ if (xrsr->modes[i].nameLength > rep.nbytesNames) { -+ Xfree (xrsr); -+ Xfree (wire_names); -+ UnlockDisplay (dpy); -+ SyncHandle (); -+ return NULL; -+ } -+ rep.nbytesNames -= xrsr->modes[i].nameLength; - memcpy (names, wire_name, xrsr->modes[i].nameLength); - names[xrsr->modes[i].nameLength] = '\0'; - names += xrsr->modes[i].nameLength + 1; --- -2.10.1 - diff --git a/gnu/packages/patches/libxrender-CVE-2016-7949.patch b/gnu/packages/patches/libxrender-CVE-2016-7949.patch deleted file mode 100644 index 3a2be4ea8e..0000000000 --- a/gnu/packages/patches/libxrender-CVE-2016-7949.patch +++ /dev/null @@ -1,66 +0,0 @@ -Fix CVE-2016-7949: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4 - -From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 21:43:09 +0200 -Subject: [PATCH] Validate lengths while parsing server data. - -Individual lengths inside received server data can overflow -the previously reserved memory. - -It is therefore important to validate every single length -field to not overflow the previously agreed sum of all invidual -length fields. - -v2: consume remaining bytes in the reply buffer on error. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb@laas.fr ---- - src/Xrender.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/src/Xrender.c b/src/Xrender.c -index 3102eb2..71cf3e6 100644 ---- a/src/Xrender.c -+++ b/src/Xrender.c -@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy) - screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); - screen->subpixel = SubPixelUnknown; - xDepth = (xPictDepth *) (xScreen + 1); -+ if (screen->ndepths > rep.numDepths) { -+ Xfree (xri); -+ Xfree (xData); -+ _XEatDataWords (dpy, rep.length); -+ UnlockDisplay (dpy); -+ SyncHandle (); -+ return 0; -+ } -+ rep.numDepths -= screen->ndepths; - for (nd = 0; nd < screen->ndepths; nd++) - { - depth->depth = xDepth->depth; - depth->nvisuals = xDepth->nPictVisuals; - depth->visuals = visual; - xVisual = (xPictVisual *) (xDepth + 1); -+ if (depth->nvisuals > rep.numVisuals) { -+ Xfree (xri); -+ Xfree (xData); -+ _XEatDataWords (dpy, rep.length); -+ UnlockDisplay (dpy); -+ SyncHandle (); -+ return 0; -+ } -+ rep.numVisuals -= depth->nvisuals; - for (nv = 0; nv < depth->nvisuals; nv++) - { - visual->visual = _XRenderFindVisual (dpy, xVisual->visual); --- -2.10.1 - diff --git a/gnu/packages/patches/libxrender-CVE-2016-7950.patch b/gnu/packages/patches/libxrender-CVE-2016-7950.patch deleted file mode 100644 index 1a64b6e724..0000000000 --- a/gnu/packages/patches/libxrender-CVE-2016-7950.patch +++ /dev/null @@ -1,73 +0,0 @@ -Fix CVE-2016-7950: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714 - -From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 21:42:09 +0200 -Subject: [PATCH] Avoid OOB write in XRenderQueryFilters - -The memory for filter names is reserved right after receiving the reply. -After that, filters are iterated and each individual filter name is -stored in that reserved memory. - -The individual name lengths are not checked for validity, which means -that a malicious server can reserve less memory than it will write to -during each iteration. - -v2: consume remaining bytes in reply buffer on error. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/Filter.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/src/Filter.c b/src/Filter.c -index edfa572..8d701eb 100644 ---- a/src/Filter.c -+++ b/src/Filter.c -@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) - char *name; - char len; - int i; -- unsigned long nbytes, nbytesAlias, nbytesName; -+ unsigned long nbytes, nbytesAlias, nbytesName, reply_left; - - if (!RenderHasExtension (info)) - return NULL; -@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) - * Read the filter aliases - */ - _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); -+ reply_left = 8 + rep.length - 2 * rep.numAliases;; - - /* - * Read the filter names -@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) - { - int l; - _XRead (dpy, &len, 1); -+ reply_left--; - l = len & 0xff; -+ if ((unsigned long)l + 1 > nbytesName) { -+ _XEatDataWords(dpy, reply_left); -+ Xfree(filters); -+ UnlockDisplay (dpy); -+ SyncHandle (); -+ return NULL; -+ } -+ nbytesName -= l + 1; - filters->filter[i] = name; - _XRead (dpy, name, l); -+ reply_left -= l; - name[l] = '\0'; - name += l + 1; - } --- -2.10.1 - diff --git a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch b/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch deleted file mode 100644 index 9df6cf3f4d..0000000000 --- a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch +++ /dev/null @@ -1,152 +0,0 @@ -Fix CVE-2016-7951 and CVE-2016-7952 - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3 - -From 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 21:37:01 +0200 -Subject: [PATCH] Out of boundary access and endless loop in libXtst - -A lack of range checks in libXtst allows out of boundary accesses. -The checks have to be done in-place here, because it cannot be done -without in-depth knowledge of the read data. - -If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied -without a client sequence have attached data, an endless loop would -occur. The do-while-loop continues until the current index reaches -the end. But in these cases, the current index would not be -incremented, leading to an endless processing. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/XRecord.c | 43 +++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 39 insertions(+), 4 deletions(-) - -diff --git a/src/XRecord.c b/src/XRecord.c -index 50420c0..fefd842 100644 ---- a/src/XRecord.c -+++ b/src/XRecord.c -@@ -749,15 +749,23 @@ parse_reply_call_callback( - switch (rep->category) { - case XRecordFromServer: - if (rep->elementHeader&XRecordFromServerTime) { -+ if (current_index + 4 > rep->length << 2) -+ return Error; - EXTRACT_CARD32(rep->clientSwapped, - reply->buf+current_index, - data->server_time); - current_index += 4; - } -+ if (current_index + 1 > rep->length << 2) -+ return Error; - switch (reply->buf[current_index]) { - case X_Reply: /* reply */ -+ if (current_index + 8 > rep->length << 2) -+ return Error; - EXTRACT_CARD32(rep->clientSwapped, - reply->buf+current_index+4, datum_bytes); -+ if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8)) -+ return Error; - datum_bytes = (datum_bytes+8) << 2; - break; - default: /* error or event */ -@@ -766,52 +774,73 @@ parse_reply_call_callback( - break; - case XRecordFromClient: - if (rep->elementHeader&XRecordFromClientTime) { -+ if (current_index + 4 > rep->length << 2) -+ return Error; - EXTRACT_CARD32(rep->clientSwapped, - reply->buf+current_index, - data->server_time); - current_index += 4; - } - if (rep->elementHeader&XRecordFromClientSequence) { -+ if (current_index + 4 > rep->length << 2) -+ return Error; - EXTRACT_CARD32(rep->clientSwapped, - reply->buf+current_index, - data->client_seq); - current_index += 4; - } -+ if (current_index + 4 > rep->length<<2) -+ return Error; - if (reply->buf[current_index+2] == 0 - && reply->buf[current_index+3] == 0) /* needn't swap 0 */ - { /* BIG-REQUESTS */ -+ if (current_index + 8 > rep->length << 2) -+ return Error; - EXTRACT_CARD32(rep->clientSwapped, - reply->buf+current_index+4, datum_bytes); - } else { - EXTRACT_CARD16(rep->clientSwapped, - reply->buf+current_index+2, datum_bytes); - } -+ if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2) -+ return Error; - datum_bytes <<= 2; - break; - case XRecordClientStarted: -+ if (current_index + 8 > rep->length << 2) -+ return Error; - EXTRACT_CARD16(rep->clientSwapped, - reply->buf+current_index+6, datum_bytes); - datum_bytes = (datum_bytes+2) << 2; - break; - case XRecordClientDied: - if (rep->elementHeader&XRecordFromClientSequence) { -+ if (current_index + 4 > rep->length << 2) -+ return Error; - EXTRACT_CARD32(rep->clientSwapped, - reply->buf+current_index, - data->client_seq); - current_index += 4; -- } -- /* fall through */ -+ } else if (current_index < rep->length << 2) -+ return Error; -+ datum_bytes = 0; -+ break; - case XRecordStartOfData: - case XRecordEndOfData: -+ if (current_index < rep->length << 2) -+ return Error; - datum_bytes = 0; -+ break; - } - - if (datum_bytes > 0) { -- if (current_index + datum_bytes > rep->length << 2) -+ if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) { - fprintf(stderr, - "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n", -- (long)rep->length << 2, current_index + datum_bytes, -+ (unsigned long)rep->length << 2, current_index + datum_bytes, - dpy->last_request_read); -+ return Error; -+ } - /* - * This assignment (and indeed the whole buffer sharing - * scheme) assumes arbitrary 4-byte boundaries are -@@ -863,6 +892,12 @@ XRecordEnableContext(Display *dpy, XRecordContext context, - return 0; - } - -+ if (rep.length > INT_MAX >> 2) { -+ UnlockDisplay(dpy); -+ SyncHandle(); -+ return 0; -+ } -+ - if (rep.length > 0) { - reply = alloc_reply_buffer(info, rep.length<<2); - if (!reply) { --- -2.10.1 - diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch deleted file mode 100644 index e6a76c9f70..0000000000 --- a/gnu/packages/patches/libxv-CVE-2016-5407.patch +++ /dev/null @@ -1,162 +0,0 @@ -Fix CVE-2016-5407: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17 - -From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 21:30:03 +0200 -Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407 - -The Xv query functions for adaptors and encodings suffer from out of -boundary accesses if a hostile X server sends a maliciously crafted -response. - -A previous fix already checks the received length against fixed values -but ignores additional length specifications which are stored inside -the received data. - -These lengths are accessed in a for-loop. The easiest way to guarantee -a correct processing is by validating all lengths against the -remaining size left before accessing referenced memory. - -This makes the previously applied check obsolete, therefore I removed -it. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/Xv.c | 46 +++++++++++++++++++++++++++++----------------- - 1 file changed, 29 insertions(+), 17 deletions(-) - -diff --git a/src/Xv.c b/src/Xv.c -index e47093a..be450c4 100644 ---- a/src/Xv.c -+++ b/src/Xv.c -@@ -158,6 +158,7 @@ XvQueryAdaptors( - size_t size; - unsigned int ii, jj; - char *name; -+ char *end; - XvAdaptorInfo *pas = NULL, *pa; - XvFormat *pfs, *pf; - char *buffer = NULL; -@@ -197,17 +198,13 @@ XvQueryAdaptors( - /* GET INPUT ADAPTORS */ - - if (rep.num_adaptors == 0) { -- /* If there's no adaptors, there's nothing more to do. */ -+ /* If there are no adaptors, there's nothing more to do. */ - status = Success; - goto out; - } - -- if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) { -- /* If there's not enough data for the number of adaptors, -- then we have a problem. */ -- status = XvBadReply; -- goto out; -- } -+ u.buffer = buffer; -+ end = buffer + size; - - size = rep.num_adaptors * sizeof(XvAdaptorInfo); - if ((pas = Xmalloc(size)) == NULL) { -@@ -225,9 +222,12 @@ XvQueryAdaptors( - pa++; - } - -- u.buffer = buffer; - pa = pas; - for (ii = 0; ii < rep.num_adaptors; ii++) { -+ if (u.buffer + sz_xvAdaptorInfo > end) { -+ status = XvBadReply; -+ goto out; -+ } - pa->type = u.pa->type; - pa->base_id = u.pa->base_id; - pa->num_ports = u.pa->num_ports; -@@ -239,6 +239,10 @@ XvQueryAdaptors( - size = u.pa->name_size; - u.buffer += pad_to_int32(sz_xvAdaptorInfo); - -+ if (u.buffer + size > end) { -+ status = XvBadReply; -+ goto out; -+ } - if ((name = Xmalloc(size + 1)) == NULL) { - status = XvBadAlloc; - goto out; -@@ -259,6 +263,11 @@ XvQueryAdaptors( - - pf = pfs; - for (jj = 0; jj < pa->num_formats; jj++) { -+ if (u.buffer + sz_xvFormat > end) { -+ Xfree(pfs); -+ status = XvBadReply; -+ goto out; -+ } - pf->depth = u.pf->depth; - pf->visual_id = u.pf->visual; - pf++; -@@ -327,6 +336,7 @@ XvQueryEncodings( - size_t size; - unsigned int jj; - char *name; -+ char *end; - XvEncodingInfo *pes = NULL, *pe; - char *buffer = NULL; - union { -@@ -364,17 +374,13 @@ XvQueryEncodings( - /* GET ENCODINGS */ - - if (rep.num_encodings == 0) { -- /* If there's no encodings, there's nothing more to do. */ -+ /* If there are no encodings, there's nothing more to do. */ - status = Success; - goto out; - } - -- if (size < (rep.num_encodings * sz_xvEncodingInfo)) { -- /* If there's not enough data for the number of adaptors, -- then we have a problem. */ -- status = XvBadReply; -- goto out; -- } -+ u.buffer = buffer; -+ end = buffer + size; - - size = rep.num_encodings * sizeof(XvEncodingInfo); - if ((pes = Xmalloc(size)) == NULL) { -@@ -391,10 +397,12 @@ XvQueryEncodings( - pe++; - } - -- u.buffer = buffer; -- - pe = pes; - for (jj = 0; jj < rep.num_encodings; jj++) { -+ if (u.buffer + sz_xvEncodingInfo > end) { -+ status = XvBadReply; -+ goto out; -+ } - pe->encoding_id = u.pe->encoding; - pe->width = u.pe->width; - pe->height = u.pe->height; -@@ -405,6 +413,10 @@ XvQueryEncodings( - size = u.pe->name_size; - u.buffer += pad_to_int32(sz_xvEncodingInfo); - -+ if (u.buffer + size > end) { -+ status = XvBadReply; -+ goto out; -+ } - if ((name = Xmalloc(size + 1)) == NULL) { - status = XvBadAlloc; - goto out; --- -2.10.1 - diff --git a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch b/gnu/packages/patches/libxvmc-CVE-2016-7953.patch deleted file mode 100644 index 737abdeb9f..0000000000 --- a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch +++ /dev/null @@ -1,42 +0,0 @@ -Fix CVE-2016-7953: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb - -From 2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 22:34:27 +0200 -Subject: [PATCH] Avoid buffer underflow on empty strings. - -If an empty string is received from an x-server, do not underrun the -buffer by accessing "rep.nameLen - 1" unconditionally, which could end -up being -1. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/XvMC.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/XvMC.c b/src/XvMC.c -index 7336760..3ee4212 100644 ---- a/src/XvMC.c -+++ b/src/XvMC.c -@@ -576,9 +576,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, - if (*name && *busID && tmpBuf) { - _XRead(dpy, tmpBuf, realSize); - strncpy(*name,tmpBuf,rep.nameLen); -- (*name)[rep.nameLen - 1] = '\0'; -+ (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0'; - strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen); -- (*busID)[rep.busIDLen - 1] = '\0'; -+ (*busID)[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0'; - XFree(tmpBuf); - } else { - XFree(*name); --- -2.10.1 - diff --git a/gnu/packages/patches/linux-pam-no-setfsuid.patch b/gnu/packages/patches/linux-pam-no-setfsuid.patch new file mode 100644 index 0000000000..f92fbc057a --- /dev/null +++ b/gnu/packages/patches/linux-pam-no-setfsuid.patch @@ -0,0 +1,75 @@ +On systems without 'setfsuid', use 'setreuid' instead. + +The patch originates from the Debian project for GNU/Hurd. +Authors: Steve Langasek <vorlon@debian.org> +Upstream status: A ticket was opened to request apply the patch, +ticket: 'https://fedorahosted.org/linux-pam/ticket/64'. + +--- Linux-PAM-1.2.1/libpam/pam_modutil_priv.c 2015-03-24 06:02:32.000000000 -0600 ++++ pam_modutil_priv-mod.c 2016-09-20 13:36:53.150663205 -0500 +@@ -14,7 +14,9 @@ + #include <syslog.h> + #include <pwd.h> + #include <grp.h> ++#ifdef HAVE_SYS_FSUID_H + #include <sys/fsuid.h> ++#endif /* HAVE_SYS_FSUID_H */ + + /* + * Two setfsuid() calls in a row are necessary to check +@@ -22,17 +24,55 @@ + */ + static int change_uid(uid_t uid, uid_t *save) + { ++#ifdef HAVE_SYS_FSUID_H + uid_t tmp = setfsuid(uid); + if (save) + *save = tmp; + return (uid_t) setfsuid(uid) == uid ? 0 : -1; ++#else ++ uid_t euid = geteuid(); ++ uid_t ruid = getuid(); ++ if (save) ++ *save = ruid; ++ if (ruid == uid && uid != 0) ++ if (setreuid(euid, uid)) ++ return -1; ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, uid)) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if (setreuid(-1, uid)) ++ return -1; ++ } ++ } ++#endif + } + static int change_gid(gid_t gid, gid_t *save) + { ++#ifdef HAVE_SYS_FSUID_H + gid_t tmp = setfsgid(gid); + if (save) + *save = tmp; + return (gid_t) setfsgid(gid) == gid ? 0 : -1; ++#else ++ gid_t egid = getegid(); ++ gid_t rgid = getgid(); ++ if (save) ++ *save = rgid; ++ if (rgid == gid) ++ if (setregid(egid, gid)) ++ return -1; ++ else { ++ setregid(0, -1); ++ if (setregid(-1, gid)) { ++ setregid(-1, 0); ++ setregid(0, -1); ++ if (setregid(-1, gid)) ++ return -1; ++ } ++ } ++#endif + } + + static int cleanup(struct pam_modutil_privs *p) diff --git a/gnu/packages/patches/openssl-CVE-2016-2177.patch b/gnu/packages/patches/openssl-CVE-2016-2177.patch deleted file mode 100644 index f6465aeaa7..0000000000 --- a/gnu/packages/patches/openssl-CVE-2016-2177.patch +++ /dev/null @@ -1,286 +0,0 @@ -Fix CVE-2016-2177. - -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177> - -Source: -<https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7> - -From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Thu, 5 May 2016 11:10:26 +0100 -Subject: [PATCH] Avoid some undefined pointer arithmetic - -A common idiom in the codebase is: - -if (p + len > limit) -{ - return; /* Too long */ -} - -Where "p" points to some malloc'd data of SIZE bytes and -limit == p + SIZE - -"len" here could be from some externally supplied data (e.g. from a TLS -message). - -The rules of C pointer arithmetic are such that "p + len" is only well -defined where len <= SIZE. Therefore the above idiom is actually -undefined behaviour. - -For example this could cause problems if some malloc implementation -provides an address for "p" such that "p + len" actually overflows for -values of len that are too big and therefore p + len < limit! - -Issue reported by Guido Vranken. - -CVE-2016-2177 - -Reviewed-by: Rich Salz <rsalz@openssl.org> ---- - ssl/s3_srvr.c | 14 +++++++------- - ssl/ssl_sess.c | 2 +- - ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++-------------------------- - 3 files changed, 38 insertions(+), 34 deletions(-) - -diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c -index ab28702..ab7f690 100644 ---- a/ssl/s3_srvr.c -+++ b/ssl/s3_srvr.c -@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) - - session_length = *(p + SSL3_RANDOM_SIZE); - -- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { -+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) - /* get the session-id */ - j = *(p++); - -- if (p + j > d + n) { -+ if ((d + n) - p < j) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) - - if (SSL_IS_DTLS(s)) { - /* cookie stuff */ -- if (p + 1 > d + n) { -+ if ((d + n) - p < 1) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - cookie_len = *(p++); - -- if (p + cookie_len > d + n) { -+ if ((d + n ) - p < cookie_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) - } - } - -- if (p + 2 > d + n) { -+ if ((d + n ) - p < 2) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) - } - - /* i bytes of cipher data + 1 byte for compression length later */ -- if ((p + i + 1) > (d + n)) { -+ if ((d + n) - p < i + 1) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s) - - /* compression */ - i = *(p++); -- if ((p + i) > (d + n)) { -+ if ((d + n) - p < i) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index b182998..54ee783 100644 ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - int r; - #endif - -- if (session_id + len > limit) { -+ if (limit - session_id < len) { - fatal = 1; - goto err; - } -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fb64607..cdac011 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - 0x02, 0x03, /* SHA-1/ECDSA */ - }; - -- if (data >= (limit - 2)) -+ if (limit - data <= 2) - return; - data += 2; - -- if (data > (limit - 4)) -+ if (limit - data < 4) - return; - n2s(data, type); - n2s(data, size); -@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - if (type != TLSEXT_TYPE_server_name) - return; - -- if (data + size > limit) -+ if (limit - data < size) - return; - data += size; - -@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - const size_t len1 = sizeof(kSafariExtensionsBlock); - const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - -- if (data + len1 + len2 != limit) -+ if (limit - data != (int)(len1 + len2)) - return; - if (memcmp(data, kSafariExtensionsBlock, len1) != 0) - return; -@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - } else { - const size_t len = sizeof(kSafariExtensionsBlock); - -- if (data + len != limit) -+ if (limit - data != (int)(len)) - return; - if (memcmp(data, kSafariExtensionsBlock, len) != 0) - return; -@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - if (data == limit) - goto ri_check; - -- if (data > (limit - 2)) -+ if (limit - data < 2) - goto err; - - n2s(data, len); - -- if (data + len != limit) -+ if (limit - data != len) - goto err; - -- while (data <= (limit - 4)) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (limit)) -+ if (limit - data < size) - goto err; - # if 0 - fprintf(stderr, "Received extension type %d size %d\n", type, size); -@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s, - if (s->hit || s->cert->srv_ext.meths_count == 0) - return 1; - -- if (data >= limit - 2) -+ if (limit - data <= 2) - return 1; - n2s(data, len); - -- if (data > limit - len) -+ if (limit - data < len) - return 1; - -- while (data <= limit - 4) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > limit) -+ if (limit - data < size) - return 1; - if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) - return 0; -@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); - # endif - -- if (data >= (d + n - 2)) -+ if ((d + n) - data <= 2) - goto ri_check; - - n2s(data, length); -- if (data + length != d + n) { -+ if ((d + n) - data != length) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - -- while (data <= (d + n - 4)) { -+ while ((d + n) - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (d + n)) -+ if ((d + n) - data < size) - goto ri_check; - - if (s->tlsext_debug_cb) -@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - /* Skip past DTLS cookie */ - if (SSL_IS_DTLS(s)) { - i = *(p++); -- p += i; -- if (p >= limit) -+ -+ if (limit - p <= i) - return -1; -+ -+ p += i; - } - /* Skip past cipher list */ - n2s(p, i); -- p += i; -- if (p >= limit) -+ if (limit - p <= i) - return -1; -+ p += i; -+ - /* Skip past compression algorithm list */ - i = *(p++); -- p += i; -- if (p > limit) -+ if (limit - p < i) - return -1; -+ p += i; -+ - /* Now at start of extensions */ -- if ((p + 2) >= limit) -+ if (limit - p <= 2) - return 0; - n2s(p, i); -- while ((p + 4) <= limit) { -+ while (limit - p >= 4) { - unsigned short type, size; - n2s(p, type); - n2s(p, size); -- if (p + size > limit) -+ if (limit - p < size) - return 0; - if (type == TLSEXT_TYPE_session_ticket) { - int r; --- -2.8.4 - diff --git a/gnu/packages/patches/openssl-CVE-2016-2178.patch b/gnu/packages/patches/openssl-CVE-2016-2178.patch deleted file mode 100644 index 37cf2763af..0000000000 --- a/gnu/packages/patches/openssl-CVE-2016-2178.patch +++ /dev/null @@ -1,112 +0,0 @@ -Fix CVE-2016-2178. - -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178> - -Source: -<https://git.openssl.org/?p=openssl.git;a=commit;h=621eaf49a289bfac26d4cbcdb7396e796784c534> -<https://git.openssl.org/?p=openssl.git;a=commit;h=b7d0f2834e139a20560d64c73e2565e93715ce2b> - -From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001 -From: Cesar Pereida <cesar.pereida@aalto.fi> -Date: Mon, 23 May 2016 12:45:25 +0300 -Subject: [PATCH 1/2] Fix DSA, preserve BN_FLG_CONSTTIME - -Operations in the DSA signing algorithm should run in constant time in -order to avoid side channel attacks. A flaw in the OpenSSL DSA -implementation means that a non-constant time codepath is followed for -certain operations. This has been demonstrated through a cache-timing -attack to be sufficient for an attacker to recover the private DSA key. - -CVE-2016-2178 - -Reviewed-by: Richard Levitte <levitte@openssl.org> -Reviewed-by: Matt Caswell <matt@openssl.org> ---- - crypto/dsa/dsa_ossl.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index efc4f1b..b29eb4b 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - if (!BN_rand_range(&k, dsa->q)) - goto err; - while (BN_is_zero(&k)) ; -- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -- BN_set_flags(&k, BN_FLG_CONSTTIME); -- } - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, -@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - } - - K = &kq; -+ -+ BN_set_flags(K, BN_FLG_CONSTTIME); - } else { - K = &k; - } -+ - DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, - dsa->method_mont_p); - if (!BN_mod(r, r, dsa->q, ctx)) --- -2.8.4 - -From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Tue, 7 Jun 2016 09:12:51 +0100 -Subject: [PATCH 2/2] More fix DSA, preserve BN_FLG_CONSTTIME - -The previous "fix" still left "k" exposed to constant time problems in -the later BN_mod_inverse() call. Ensure both k and kq have the -BN_FLG_CONSTTIME flag set at the earliest opportunity after creation. - -CVE-2016-2178 - -Reviewed-by: Rich Salz <rsalz@openssl.org> ---- - crypto/dsa/dsa_ossl.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index b29eb4b..58013a4 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - do - if (!BN_rand_range(&k, dsa->q)) - goto err; -- while (BN_is_zero(&k)) ; -+ while (BN_is_zero(&k)); -+ -+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -+ BN_set_flags(&k, BN_FLG_CONSTTIME); -+ } -+ - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, -@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - if (!BN_copy(&kq, &k)) - goto err; - -+ BN_set_flags(&kq, BN_FLG_CONSTTIME); -+ - /* - * We do not want timing information to leak the length of k, so we - * compute g^k using an equivalent exponent of fixed length. (This -@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - } - - K = &kq; -- -- BN_set_flags(K, BN_FLG_CONSTTIME); - } else { - K = &k; - } --- -2.8.4 - diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch deleted file mode 100644 index 4c25d41740..0000000000 --- a/gnu/packages/patches/perl-CVE-2015-8607.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001 -From: Tony Cook <tony@develop-help.com> -Date: Tue, 15 Dec 2015 10:56:54 +1100 -Subject: ensure File::Spec::canonpath() preserves taint - -Previously the unix specific XS implementation of canonpath() would -return an untainted path when supplied a tainted path. - -For the empty string case, newSVpvs() already sets taint as needed on -its result. - -This issue was assigned CVE-2015-8607. - -Bug: https://rt.perl.org/Ticket/Display.html?id=126862 -Bug-Debian: https://bugs.debian.org/810719 -Origin: upstream -Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff ---- - dist/PathTools/Cwd.xs | 1 + - dist/PathTools/t/taint.t | 19 ++++++++++++++++++- - 2 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs -index 9d4dcf0..3d018dc 100644 ---- a/dist/PathTools/Cwd.xs -+++ b/dist/PathTools/Cwd.xs -@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path) - *o = 0; - SvPOK_on(retval); - SvCUR_set(retval, o - SvPVX(retval)); -+ SvTAINT(retval); - return retval; - } - -diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t -index 309b3e5..48f8c5b 100644 ---- a/dist/PathTools/t/taint.t -+++ b/dist/PathTools/t/taint.t -@@ -12,7 +12,7 @@ use Test::More; - BEGIN { - plan( - ${^TAINT} -- ? (tests => 17) -+ ? (tests => 21) - : (skip_all => "A perl without taint support") - ); - } -@@ -34,3 +34,20 @@ foreach my $func (@Functions) { - - # Previous versions of Cwd tainted $^O - is !tainted($^O), 1, "\$^O should not be tainted"; -+ -+{ -+ # [perl #126862] canonpath() loses taint -+ my $tainted = substr($ENV{PATH}, 0, 0); -+ # yes, getcwd()'s result should be tainted, and is tested above -+ # but be sure -+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)), -+ "canonpath() keeps taint on non-empty string"; -+ ok tainted(File::Spec->canonpath($tainted)), -+ "canonpath() keeps taint on empty string"; -+ -+ (Cwd::getcwd() =~ /^(.*)/); -+ my $untainted = $1; -+ ok !tainted($untainted), "make sure our untainted value is untainted"; -+ ok !tainted(File::Spec->canonpath($untainted)), -+ "canonpath() doesn't add taint to untainted string"; -+} diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch deleted file mode 100644 index 99d1944a5d..0000000000 --- a/gnu/packages/patches/perl-CVE-2016-2381.patch +++ /dev/null @@ -1,116 +0,0 @@ -Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables). - -Copied from upstream: -http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076 - -References: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381 -http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html -https://security-tracker.debian.org/tracker/CVE-2016-2381 - ---- - -From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001 -From: Tony Cook <tony@develop-help.com> -Date: Wed, 27 Jan 2016 11:52:15 +1100 -Subject: remove duplicate environment variables from environ - -If we see duplicate environment variables while iterating over -environ[]: - -a) make sure we use the same value in %ENV that getenv() returns. - -Previously on a duplicate, %ENV would have the last entry for the name -from environ[], but a typical getenv() would return the first entry. - -Rather than assuming all getenv() implementations return the first entry -explicitly call getenv() to ensure they agree. - -b) remove duplicate entries from environ - -Previously if there was a duplicate definition for a name in environ[] -setting that name in %ENV could result in an unsafe value being passed -to a child process, so ensure environ[] has no duplicates. - -Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff ---- - perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 49 insertions(+), 2 deletions(-) - -diff --git a/perl.c b/perl.c -index 67d32ce..26aeb91 100644 ---- a/perl.c -+++ b/perl.c -@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env) - } - if (env) { - char *s, *old_var; -+ STRLEN nlen; - SV *sv; -+ HV *dups = newHV(); -+ - for (; *env; env++) { - old_var = *env; - - if (!(s = strchr(old_var,'=')) || s == old_var) - continue; -+ nlen = s - old_var; - - #if defined(MSDOS) && !defined(DJGPP) - *s = '\0'; - (void)strupr(old_var); - *s = '='; - #endif -- sv = newSVpv(s+1, 0); -- (void)hv_store(hv, old_var, s - old_var, sv, 0); -+ if (hv_exists(hv, old_var, nlen)) { -+ const char *name = savepvn(old_var, nlen); -+ -+ /* make sure we use the same value as getenv(), otherwise code that -+ uses getenv() (like setlocale()) might see a different value to %ENV -+ */ -+ sv = newSVpv(PerlEnv_getenv(name), 0); -+ -+ /* keep a count of the dups of this name so we can de-dup environ later */ -+ if (hv_exists(dups, name, nlen)) -+ ++SvIVX(*hv_fetch(dups, name, nlen, 0)); -+ else -+ (void)hv_store(dups, name, nlen, newSViv(1), 0); -+ -+ Safefree(name); -+ } -+ else { -+ sv = newSVpv(s+1, 0); -+ } -+ (void)hv_store(hv, old_var, nlen, sv, 0); - if (env_is_not_environ) - mg_set(sv); - } -+ if (HvKEYS(dups)) { -+ /* environ has some duplicate definitions, remove them */ -+ HE *entry; -+ hv_iterinit(dups); -+ while ((entry = hv_iternext_flags(dups, 0))) { -+ STRLEN nlen; -+ const char *name = HePV(entry, nlen); -+ IV count = SvIV(HeVAL(entry)); -+ IV i; -+ SV **valp = hv_fetch(hv, name, nlen, 0); -+ -+ assert(valp); -+ -+ /* try to remove any duplicate names, depending on the -+ * implementation used in my_setenv() the iteration might -+ * not be necessary, but let's be safe. -+ */ -+ for (i = 0; i < count; ++i) -+ my_setenv(name, 0); -+ -+ /* and set it back to the value we set $ENV{name} to */ -+ my_setenv(name, SvPV_nolen(*valp)); -+ } -+ } -+ SvREFCNT_dec_NN(dups); - } - #endif /* USE_ENVIRON_ARRAY */ - #endif /* !PERL_MICRO */ diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch deleted file mode 100644 index 5d78e8f462..0000000000 --- a/gnu/packages/patches/perl-no-build-time.patch +++ /dev/null @@ -1,26 +0,0 @@ -Do not record the configuration and build time so that builds can be -reproduced bit-for-bit. - ---- perl-5.22.0/Configure 1970-01-01 01:00:00.000000000 +0100 -+++ perl-5.22.0/Configure 2015-12-13 00:14:43.148165080 +0100 -@@ -3834,6 +3817,7 @@ esac - - : who configured the system - cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1` -+cf_time='Thu Jan 1 00:00:01 UTC 1970' - case "$cf_by" in - "") - cf_by=`(logname) 2>/dev/null` - ---- perl-5.22.0/perl.c 2015-12-13 00:25:30.269156627 +0100 -+++ perl-5.22.0/perl.c 2015-12-13 00:25:38.265218175 +0100 -@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv) - PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options, - sizeof(non_bincompat_options) - 1, SVs_TEMP)); - --#ifdef __DATE__ -+#if 0 - # ifdef __TIME__ - PUSHs(Perl_newSVpvn_flags(aTHX_ - STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__), - diff --git a/gnu/packages/patches/perl-reproducible-build-date.patch b/gnu/packages/patches/perl-reproducible-build-date.patch new file mode 100644 index 0000000000..bf0d4b8f6d --- /dev/null +++ b/gnu/packages/patches/perl-reproducible-build-date.patch @@ -0,0 +1,50 @@ +Don't encode the current timestamp. + +This affects the output of `perl -V`, specifically the message "Compiled +at [...]". + +The 'cf_time' and 'cf_by' values show up in 'config.h' and +in 'Config_heavy.pl'. + +Use the output of 'uname -s' instead of 'uname -a' to avoid recording +the kernel version ('uname -o' leads to directory names like +'x86_64-gnulinux' instead of 'x86_64-linux', which might cause breakage +down the road.) + +diff --git a/perl.c b/perl.c +index 228a0d8..ed38313 100644 +--- a/perl.c ++++ b/perl.c +@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv) + PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options, + sizeof(non_bincompat_options) - 1, SVs_TEMP)); + ++#define PERL_BUILD_DATE "Jan 1 1970 00:00:00" + #ifndef PERL_BUILD_DATE + # ifdef __DATE__ + # ifdef __TIME__ + +--- a/Configure 1970-01-01 01:00:00.000000000 +0100 ++++ b/Configure 2016-10-01 14:47:20.017319739 +0200 +@@ -3276,7 +3276,7 @@ $eunicefix tr + : Try to determine whether config.sh was made on this system + case "$config_sh" in + '') +-myuname=`$uname -a 2>/dev/null` ++myuname=`$uname -s 2>/dev/null` + $test -z "$myuname" && myuname=`hostname 2>/dev/null` + # Downcase everything to avoid ambiguity. + # Remove slashes and single quotes so we can use parts of this in +@@ -3845,10 +3845,10 @@ + . ./posthint.sh + + : who configured the system +-cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1` ++cf_time="1970-01-01" + case "$cf_by" in + "") +- cf_by=`(logname) 2>/dev/null` ++ cf_by="guix" + case "$cf_by" in + "") + cf_by=`(whoami) 2>/dev/null` diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch deleted file mode 100644 index 37330c9537..0000000000 --- a/gnu/packages/patches/perl-source-date-epoch.patch +++ /dev/null @@ -1,19 +0,0 @@ -Adapted from <https://bugs.debian.org/801621>. -Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable. - ---- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:33:03.321787590 +0100 -+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:36:33.367361338 +0100 -@@ -884,7 +884,12 @@ sub devise_date { - my ($self) = @_; - my $input = $self->source_filename; - my $time; -- if ($input) { -+ -+ if (defined($ENV{SOURCE_DATE_EPOCH}) && -+ $ENV{SOURCE_DATE_EPOCH} !~ /\D/) { -+ $time = $ENV{SOURCE_DATE_EPOCH}; -+ } -+ elsif ($input) { - $time = (stat $input)[9] || time; - } else { - $time = time; diff --git a/gnu/packages/patches/procps-non-linux.patch b/gnu/packages/patches/procps-non-linux.patch deleted file mode 100644 index 9d369aeb2c..0000000000 --- a/gnu/packages/patches/procps-non-linux.patch +++ /dev/null @@ -1,40 +0,0 @@ -From aa9bd38d0a6fe53aff7f78fb2d9f61e55677c7b5 Mon Sep 17 00:00:00 2001 -From: Craig Small <csmall@enc.com.au> -Date: Sun, 17 Apr 2016 09:09:41 +1000 -Subject: [PATCH] tests: Conditionally add prctl to test process - -prctl was already bypassed on Cygwin systems. This extends to -non-Linux systems such as kFreeBSD and Hurd. - ---- - lib/test_process.c | 4 ++-- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/test_process.c b/lib/test_process.c -index 6e652ed..6a4776c 100644 ---- a/lib/test_process.c -+++ b/lib/test_process.c -@@ -21,7 +21,9 @@ - #include <stdlib.h> - #include <unistd.h> - #include <signal.h> -+#ifdef __linux__ - #include <sys/prctl.h> -+#endif - #include "c.h" - - #define DEFAULT_SLEEPTIME 300 -@@ -78,8 +80,10 @@ - sigaction(SIGUSR1, &signal_action, NULL); - sigaction(SIGUSR2, &signal_action, NULL); - -+#ifdef __linux__ - /* set process name */ - prctl(PR_SET_NAME, MY_NAME, NULL, NULL, NULL); -+#endif - - while (sleep_time > 0) { - sleep_time = sleep(sleep_time); --- -2.8.2 - diff --git a/gnu/packages/patches/python-3.4-fix-tests.patch b/gnu/packages/patches/python-3.4-fix-tests.patch new file mode 100644 index 0000000000..d1f8138e79 --- /dev/null +++ b/gnu/packages/patches/python-3.4-fix-tests.patch @@ -0,0 +1,12 @@ +--- Lib/test/test_posixpath.py 2014-03-01 05:46:56.984311000 +0100 ++++ Lib/test/test_posixpath.py 2014-03-07 00:59:20.888311000 +0100 +@@ -319,7 +319,11 @@ + del env['HOME'] + home = pwd.getpwuid(os.getuid()).pw_dir + # $HOME can end with a trailing /, so strip it (see #17809) +- self.assertEqual(posixpath.expanduser("~"), home.rstrip("/")) ++ # The Guix builders have '/' as a home directory, so ++ # home.rstrip("/") will be an empty string and the test will ++ # fail. Let's just disable it since it does not really make ++ # sense with such a bizarre setup. ++ # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/")) diff --git a/gnu/packages/patches/python-3.5-fix-tests.patch b/gnu/packages/patches/python-3.5-fix-tests.patch new file mode 100644 index 0000000000..46d2a84efb --- /dev/null +++ b/gnu/packages/patches/python-3.5-fix-tests.patch @@ -0,0 +1,46 @@ +Additional test fixes which affect Python 3.5 (and presumably later) but not +prior revisions of Python. + +--- Lib/test/test_pathlib.py 2014-03-01 03:02:36.088311000 +0100 ++++ Lib/test/test_pathlib.py 2014-03-01 04:56:37.768311000 +0100 +@@ -1986,8 +1986,9 @@ + expect = set() if not support.fs_is_case_insensitive(BASE) else given + self.assertEqual(given, expect) + self.assertEqual(set(p.rglob("FILEd*")), set()) + ++ @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests") + def test_expanduser(self): + P = self.cls + support.import_module('pwd') + import pwd +--- Lib/test/test_tarfile.py 2016-02-24 19:22:52.597208055 +0000 ++++ Lib/test/test_tarfile.py 2016-02-24 20:50:48.941950135 +0000 +@@ -2305,11 +2305,14 @@ + try: + import pwd, grp + except ImportError: + return False +- if pwd.getpwuid(0)[0] != 'root': +- return False +- if grp.getgrgid(0)[0] != 'root': ++ try: ++ if pwd.getpwuid(0)[0] != 'root': ++ return False ++ if grp.getgrgid(0)[0] != 'root': ++ return False ++ except KeyError: + return False + return True + + +--- Lib/test/test_asyncio/test_base_events.py ++++ Lib/test/test_asyncio/test_base_events.py +@@ -142,6 +142,8 @@ class BaseEventTests(test_utils.TestCase): + (INET, STREAM, TCP, '', ('1.2.3.4', 1)), + base_events._ipaddr_info('1.2.3.4', b'1', INET, STREAM, TCP)) + ++ @unittest.skipUnless(support.is_resource_enabled('network'), ++ 'network is not enabled') + def test_getaddrinfo_servname(self): + INET = socket.AF_INET + STREAM = socket.SOCK_STREAM diff --git a/gnu/packages/patches/python-disable-ssl-test.patch b/gnu/packages/patches/python-disable-ssl-test.patch deleted file mode 100644 index e351c77505..0000000000 --- a/gnu/packages/patches/python-disable-ssl-test.patch +++ /dev/null @@ -1,12 +0,0 @@ -Disable a test that fails with openssl-1.0.2b. - ---- Lib/test/test_ssl.py.orig 2015-02-25 06:27:45.000000000 -0500 -+++ Lib/test/test_ssl.py 2015-06-12 03:14:09.395212502 -0400 -@@ -2718,6 +2718,7 @@ - chatty=True, connectionchatty=True) - self.assertIs(stats['compression'], None) - -+ @unittest.skipIf(True, "openssl 1.0.2b complains: dh key too small") - def test_dh_params(self): - # Check we can get a connection with ephemeral Diffie-Hellman - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) diff --git a/gnu/packages/patches/python-fix-tests.patch b/gnu/packages/patches/python-fix-tests.patch index 82c19980f9..e093307c51 100644 --- a/gnu/packages/patches/python-fix-tests.patch +++ b/gnu/packages/patches/python-fix-tests.patch @@ -20,21 +20,6 @@ http://bugs.python.org/issue20868 . def test_tarfile_root_owner(self): tmpdir, tmpdir2, base_name = self._create_files() ---- Lib/test/test_posixpath.py 2014-03-01 05:46:56.984311000 +0100 -+++ Lib/test/test_posixpath.py 2014-03-07 00:59:20.888311000 +0100 -@@ -319,7 +319,11 @@ - del env['HOME'] - home = pwd.getpwuid(os.getuid()).pw_dir - # $HOME can end with a trailing /, so strip it (see #17809) -- self.assertEqual(posixpath.expanduser("~"), home.rstrip("/")) -+ # The Guix builders have '/' as a home directory, so -+ # home.rstrip("/") will be an empty string and the test will -+ # fail. Let's just disable it since it does not really make -+ # sense with such a bizarre setup. -+ # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/")) - - def test_normpath(self): - self.assertEqual(posixpath.normpath(""), ".") --- Lib/test/test_socket.py.orig 2014-03-02 22:14:12.264311000 +0100 +++ Lib/test/test_socket.py 2014-03-21 03:50:45.660311000 +0100 @@ -819,6 +819,8 @@ diff --git a/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch new file mode 100644 index 0000000000..1426883216 --- /dev/null +++ b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch @@ -0,0 +1,33 @@ +Do not define BSDWAIT to avoid error "storage size of ‘w’ isn’t known". + +This is an adapted version of the upstream patch taken from here: +https://github.com/tcsh-org/tcsh/commit/4689eb60a74bf13bc146ca3d76e9d7a124ab7b49.patch + +From 4689eb60a74bf13bc146ca3d76e9d7a124ab7b49 Mon Sep 17 00:00:00 2001 +From: christos <christos> +Date: Fri, 23 Sep 2016 19:17:28 +0000 +Subject: [PATCH] Don't define BSDWAIT for linux anymore. + +--- + sh.proc.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/sh.proc.c b/sh.proc.c +index 49b199f..874d67c 100644 +--- sh.proc.c ++++ sh.proc.c +@@ -47,11 +47,9 @@ RCSID("$tcsh$") + # define HZ 16 + #endif /* aiws */ + +-#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid) || defined(__linux__) || defined(__GNU__) || defined(__GLIBC__) +-# if !defined(__ANDROID__) +-# define BSDWAIT +-# endif +-#endif /* _BSD || (IRIS4D && __STDC__) || __lucid || glibc */ ++#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid) ++# define BSDWAIT ++#endif /* _BSD || (IRIS4D && __STDC__) || __lucid */ + #ifndef WTERMSIG + # define WTERMSIG(w) (((union wait *) &(w))->w_termsig) + # ifndef BSDWAIT |