Update libX11 to v1.8.7 to fix CVEs 2023-43785, 2023-43786 and 2023-43787 (#6467)

* Update libX11 to v1.8.7 to fix CVEs 2023-43785, 2023-43786 and 2023-43787 * Update xorg-x11-proto-devel to v2023.2
2023-10-30 09:44:36 -07:00 · 2023-10-30 09:44:36 -07:00 · 0633a5fda6
--- a/SPECS/libX11/CVE-2023-3138.patch
+++ b/SPECS/libX11/CVE-2023-3138.patch
@ -1,111 +0,0 @@
-From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 10 Jun 2023 16:30:07 -0700
-Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
- error codes
-
-Fixes CVE-2023-3138: X servers could return values from XQueryExtension
-that would cause Xlib to write entries out-of-bounds of the arrays to
-store them, though this would only overwrite other parts of the Display
-struct, not outside the bounds allocated for that structure.
-
-Backported by @mfrw for version 1.6.12
-
-Reported-by: Gregory James DUCK <gjduck@gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
- src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 42 insertions(+)
-
-diff --git a/src/InitExt.c b/src/InitExt.c
-index 4de46f15..afc00a6b 100644
--- a/src/InitExt.c
-+++ b/src/InitExt.c
-@@ -33,6 +33,18 @@ from The Open Group.
- #include <X11/Xos.h>
- #include <stdio.h>
- 
-+/* The X11 protocol spec reserves events 64 through 127 for extensions */
-+#ifndef LastExtensionEvent
-+#define LastExtensionEvent 127
-+#endif
-+
-+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
-+#ifndef LastExtensionRequest
-+#define FirstExtensionRequest 128
-+#define LastExtensionRequest 255
-+#endif
-+
-+
- /*
-  * This routine is used to link a extension in so it will be called
-  * at appropriate times.
-@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
- 	WireToEventType proc)	/* routine to call when converting event */
- {
- 	register WireToEventType oldproc;
-+	if (event_number < 0 ||
-+	    event_number > LastExtensionEvent) {
-+	    fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
-+		    event_number);
-+	    return (WireToEventType)_XUnknownWireEvent;
-+	}
- 	if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
- 	LockDisplay (dpy);
- 	oldproc = dpy->event_vec[event_number];
-@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
-     )
- {
- 	WireToEventCookieType oldproc;
-+	if (extension < FirstExtensionRequest ||
-+	    extension > LastExtensionRequest) {
-+	    fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
-+		    extension);
-+	    return (WireToEventCookieType)_XUnknownWireEventCookie;
-+	}
- 	if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
- 	LockDisplay (dpy);
- 	oldproc = dpy->generic_event_vec[extension & 0x7F];
-@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
-     )
- {
- 	CopyEventCookieType oldproc;
-+	if (extension < FirstExtensionRequest ||
-+	    extension > LastExtensionRequest) {
-+	    fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
-+		    extension);
-+	    return (CopyEventCookieType)_XUnknownCopyEventCookie;
-+	}
- 	if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
- 	LockDisplay (dpy);
- 	oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
-@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
- 	EventToWireType proc)	/* routine to call when converting event */
- {
- 	register EventToWireType oldproc;
-+	if (event_number < 0 ||
-+	    event_number > LastExtensionEvent) {
-+	    fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
-+		    event_number);
-+	    return (EventToWireType)_XUnknownNativeEvent;
-+	}
- 	if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
- 	LockDisplay (dpy);
- 	oldproc = dpy->wire_vec[event_number];
-@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
- 	WireToErrorType proc)	/* routine to call when converting error */
- {
- 	register WireToErrorType oldproc = NULL;
-+	if (error_number < 0 ||
-+	    error_number > LastExtensionError) {
-+	   fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
-+		    error_number);
-+	   return (WireToErrorType)_XDefaultWireError;
-+	}
- 	if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
- 	LockDisplay (dpy);
- 	if (!dpy->error_vec) {
-- 
-GitLab
-
--- a/SPECS/libX11/libX11-race-condition.patch
+++ b/SPECS/libX11/libX11-race-condition.patch
@ -1,109 +0,0 @@
-diff --git a/src/Xxcbint.h b/src/Xxcbint.h
-index 4ef13d2f..d8293259 100644
--- a/src/Xxcbint.h
-+++ b/src/Xxcbint.h
-@@ -27,6 +27,7 @@ typedef struct _X11XCBPrivate {
- 	PendingRequest *pending_requests;
- 	PendingRequest *pending_requests_tail;
- 	xcb_generic_event_t *next_event;
-+	void *next_response;
- 	char *real_bufmax;
- 	char *reply_data;
- 	int reply_length;
-diff --git a/src/xcb_io.c b/src/xcb_io.c
-index 0bd1fdf9..4be75408 100644
--- a/src/xcb_io.c
-+++ b/src/xcb_io.c
-@@ -282,22 +282,83 @@ static xcb_generic_reply_t *poll_for_event(Display *dpy, Bool queued_only)
- static xcb_generic_reply_t *poll_for_response(Display *dpy)
- {
- 	void *response;
-	xcb_generic_error_t *error;
-+	xcb_generic_reply_t *event;
- 	PendingRequest *req;
-	while(!(response = poll_for_event(dpy, False)) &&
-	      (req = dpy->xcb->pending_requests) &&
-	      !req->reply_waiter)
-+
-+	while(1)
- 	{
-+		xcb_generic_error_t *error = NULL;
- 		uint64_t request;
-+		Bool poll_queued_only = dpy->xcb->next_response != NULL;
- 
-		if(!xcb_poll_for_reply64(dpy->xcb->connection, req->sequence,
-					 &response, &error)) {
-			/* xcb_poll_for_reply64 may have read events even if
-			 * there is no reply. */
-			response = poll_for_event(dpy, True);
-+		/* Step 1: is there an event in our queue before the next
-+		 * reply/error? Return that first.
-+		 *
-+		 * If we don't have a reply/error saved from an earlier
-+		 * invocation we check incoming events too, otherwise only
-+		 * the ones already queued.
-+		 */
-+		response = poll_for_event(dpy, poll_queued_only);
-+		if(response)
- 			break;
-+
-+		/* Step 2:
-+		 * Response is NULL, i.e. we have no events.
-+		 * If we are not waiting for a reply or some other thread
-+		 * had dibs on the next reply, exit.
-+		 */
-+		req = dpy->xcb->pending_requests;
-+		if(!req || req->reply_waiter)
-+			break;
-+
-+		/* Step 3:
-+		 * We have some response (error or reply) related to req
-+		 * saved from an earlier invocation of this function. Let's
-+		 * use that one.
-+		 */
-+		if(dpy->xcb->next_response)
-+		{
-+			if (((xcb_generic_reply_t*)dpy->xcb->next_response)->response_type == X_Error)
-+			{
-+				error = dpy->xcb->next_response;
-+				response = NULL;
-+			}
-+			else
-+			{
-+				response = dpy->xcb->next_response;
-+				error = NULL;
-+			}
-+			dpy->xcb->next_response = NULL;
-+		}
-+		else
-+		{
-+			/* Step 4: pull down the next response from the wire. This
-+			 * should be the 99% case.
-+			 * xcb_poll_for_reply64() may also pull down events that
-+			 * happened before the reply.
-+			 */
-+			if(!xcb_poll_for_reply64(dpy->xcb->connection, req->sequence,
-+						 &response, &error)) {
-+				/* if there is no reply/error, xcb_poll_for_reply64
-+				 * may have read events. Return that. */
-+				response = poll_for_event(dpy, True);
-+				break;
-+			}
-+
-+			/* Step 5: we have a new response, but we may also have some
-+			 * events that happened before that response. Return those
-+			 * first and save our reply/error for the next invocation.
-+			 */
-+			event = poll_for_event(dpy, True);
-+			if(event)
-+			{
-+				dpy->xcb->next_response = error ? error : response;
-+				response = event;
-+				break;
-+			}
- 		}
- 
-+		/* Step 6: actually handle the reply/error now... */
- 		request = X_DPY_GET_REQUEST(dpy);
- 		if(XLIB_SEQUENCE_COMPARE(req->sequence, >, request))
- 		{
--- a/SPECS/libX11/libX11.signatures.json
+++ b/SPECS/libX11/libX11.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "libX11-1.6.12.tar.bz2": "f108227469419ac04d196df0f3b80ce1f7f65059bb54c0de811f4d8e03fd6ec7"
+  "libX11-1.8.7.tar.gz": "793ebebf569f12c864b77401798d38814b51790fce206e01a431e5feb982e20b"
 }
 }
--- a/SPECS/libX11/libX11.spec
+++ b/SPECS/libX11/libX11.spec
@ -1,17 +1,13 @@
 Summary:        Core X11 protocol client library
 Name:           libX11
-Version:        1.6.12
-Release:        7%{?dist}
+Version:        1.8.7
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://www.x.org
-Source0:        https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2
-
+Source0:        https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.gz
 Patch2:         dont-forward-keycode-0.patch
-# diff from https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/53
-Patch3:         libX11-race-condition.patch
-Patch4:         CVE-2023-3138.patch

 BuildRequires:  libxcb-devel >= 1.2
 BuildRequires:  make
@ -52,10 +48,7 @@ Conflicts:      %{name} < %{version}-%{release}
 libX11/libxcb interoperability library

 %prep
-%setup -q
-%patch2 -p1 -b .dont-forward-keycode-0
-%patch3 -p1 -b .race-condition
-%patch4 -p1
+%autosetup -p1

 %build
 autoreconf -v --install --force
@ -86,7 +79,7 @@ make %{?_smp_mflags} check

 %files
 %{_libdir}/libX11.so.6
-%{_libdir}/libX11.so.6.3.0
+%{_libdir}/libX11.so.6.4.0

 %files xcb
 %{_libdir}/libX11-xcb.so.1
@ -94,7 +87,7 @@ make %{?_smp_mflags} check

 %files common
 %license COPYING
-%doc AUTHORS README.md NEWS
+%doc AUTHORS README.md
 %{_datadir}/X11/locale/
 %{_datadir}/X11/XErrorDB
 %dir %{_var}/cache/libX11
@ -122,6 +115,10 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*

 %changelog
+* Wed Oct 18 2023 Neha Agarwal <nehaagarwal@microsoft.com> - 1.8.7-1
+- Update to v1.8.7 to fix CVEs 2023-43785, 2023-43786 and 2023-43787
+- Remove patches that don't apply to the new version
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 1.6.12-7
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)

--- a/SPECS/xorg-x11-proto-devel/xorg-x11-proto-devel.signatures.json
+++ b/SPECS/xorg-x11-proto-devel/xorg-x11-proto-devel.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "xorgproto-2019.1.tar.bz2": "a6daaa7a6cbc8e374032d83ff7f47d41be98f1e0f4475d66a4da3aa766a0d49b"
+  "xorgproto-2023.2.tar.gz": "c791aad9b5847781175388ebe2de85cb5f024f8dabf526d5d699c4f942660cc3"
 }
 }
--- a/SPECS/xorg-x11-proto-devel/xorg-x11-proto-devel.spec
+++ b/SPECS/xorg-x11-proto-devel/xorg-x11-proto-devel.spec
@ -3,13 +3,13 @@
 # rebuild libX11
 Summary:        X.Org X11 Protocol headers
 Name:           xorg-x11-proto-devel
-Version:        2019.1
-Release:        6%{?dist}
+Version:        2023.2
+Release:        1%{?dist}
 License:        MIT AND BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://www.x.org
-Source0:        https://www.x.org/pub/individual/proto/xorgproto-%{version}.tar.bz2
+Source0:        https://www.x.org/pub/individual/proto/xorgproto-%{version}.tar.gz

 BuildArch:      noarch

@ -90,7 +90,6 @@ rm -f %{buildroot}%{_docdir}/*/*.{html,svg}
 %{_includedir}/X11/extensions/XI2proto.h
 %{_includedir}/X11/extensions/XIproto.h
 %{_includedir}/X11/extensions/XKB.h
-%{_includedir}/X11/extensions/XKBgeom.h
 %{_includedir}/X11/extensions/XKBproto.h
 %{_includedir}/X11/extensions/XKBsrv.h
 %{_includedir}/X11/extensions/XKBstr.h
@ -149,7 +148,6 @@ rm -f %{buildroot}%{_docdir}/*/*.{html,svg}
 %{_includedir}/X11/extensions/syncconst.h
 %{_includedir}/X11/extensions/syncproto.h
 %{_includedir}/X11/extensions/syncstr.h
-%{_includedir}/X11/extensions/vldXvMC.h
 %{_includedir}/X11/extensions/xcmiscproto.h
 %{_includedir}/X11/extensions/xcmiscstr.h
 %{_includedir}/X11/extensions/xf86bigfont.h
@ -171,6 +169,7 @@ rm -f %{buildroot}%{_docdir}/*/*.{html,svg}
 %{_includedir}/X11/extensions/xtestext1const.h
 %{_includedir}/X11/extensions/xtestext1proto.h
 %{_includedir}/X11/extensions/xtestproto.h
+%{_includedir}/X11/extensions/xwaylandproto.h
 %dir %{_includedir}/X11/fonts
 %{_includedir}/X11/fonts/FS.h
 %{_includedir}/X11/fonts/FSproto.h
@ -184,6 +183,7 @@ rm -f %{buildroot}%{_docdir}/*/*.{html,svg}
 %{_datadir}/pkgconfig/compositeproto.pc
 %{_datadir}/pkgconfig/damageproto.pc
 %{_datadir}/pkgconfig/dmxproto.pc
+%{_datadir}/pkgconfig/dpmsproto.pc
 %{_datadir}/pkgconfig/dri2proto.pc
 %{_datadir}/pkgconfig/dri3proto.pc
 %{_datadir}/pkgconfig/fixesproto.pc
@ -206,9 +206,13 @@ rm -f %{buildroot}%{_docdir}/*/*.{html,svg}
 %{_datadir}/pkgconfig/xf86vidmodeproto.pc
 %{_datadir}/pkgconfig/xineramaproto.pc
 %{_datadir}/pkgconfig/xproto.pc
+%{_datadir}/pkgconfig/xwaylandproto.pc
 %{_docdir}/xorgproto/*

 %changelog
+* Mon Oct 23 2023 Neha Agarwal <nehaagarwal@microsoft.com> - 2023.2-1
+- Update to v2023.2
+
 * Fri Apr 22 2022 Olivia Crain <oliviacrain@microsoft.com> - 2019.1-6
 - Remove explicit pkgconfig provides that are now automatically generated by RPM

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -11581,8 +11581,8 @@
        "type": "other",
        "other": {
          "name": "libX11",
-          "version": "1.6.12",
-          "downloadUrl": "https://xorg.freedesktop.org/archive/individual/lib/libX11-1.6.12.tar.bz2"
+          "version": "1.8.7",
+          "downloadUrl": "https://xorg.freedesktop.org/archive/individual/lib/libX11-1.8.7.tar.gz"
        }
      }
    },
@ -30359,8 +30359,8 @@
        "type": "other",
        "other": {
          "name": "xorg-x11-proto-devel",
-          "version": "2019.1",
-          "downloadUrl": "https://www.x.org/pub/individual/proto/xorgproto-2019.1.tar.bz2"
+          "version": "2023.2",
+          "downloadUrl": "https://www.x.org/pub/individual/proto/xorgproto-2023.2.tar.gz"
        }
      }
    },