diff --git a/CVE-2020-14344.patch b/CVE-2020-14344.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5faf2fa4d734e353b657893204a512f4e125f073
--- /dev/null
+++ b/CVE-2020-14344.patch
@@ -0,0 +1,302 @@ +From 9d1ac6f7ddbaa6036d999a2eccd7caaf92d0ea36 Mon Sep 17 00:00:00 2001 +Date: Tue, 8 Sep 2020 17:32:53 +0800 +Subject: [PATCH] fix CVE-2020-14344 + +--- + modules/im/ximcp/imDefIc.c | 6 +++-- + modules/im/ximcp/imDefIm.c | 25 +++++++++++------ + modules/im/ximcp/imRmAttr.c | 53 +++++++++++++++++++++++-------------- + 3 files changed, 54 insertions(+), 30 deletions(-) + +diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c +index 7564dba..cf4b8fc 100644 +--- a/modules/im/ximcp/imDefIc.c ++++ b/modules/im/ximcp/imDefIc.c +@@ -350,7 +350,7 @@ _XimProtoGetICValues( + + sizeof(INT16) + + XIM_PAD(2 + buf_size); + +- if (!(buf = Xmalloc(buf_size))) ++ if (!(buf = Xcalloc(buf_size, 1))) + return arg->name; + buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; + +@@ -708,6 +708,7 @@ _XimProtoSetICValues( + #endif /* XIM_CONNECTABLE */ + + _XimGetCurrentICValues(ic, &ic_values); ++ memset(tmp_buf, 0, sizeof(tmp_buf32)); + buf = tmp_buf; + buf_size = XIM_HEADER_SIZE + + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16); +@@ -730,7 +731,7 @@ _XimProtoSetICValues( + + buf_size += ret_len; + if (buf == tmp_buf) { +- if (!(tmp = Xmalloc(buf_size + data_len))) { ++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { + return tmp_name; + } + memcpy(tmp, buf, buf_size); +@@ -740,6 +741,7 @@ _XimProtoSetICValues( + Xfree(buf); + return tmp_name; + } ++ memset(&tmp[buf_size], 0, data_len); + buf = tmp; + } + } +diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c +index cf922e4..bd43513 100644 +--- a/modules/im/ximcp/imDefIm.c ++++ b/modules/im/ximcp/imDefIm.c +@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE. 
+ #include "XimTrInt.h" + #include "Ximint.h" + ++#include + + int + _XimCheckDataSize( +@@ -807,12 +808,16 @@ _XimOpen( + int buf_size; + int ret_code; + char *locale_name; ++ size_t locale_len; + + locale_name = im->private.proto.locale_name; +- len = strlen(locale_name); +- buf_b[0] = (BYTE)len; /* length of locale name */ +- (void)strcpy((char *)&buf_b[1], locale_name); /* locale name */ +- len += sizeof(BYTE); /* sizeof length */ ++ locale_len = strlen(locale_name); ++ if (locale_len > UCHAR_MAX) ++ return False; ++ memset(buf32, 0, sizeof(buf32)); ++ buf_b[0] = (BYTE)locale_len; /* length of locale name */ ++ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */ ++ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */ + XIM_SET_PAD(buf_b, len); /* pad */ + + _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len); +@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues( + #endif /* XIM_CONNECTABLE */ + + _XimGetCurrentIMValues(im, &im_values); ++ memset(tmp_buf, 0, sizeof(tmp_buf32)); + buf = tmp_buf; + buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16); + data_len = BUFSIZE - buf_size; +@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues( + + buf_size += ret_len; + if (buf == tmp_buf) { +- if (!(tmp = Xmalloc(buf_size + data_len))) { ++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { + return arg->name; + } + memcpy(tmp, buf, buf_size); +@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues( + Xfree(buf); + return arg->name; + } ++ memset(&tmp[buf_size], 0, data_len); + buf = tmp; + } + } +@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues( + + sizeof(INT16) + + XIM_PAD(buf_size); + +- if (!(buf = Xmalloc(buf_size))) ++ if (!(buf = Xcalloc(buf_size, 1))) + return arg->name; + buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; + +@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation( + + sizeof(CARD16) + + detail_len; + +- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len))) ++ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1))) + goto free_detail_ptr; + + buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; +@@ -1816,6 
+1823,7 @@ _XimSendSavedIMValues( + int ret_code; + + _XimGetCurrentIMValues(im, &im_values); ++ memset(tmp_buf, 0, sizeof(tmp_buf32)); + buf = tmp_buf; + buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16); + data_len = BUFSIZE - buf_size; +@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues( + + buf_size += ret_len; + if (buf == tmp_buf) { +- if (!(tmp = Xmalloc(buf_size + data_len))) { ++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { + return False; + } + memcpy(tmp, buf, buf_size); +@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues( + Xfree(buf); + return False; + } ++ memset(&tmp[buf_size], 0, data_len); + buf = tmp; + } + } +diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c +index 9d4e462..cf491ea 100644 +--- a/modules/im/ximcp/imRmAttr.c ++++ b/modules/im/ximcp/imRmAttr.c +@@ -29,6 +29,7 @@ PERFORMANCE OF THIS SOFTWARE. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include + #include "Xlibint.h" + #include "Xlcint.h" + #include "Ximint.h" +@@ -214,7 +215,7 @@ _XimAttributeToValue( + Xic ic, + XIMResourceList res, + CARD16 *data, +- INT16 data_len, ++ CARD16 data_len, + XPointer value, + BITMASK32 mode) + { +@@ -250,18 +251,23 @@ _XimAttributeToValue( + + case XimType_XIMStyles: + { +- INT16 num = data[0]; ++ CARD16 num = data[0]; + register CARD32 *style_list = (CARD32 *)&data[2]; + XIMStyle *style; + XIMStyles *rep; + register int i; + char *p; +- int alloc_len; ++ unsigned int alloc_len; + + if (!(value)) + return False; +- ++ if (num > (USHRT_MAX / sizeof(XIMStyle))) ++ return False; ++ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len) ++ return False; + alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num; ++ if (alloc_len < sizeof(XIMStyles)) ++ return False; + if (!(p = Xmalloc(alloc_len))) + return False; + +@@ -313,7 +319,7 @@ _XimAttributeToValue( + + case XimType_XFontSet: + { +- INT16 len = data[0]; ++ CARD16 len = data[0]; + char *base_name; + XFontSet rep = (XFontSet)NULL; + char **missing_list = NULL; +@@ -324,11 
+330,12 @@ _XimAttributeToValue( + return False; + if (!ic) + return False; +- ++ if (len > data_len) ++ return False; + if (!(base_name = Xmalloc(len + 1))) + return False; + +- (void)strncpy(base_name, (char *)&data[1], (int)len); ++ (void)strncpy(base_name, (char *)&data[1], (size_t)len); + base_name[len] = '\0'; + + if (mode & XIM_PREEDIT_ATTR) { +@@ -357,19 +364,24 @@ _XimAttributeToValue( + + case XimType_XIMHotKeyTriggers: + { +- INT32 num = *((CARD32 *)data); ++ CARD32 num = *((CARD32 *)data); + register CARD32 *key_list = (CARD32 *)&data[2]; + XIMHotKeyTrigger *key; + XIMHotKeyTriggers *rep; + register int i; + char *p; +- int alloc_len; ++ unsigned int alloc_len; + + if (!(value)) + return False; +- ++ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger))) ++ return False; ++ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len) ++ return False; + alloc_len = sizeof(XIMHotKeyTriggers) + + sizeof(XIMHotKeyTrigger) * num; ++ if (alloc_len < sizeof(XIMHotKeyTriggers)) ++ return False; + if (!(p = Xmalloc(alloc_len))) + return False; + +@@ -1378,13 +1390,13 @@ _XimEncodeSavedICATTRIBUTE( + + static unsigned int + _XimCountNumberOfAttr( +- INT16 total, +- CARD16 *attr, +- int *names_len) ++ CARD16 total, ++ CARD16 *attr, ++ unsigned int *names_len) + { + unsigned int n; +- INT16 len; +- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */ ++ CARD16 len; ++ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */ + + sizeof(CARD16) /* sizeof type of value */ + + sizeof(INT16); /* sizeof length of attribute */ + +@@ -1392,6 +1404,9 @@ _XimCountNumberOfAttr( + *names_len = 0; + while (total > min_len) { + len = attr[2]; ++ if (len >= (total - min_len)) { ++ return 0; ++ } + *names_len += (len + 1); + len += (min_len + XIM_PAD(len + 2)); + total -= len; +@@ -1406,17 +1421,15 @@ _XimGetAttributeID( + Xim im, + CARD16 *buf) + { +- unsigned int n; ++ unsigned int n, names_len, values_len; + XIMResourceList res; + char *names; +- int names_len; + XPointer 
tmp; + XIMValuesList *values_list; + char **values; +- int values_len; + register int i; +- INT16 len; +- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */ ++ CARD16 len; ++ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */ + + sizeof(CARD16) /* sizeof type of value */ + + sizeof(INT16); /* sizeof length of attr */ + /* +-- +2.23.0 + diff --git a/libX11.spec b/libX11.spec index 45c18441befe60a44a4652a7ca69940014b9eadd..04d9e23bf401e170a8c58c05164935e62727ebad 100644 --- a/libX11.spec +++ b/libX11.spec @@ -1,13 +1,13 @@ Name: libX11 Version: 1.6.9 -Release: 2 +Release: 3 Summary: Core X11 protocol client library License: MIT URL: http://www.x.org Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2 Patch1: dont-forward-keycode-0.patch - +Patch2: CVE-2020-14344.patch BuildRequires: xorg-x11-util-macros >= 1.11 xorg-x11-proto-devel perl-Pod-Usage libXau-devel BuildRequires: libxcb-devel >= 1.2 libXdmcp-devel xorg-x11-xtrans-devel >= 1.0.3-4 @@ -73,6 +73,12 @@ make %{?_smp_mflags} check %{_mandir}/*/* %changelog +* Tue Sep 8 2020 zhanghua - 1.6.9-3 +- Type:bugfix +- Id:NA +- SUG:NA +- DESC:fix CVE-2020-14344 + * Mon Nov 4 2019 openEuler Buildteam - 1.6.9-2 - Type:bugfix - Id:NA
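Review bot: In the embedded imRmAttr.c hunk for `_XimCountNumberOfAttr`, the new bound `len >= (total - min_len)` leaves out the padding that is subtracted two lines later by `len += (min_len + XIM_PAD(len + 2)); total -= len;`. The same hunk changes `total` from `INT16` to `CARD16`, so a record whose padded size exceeds the remaining `total` no longer drives it negative and ends the loop. Assuming XIM_PAD can return non-zero here, `total` would instead wrap to a large value and the walk would continue beyond the declared attribute list. I would bound the padded record size before subtracting, e.g. `if (len + min_len + XIM_PAD(len + 2) > total) return 0;`; the rest of the loop body lies outside the hunk, so this should be confirmed against the full function. The `XimType_XFontSet` check `if (len > data_len)` looks similarly loose, since the copy starts at `&data[1]`: if `data_len` counts the 2-byte length field, as the `2 * sizeof(CARD16)` term in the XIMStyles check suggests, it should read `if (data_len < sizeof(CARD16) || len > data_len - sizeof(CARD16)) return False;`.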