Security update.

Import Ubuntu changes
2011-04-06 17:43:47 +03:00 · 2011-04-06 13:01:56 +03:00
6 changed files with 274 additions and 1 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,28 @@
+x11-xserver-utils (7.5+1ubuntu2.1) lucid-security; urgency=low
+
+  * SECURITY UPDATE: root escalation via rogue hostname (LP: #752315)
+    - xrdb: Create shell-escape-safe cpp options in the non-pathetic-cpp
+      case.
+    - http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
+    - CVE-2011-0465
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com>  Wed, 06 Apr 2011 17:42:55 +0300
+
+x11-xserver-utils (7.5+1ubuntu2) lucid; urgency=low
+
+  * Add 101_xset_spellfix.patch: Spelling fix in help docs
+    (LP: #426152)
+
+ -- Bryce Harrington <bryce@ubuntu.com>  Wed, 17 Mar 2010 15:23:57 -0700
+
+x11-xserver-utils (7.5+1ubuntu1) lucid; urgency=low
+
+  * Merge from Debian.  Remaining Ubuntu changes:
+    - Add 100_xrandr-output.patch: When using --scale or --transform, verify
+      a valid output parameter is used; crashes otherwise.
+
+ -- Bryce Harrington <bryce@ubuntu.com>  Fri, 08 Jan 2010 18:38:47 -0800
+
 x11-xserver-utils (7.5+1) unstable; urgency=low

  [ Julien Cristau ]
@ -31,6 +56,28 @@ x11-xserver-utils (7.5+1) unstable; urgency=low

 -- Brice Goglin <bgoglin@debian.org>  Sun, 06 Dec 2009 20:41:37 +0100

+x11-xserver-utils (7.4+2ubuntu3) karmic; urgency=low
+
+  * 100_xrandr-output.patch: Refresh patch to apply cleanly, fixing
+    FTBFS.  LP: #432079
+
+ -- Michael Terry <michael.terry@canonical.com>  Thu, 17 Sep 2009 15:46:30 -0400
+
+x11-xserver-utils (7.4+2ubuntu2) karmic; urgency=low
+
+  * 100_xrandr-output.patch: Replace with patch sent upstream.
+    (LP: #354715)
+
+ -- Bryce Harrington <bryce@ubuntu.com>  Wed, 02 Sep 2009 02:15:48 -0700
+
+x11-xserver-utils (7.4+2ubuntu1) karmic; urgency=low
+
+  * Add 100_xrandr-output.patch: When using --scale or --transform, verify
+    a valid output parameter is used; crashes otherwise.
+    (LP: #354715)
+
+ -- Bryce Harrington <bryce@ubuntu.com>  Wed, 02 Sep 2009 01:18:10 -0700
+
 x11-xserver-utils (7.4+2) unstable; urgency=low

  * xrandr 1.3.
--- a/debian/control
+++ b/debian/control
@ -1,7 +1,8 @@
 Source: x11-xserver-utils
 Section: x11
 Priority: optional
-Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
 Uploaders: David Nusinow <dnusinow@debian.org>, Julien Cristau <jcristau@debian.org>, Brice Goglin <bgoglin@debian.org>
 Build-Depends: debhelper (>= 5.0.0), pkg-config, libx11-dev (>= 2:1.0.0),
 libxaw7-dev (>= 1:1.0.1), libxext-dev (>= 1:1.0.0),
--- a/debian/patches/100_xrandr-output.patch
+++ b/debian/patches/100_xrandr-output.patch
@ -0,0 +1,30 @@
+From dc627718d77b0e853311e480bba90eddefd0b891 Mon Sep 17 00:00:00 2001
+From: Bryce Harrington <bryce@bryceharrington.org>
+Date: Wed, 2 Sep 2009 01:46:50 -0700
+Subject: [PATCH] Check output pointer validity for --sale and --transform
+
+Signed-off-by: Bryce Harrington <bryce@bryceharrington.org>
+---
+ xrandr.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+Index: x11-xserver-utils-7.4+2ubuntu2/xrandr/xrandr.c
+===================================================================
+--- x11-xserver-utils-7.4+2ubuntu2.orig/xrandr/xrandr.c	2009-09-17 15:45:26.000000000 -0400
+++ x11-xserver-utils-7.4+2ubuntu2/xrandr/xrandr.c	2009-09-17 15:45:46.000000000 -0400
+@@ -2327,6 +2327,7 @@
+ 	{
+ 	    double  sx, sy;
+ 	    if (++i>=argc) usage();
+            if (!output) usage();
+ 	    if (sscanf (argv[i], "%lfx%lf", &sx, &sy) != 2)
+ 		usage ();
+ 	    init_transform (&output->transform);
+@@ -2346,6 +2347,7 @@
+ 	    double  transform[3][3];
+ 	    int	    k, l;
+ 	    if (++i>=argc) usage ();
+            if (!output) usage();
+ 	    init_transform (&output->transform);
+ 	    if (strcmp (argv[i], "none") != 0)
+ 	    {
--- a/debian/patches/101_xset_spellfix.patch
+++ b/debian/patches/101_xset_spellfix.patch
@ -0,0 +1,14 @@
+diff -Nurp x11-xserver-utils-7.4+2ubuntu3/xset/xset.c working/xset/xset.c
+--- x11-xserver-utils-7.4+2ubuntu3/xset/xset.c	2009-02-01 05:04:01.000000000 -0800
+++ working/xset/xset.c	2010-03-15 19:02:50.000000000 -0700
+@@ -1554,8 +1554,8 @@ usage(char *fmt, ...)
+ #ifdef FONTCACHE
+     fprintf(stderr, "    To control font cache:\n");
+     fprintf(stderr, "\t fc [hi-mark [low-mark [balance]]]\n");
+-    fprintf(stderr, "\t    both mark values spcecified in KB\n");
+-    fprintf(stderr, "\t    balance value spcecified in percent (10 - 90)\n");
+    fprintf(stderr, "\t    both mark values specified in KB\n");
+    fprintf(stderr, "\t    balance value specified in percent (10 - 90)\n");
+     fprintf(stderr, "    Show font cache statistics:\n");
+     fprintf(stderr, "\t fc s\n");
+ #endif
--- a/debian/patches/CVE-2011-0465.diff
+++ b/debian/patches/CVE-2011-0465.diff
@ -0,0 +1,178 @@
+commit 4ca7e1a5e4e9d52d062175e10c8fd58e218dea41
+Author: Matthias Hopf <mhopf@suse.de>
+Date:   Tue Mar 1 19:37:34 2011 +0100
+
+    xrdb: Create shell-escape-safe cpp options in the non-pathetic-cpp case.
+    
+    Fixes CVE-2011-0465.
+    
+    Signed-off-by: Matthias Hopf <mhopf@suse.de>
+    Reviewed-by: Adam Jackson <ajax@redhat.com>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/xrdb/xrdb.c b/xrdb/xrdb.c
+index 6d266e5..bece59c 100644
+--- a/xrdb/xrdb.c
+++ b/xrdb/xrdb.c
+@@ -144,6 +144,8 @@ Entries newDB;
+ 
+ static void fatal(char *, ...);
+ static void addstring ( String *arg, const char *s );
+static void addescapedstring ( String *arg, const char *s );
+static void addtokstring ( String *arg, const char *s );
+ static void FormatEntries ( Buffer *buffer, Entries *entries );
+ static void StoreProperty ( Display *dpy, Window root, Atom res_prop );
+ static void Process ( int scrno, Bool doScreen, Bool execute );
+@@ -393,14 +395,20 @@ AddDef(String *buff, char *title, char *value)
+ 	    addstring(buff, " -D");
+     } else
+ 	addstring(buff, "-D");
+-    addstring(buff, title);
+    addtokstring(buff, title);
+     if (value && (value[0] != '\0')) {
+ 	addstring(buff, "=");
+-	addstring(buff, value);
+	addescapedstring(buff, value);
+     }
+ }
+ 
+ static void
+AddSimpleDef(String *buff, char *title)
+{
+    AddDef(buff, title, (char *)NULL);
+}
+
+static void
+ AddDefQ(String *buff, char *title, char *value)
+ {
+ #ifdef PATHETICCPP
+@@ -409,8 +417,9 @@ AddDefQ(String *buff, char *title, char *value)
+     else
+ #endif
+     if (value && (value[0] != '\0')) {
+-	AddDef(buff, title, "\"");
+-	addstring(buff, value);
+	AddSimpleDef(buff, title);
+	addstring(buff, "=\"");
+	addescapedstring(buff, value);
+ 	addstring(buff, "\"");
+     } else
+ 	AddDef(buff, title, NULL);
+@@ -425,24 +434,28 @@ AddNum(String *buff, char *title, int value)
+ }
+ 
+ static void
+-AddSimpleDef(String *buff, char *title)
+AddDefTok(String *buff, char *prefix, char *title)
+ {
+-    AddDef(buff, title, (char *)NULL);
+    char name[512];
+
+    snprintf(name, sizeof(name), "%s%s", prefix, title);
+    AddSimpleDef(buff, name);
+ }
+ 
+ static void
+-AddDefTok(String *buff, char *prefix, char *title)
+AddDefHostname(String *buff, char *title, char *value)
+ {
+     char *s;
+     char name[512];
+     char c;
+ 
+-    snprintf(name, sizeof(name), "%s%s", prefix, title);
+    strncpy (name, value, sizeof(name)-1);
+    name[sizeof(name)-1] = '\0';
+     for (s = name; (c = *s); s++) {
+-	if (!isalpha(c) && !isdigit(c) && c != '_')
+	if (!isalpha(c) && !isdigit(c) && c != '_' && c != '.' && c != ':' && c != '-')
+ 	    *s = '_';
+     }
+-    AddSimpleDef(buff, name);
+    AddDef(buff, title, name);
+ }
+ 
+ static void
+@@ -462,7 +475,7 @@ AddUndef(String *buff, char *title)
+ 	    addstring(buff, " -U");
+     } else
+ 	addstring(buff, "-U");
+-    addstring(buff, title);
+    addtokstring(buff, title);
+ }
+ 
+ static void 
+@@ -522,11 +535,11 @@ DoDisplayDefines(Display *display, String *defs, char *host)
+     }
+     if (!*server || !strcmp(server, "unix") || !strcmp(server, "localhost"))
+ 	strcpy(server, client);
+-    AddDef(defs, "HOST", server); /* R3 compatibility */
+-    AddDef(defs, "SERVERHOST", server);
+    AddDefHostname(defs, "HOST", server); /* R3 compatibility */
+    AddDefHostname(defs, "SERVERHOST", server);
+     AddDefTok(defs, "SRVR_", server);
+     AddNum(defs, "DISPLAY_NUM", n);
+-    AddDef(defs, "CLIENTHOST", client);
+    AddDefHostname(defs, "CLIENTHOST", client);
+     AddDefTok(defs, "CLNT_", client);
+     AddNum(defs, "VERSION", ProtocolVersion(display));
+     AddNum(defs, "REVISION", ProtocolRevision(display));
+@@ -569,7 +582,7 @@ DoScreenDefines(Display *display, int scrno, String *defs)
+     AddNum(defs, "Y_RESOLUTION", Resolution(screen->height,screen->mheight));
+     AddNum(defs, "PLANES", DisplayPlanes(display, scrno));
+     AddNum(defs, "BITS_PER_RGB", visual->bits_per_rgb);
+-    AddDef(defs, "CLASS", ClassNames[visual->class]);
+    AddDefQ(defs, "CLASS", ClassNames[visual->class]);
+     snprintf(name, sizeof(name), "CLASS_%s", ClassNames[visual->class]);
+     AddNum(defs, name, (int)visual->visualid);
+     switch(visual->class) {
+@@ -762,6 +775,40 @@ addstring(String *arg, const char *s)
+     arg->used += strlen(s);
+ }   
+ 
+static void
+addescapedstring(String *arg, const char *s)
+{
+    char copy[512], *c;
+
+    for (c = copy; *s && c < &copy[sizeof(copy)-1]; s++) {
+	switch (*s) {
+	case '"':       case '\'':      case '`':
+	case '$':       case '\\':
+	    *c++ = '_';
+	    break;
+	default:
+	    *c++ = *s;
+	}
+    }
+    *c = 0;
+    addstring (arg, copy);
+}
+
+static void
+addtokstring(String *arg, const char *s)
+{
+    char copy[512], *c;
+
+    for (c = copy; *s && c < &copy[sizeof(copy)-1]; s++) {
+	if (!isalpha(*s) && !isdigit(*s) && *s != '_')
+	    *c++ = '_';
+	else
+	    *c++ = *s;
+    }
+    *c = 0;
+    addstring (arg, copy);
+}
+
+ 
+ int
+ main(int argc, char *argv[])
+@@ -857,7 +904,7 @@ main(int argc, char *argv[])
+ 		continue;
+ 	    } else if (arg[1] == 'I') {
+ 		addstring(&includes, " ");
+-		addstring(&includes, arg);
+		addescapedstring(&includes, arg);
+ 		continue;
+ 	    } else if (arg[1] == 'U' || arg[1] == 'D') {
+ 		if (num_cmd_defines < MAX_CMD_DEFINES) {
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1 +1,4 @@
 01_sessreg_implement_hostname_hashing.diff
+100_xrandr-output.patch
+101_xset_spellfix.patch
+CVE-2011-0465.diff
Author	SHA1	Message	Date
Timo Aaltonen	5b966137db	Security update.	2011-04-06 17:43:47 +03:00
Timo Aaltonen	3adad0e69c	Import Ubuntu changes	2011-04-06 13:01:56 +03:00