Update to libXfont 1.5.4

2017-11-28 15:47:29 +00:00 · 2017-11-28 15:47:29 +00:00 · 698c744cef
commit 698c744cef
parent e19bfc2895
5 changed files with 90 additions and 15 deletions
--- a/lib/libXfont/ChangeLog
+++ b/lib/libXfont/ChangeLog
@ -1,3 +1,56 @@
+commit 7d246751628bb877e04da762ec1a2e41ffa62154
+Author: Matthieu Herrb <matthieu@herrb.eu>
+Date:   Tue Nov 28 15:33:15 2017 +0100
+
+    libXfont 1.5.4
+
+commit 5ed8ac0e4f063825b8ecda48e9a111d3ce92e825
+Author: Michal Srb <msrb@suse.com>
+Date:   Thu Oct 26 09:48:13 2017 +0200
+
+    Open files with O_NOFOLLOW. (CVE-2017-16611)
+    
+    A non-privileged X client can instruct X server running under root to open any
+    file by creating own directory with "fonts.dir", "fonts.alias" or any font file
+    being a symbolic link to any other file in the system. X server will then open
+    it. This can be issue with special files such as /dev/watchdog.
+    
+    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit f581c2346d025d5b15926db9e58f254173fb58dc
+Author: Matt Turner <mattst88@gmail.com>
+Date:   Thu Oct 19 13:45:58 2017 -0700
+
+    libXfont 1.5.3
+    
+    Signed-off-by: Matt Turner <mattst88@gmail.com>
+
+commit 3b08934dca75e4c559db7d83797bc3d365c2a50a
+Author: Michal Srb <msrb@suse.com>
+Date:   Thu Jul 20 17:05:23 2017 +0200
+
+    pcfGetProperties: Check string boundaries (CVE-2017-13722)
+    
+    Without the checks a malformed PCF file can cause the library to make
+    atom from random heap memory that was behind the `strings` buffer.
+    This may crash the process or leak information.
+    
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    (cherry picked from commit 672bb944311392e2415b39c0d63b1e1902905bcd)
+
+commit a2a5fa591762b430037e33f1df55b460550ab406
+Author: Michal Srb <msrb@suse.com>
+Date:   Thu Jul 20 13:38:53 2017 +0200
+
+    Check for end of string in PatternMatch (CVE-2017-13720)
+    
+    If a pattern contains '?' character, any character in the string is skipped,
+    even if it is '\0'. The rest of the matching then reads invalid memory.
+    
+    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    (cherry picked from commit d1e670a4a8704b8708e493ab6155589bcd570608)
+
 commit 8cce9834b2e74dccad94ca0adf79ae5585e37d48
 Author: Adam Jackson <ajax@redhat.com>
 Date:   Wed Aug 31 16:19:11 2016 -0400
--- a/lib/libXfont/configure
+++ b/lib/libXfont/configure
@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libXfont 1.5.3.
+# Generated by GNU Autoconf 2.69 for libXfont 1.5.4.
 #
 # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=xorg>.
 #
@ -651,8 +651,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='libXfont'
 PACKAGE_TARNAME='libXfont'
-PACKAGE_VERSION='1.5.3'
-PACKAGE_STRING='libXfont 1.5.3'
+PACKAGE_VERSION='1.5.4'
+PACKAGE_STRING='libXfont 1.5.4'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=xorg'
 PACKAGE_URL=''

@ -1468,7 +1468,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures libXfont 1.5.3 to adapt to many kinds of systems.
+\`configure' configures libXfont 1.5.4 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@ -1538,7 +1538,7 @@ fi

 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of libXfont 1.5.3:";;
+     short | recursive ) echo "Configuration of libXfont 1.5.4:";;
   esac
  cat <<\_ACEOF

@ -1687,7 +1687,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-libXfont configure 1.5.3
+libXfont configure 1.5.4
 generated by GNU Autoconf 2.69

 Copyright (C) 2012 Free Software Foundation, Inc.
@ -2213,7 +2213,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

-It was created by libXfont $as_me 1.5.3, which was
+It was created by libXfont $as_me 1.5.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was

  $ $0 $@
@ -3042,7 +3042,7 @@ fi

 # Define the identity of the package.
 PACKAGE='libXfont'
- VERSION='1.5.3'
+ VERSION='1.5.4'


 cat >>confdefs.h <<_ACEOF
@ -19970,7 +19970,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libXfont $as_me 1.5.3, which was
+This file was extended by libXfont $as_me 1.5.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
@ -20036,7 +20036,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-libXfont config.status 1.5.3
+libXfont config.status 1.5.4
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"

--- a/lib/libXfont/configure.ac
+++ b/lib/libXfont/configure.ac
@ -21,7 +21,7 @@

 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXfont], [1.5.3],
+AC_INIT([libXfont], [1.5.4],
 	[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfont])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h])
--- a/lib/libXfont/src/fontfile/dirfile.c
+++ b/lib/libXfont/src/fontfile/dirfile.c
@ -41,6 +41,7 @@ in this Software without prior written authorization from The Open Group.
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <limits.h>

@ -60,8 +61,9 @@ FontFileReadDirectory (const char *directory, FontDirectoryPtr *pdir)
    char        dir_file[MAXFONTFILENAMELEN];
    char	dir_path[MAXFONTFILENAMELEN];
    char	*ptr;
-    FILE       *file;
-    int         count,
+    FILE       *file = 0;
+    int         file_fd,
+                count,
                num_fonts,
                status;
    struct stat	statb;
@ -91,7 +93,14 @@ FontFileReadDirectory (const char *directory, FontDirectoryPtr *pdir)
    if (dir_file[strlen(dir_file) - 1] != '/')
 	strcat(dir_file, "/");
    strcat(dir_file, FontDirFile);
+#ifndef WIN32
+    file_fd = open(dir_file, O_RDONLY | O_NOFOLLOW);
+    if (file_fd >= 0) {
+	file = fdopen(file_fd, "rt");
+    }
+#else
    file = fopen(dir_file, "rt");
+#endif
    if (file) {
 #ifndef WIN32
 	if (fstat (fileno(file), &statb) == -1)
@ -261,7 +270,8 @@ ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
    char		alias[MAXFONTNAMELEN];
    char		font_name[MAXFONTNAMELEN];
    char		alias_file[MAXFONTFILENAMELEN];
-    FILE		*file;
+    int			file_fd;
+    FILE		*file = 0;
    FontDirectoryPtr	dir;
    int			token;
    char		*lexToken;
@ -279,7 +289,16 @@ ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
 	    strcat(alias_file, "/");
 	strcat(alias_file, FontAliasFile);
    }
+
+#ifndef WIN32
+    file_fd = open(alias_file, O_RDONLY | O_NOFOLLOW);
+    if (file_fd >= 0) {
+	file = fdopen(file_fd, "rt");
+    }
+#else
    file = fopen(alias_file, "rt");
+#endif
+
    if (!file)
 	return ((errno == ENOENT) ? Successful : BadFontPath);
    if (!dir)
--- a/lib/libXfont/src/fontfile/fileio.c
+++ b/lib/libXfont/src/fontfile/fileio.c
@ -39,6 +39,9 @@ in this Software without prior written authorization from The Open Group.
 #ifndef O_CLOEXEC
 #define O_CLOEXEC 0
 #endif
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
+#endif

 FontFilePtr
 FontFileOpen (const char *name)
@ -47,7 +50,7 @@ FontFileOpen (const char *name)
    int		len;
    BufFilePtr	raw, cooked;

-    fd = open (name, O_BINARY|O_CLOEXEC);
+    fd = open (name, O_BINARY|O_CLOEXEC|O_NOFOLLOW);
    if (fd < 0)
 	return 0;
    raw = BufFileOpenRead (fd);