GNU bug report logs - #29488
[PATCH] gnu: libxfont@2: Update replacement to 2.0.3 [fixes CVE-2017-16611].

Previous Next

Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Tue, 28 Nov 2017 17:03:04 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29488 in the body.
You can then email your comments to 29488 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#29488; Package guix-patches. (Tue, 28 Nov 2017 17:03:04 GMT) Full text and rfc822 format available.
Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 28 Nov 2017 17:03:04 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] gnu: libxfont <at> 2: Update replacement to 2.0.3 [fixes
 CVE-2017-16611].
Date: Tue, 28 Nov 2017 18:02:17 +0100

* gnu/packages/xorg.scm (libxfont2/fixed): Rename to ...
(libxfont2-2.0.3): ... this.  Make public.
[version]: New field.
[source]: Add URI and SHA256.  Remove patches.
(libxfont2)[replacement]: Change LIBXFONT2/FIXED to LIBXFONT2-2.0.3.
* gnu/packages/patches/libxfont-CVE-2017-13720.patch,
gnu/packages/patches/libxfont-CVE-2017-13722.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                       |  2 -
 gnu/packages/patches/libxfont-CVE-2017-13720.patch | 36 ---------------
 gnu/packages/patches/libxfont-CVE-2017-13722.patch | 53 ----------------------
 gnu/packages/xorg.scm                              | 16 +++++--
 4 files changed, 12 insertions(+), 95 deletions(-)
 delete mode 100644 gnu/packages/patches/libxfont-CVE-2017-13720.patch
 delete mode 100644 gnu/packages/patches/libxfont-CVE-2017-13722.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 26845954e..0a46bfd3d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -841,8 +841,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/libvirt-CVE-2017-1000256.patch		\
   %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
   %D%/packages/patches/libxcb-python-3.5-compat.patch		\
-  %D%/packages/patches/libxfont-CVE-2017-13720.patch		\
-  %D%/packages/patches/libxfont-CVE-2017-13722.patch		\
   %D%/packages/patches/libxml2-CVE-2016-4658.patch		\
   %D%/packages/patches/libxml2-CVE-2016-5131.patch		\
   %D%/packages/patches/libxml2-CVE-2017-0663.patch		\
diff --git a/gnu/packages/patches/libxfont-CVE-2017-13720.patch b/gnu/packages/patches/libxfont-CVE-2017-13720.patch
deleted file mode 100644
index 093617106..000000000
--- a/gnu/packages/patches/libxfont-CVE-2017-13720.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Fix CVE-2017-13720.
-
-Copied from upstream source repository:
-<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608>
-
-
-From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb <at> suse.com>
-Date: Thu, 20 Jul 2017 13:38:53 +0200
-Subject: Check for end of string in PatternMatch (CVE-2017-13720)
-
-If a pattern contains '?' character, any character in the string is skipped,
-even if it is '\0'. The rest of the matching then reads invalid memory.
-
-Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net>
-Signed-off-by: Julien Cristau <jcristau <at> debian.org>
-
-diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
-index 4ce2473..996b7d1 100644
---- a/src/fontfile/fontdir.c
-+++ b/src/fontfile/fontdir.c
-@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
- 		}
- 	    }
- 	case '?':
--	    if (*string++ == XK_minus)
-+	    if ((t = *string++) == XK_minus)
- 		stringdashes--;
-+	    if (!t)
-+		return 0;
- 	    break;
- 	case '\0':
- 	    return (*string == '\0');
--- 
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/libxfont-CVE-2017-13722.patch b/gnu/packages/patches/libxfont-CVE-2017-13722.patch
deleted file mode 100644
index 458fdfd1a..000000000
--- a/gnu/packages/patches/libxfont-CVE-2017-13722.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Fix CVE-2017-13722.
-
-Copied from upstream source repository:
-<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd>
-
-From 672bb944311392e2415b39c0d63b1e1902905bcd Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb <at> suse.com>
-Date: Thu, 20 Jul 2017 17:05:23 +0200
-Subject: pcfGetProperties: Check string boundaries (CVE-2017-13722)
-
-Without the checks a malformed PCF file can cause the library to make
-atom from random heap memory that was behind the `strings` buffer.
-This may crash the process or leak information.
-
-Signed-off-by: Julien Cristau <jcristau <at> debian.org>
-
-diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c
-index dab1c44..ae34c28 100644
---- a/src/bitmap/pcfread.c
-+++ b/src/bitmap/pcfread.c
-@@ -45,6 +45,7 @@ from The Open Group.
- 
- #include <stdarg.h>
- #include <stdint.h>
-+#include <string.h>
- 
- void
- pcfError(const char* message, ...)
-@@ -311,11 +312,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file,
-     if (IS_EOF(file)) goto Bail;
-     position += string_size;
-     for (i = 0; i < nprops; i++) {
-+	if (props[i].name >= string_size) {
-+	    pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
-+	    goto Bail;
-+	}
- 	props[i].name = MakeAtom(strings + props[i].name,
--				 strlen(strings + props[i].name), TRUE);
-+				 strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
- 	if (isStringProp[i]) {
-+	    if (props[i].value >= string_size) {
-+		pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
-+		goto Bail;
-+	    }
- 	    props[i].value = MakeAtom(strings + props[i].value,
--				      strlen(strings + props[i].value), TRUE);
-+				      strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
- 	}
-     }
-     free(strings);
--- 
-cgit v0.10.2
-
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 1c1ddd4bf..8c32608f8 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -4892,7 +4892,7 @@ new API's in libXft, or the legacy API's in libX11.")
   (package
     (inherit libxfont)
     (version "2.0.1")
-    (replacement libxfont2/fixed)
+    (replacement libxfont2-2.0.3)
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://xorg/individual/lib/libXfont2-"
@@ -4901,14 +4901,22 @@ new API's in libXft, or the legacy API's in libX11.")
                (base32
                 "0znvwk36nhmyqpmhbm9mzisgixp1mp5qkfald8x1n5yxbm3vpyz9"))))))
 
-(define libxfont2/fixed
+;; Fixes the following security vulnerabilities:
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13720
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13722
+;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
+(define-public libxfont2-2.0.3
   (package
     (inherit libxfont2)
+    (version "2.0.3")
     (source
      (origin
        (inherit (package-source libxfont2))
-       (patches (search-patches "libxfont-CVE-2017-13720.patch"
-                                "libxfont-CVE-2017-13722.patch"))))))
+       (uri (string-append "mirror://xorg/individual/lib/libXfont2-"
+                           version ".tar.bz2"))
+       (sha256
+        (base32
+         "0klwmimmhm3axpj8pwn5l41lbggh47r5aazhw63zxkbwfgyvg2hf"))))))
 
 (define-public libxi
   (package
-- 
2.15.0
Information forwarded to guix-patches <at> gnu.org:
bug#29488; Package guix-patches. (Tue, 28 Nov 2017 18:18:01 GMT) Full text and rfc822 format available.

Message #8 received at 29488 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 29488 <at> debbugs.gnu.org
Subject: Re: [bug#29488] [PATCH] gnu: libxfont <at> 2: Update replacement to 2.0.3
 [fixes CVE-2017-16611].
Date: Tue, 28 Nov 2017 13:17:33 -0500

[Message part 1 (text/plain, inline)]
On Tue, Nov 28, 2017 at 06:02:17PM +0100, Marius Bakke wrote:
> * gnu/packages/xorg.scm (libxfont2/fixed): Rename to ...
> (libxfont2-2.0.3): ... this.  Make public.
> [version]: New field.
> [source]: Add URI and SHA256.  Remove patches.
> (libxfont2)[replacement]: Change LIBXFONT2/FIXED to LIBXFONT2-2.0.3.
> * gnu/packages/patches/libxfont-CVE-2017-13720.patch,
> gnu/packages/patches/libxfont-CVE-2017-13722.patch: Delete files.
> * gnu/local.mk (dist_patch_DATA): Remove them.

LGTM, thanks!  

[signature.asc (application/pgp-signature, inline)]
Added tag(s) fixed. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 30 Nov 2017 14:44:01 GMT) Full text and rfc822 format available.
bug closed, send any further explanations to 29488 <at> debbugs.gnu.org and Marius Bakke <mbakke <at> fastmail.com> Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 30 Nov 2017 14:44:01 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 29 Dec 2017 12:24:06 GMT) Full text and rfc822 format available.
This bug report was last modified 7 years and 178 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.