wok-current rev 25779
Build geany for x64, patch xorg-server (CVE-2025-[49175,49176,49178,49180])
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Thu Jun 19 08:34:55 2025 +0000 (3 months ago) |
parents | d362da14387d |
children | 8042ca312770 |
files | geany-dev/receipt geany-plugins/receipt geany/receipt xorg-server/receipt xorg-server/stuff/CVE-2025-49175.patch xorg-server/stuff/CVE-2025-49176.patch xorg-server/stuff/CVE-2025-49178.patch xorg-server/stuff/CVE-2025-49180_1.patch xorg-server/stuff/CVE-2025-49180_2.patch |
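--- a/geany-dev/receipt
+++ b/geany-dev/receipt
@@ -8,7 +8,7 @@
 LICENSE="GPL2"
 WANTED="geany"
 WEB_SITE="https://www.geany.org/"
-HOST_ARCH="i486 arm"
+HOST_ARCH="i486 arm x86_64"
 
 DEPENDS="geany pkg-config"
 
@@ -16,7 +16,6 @@
 genpkg_rules()
 {
 mkdir -p $fs/usr/lib/geany
- cp -a $install/usr/lib/geany/*.*a $fs/usr/lib/geany
 cp -a $install/usr/lib/pkgconfig $fs/usr/lib
 cp -a $install/usr/include $fs/usr
 }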
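--- a/geany-plugins/receipt
+++ b/geany-plugins/receipt
@@ -9,7 +9,7 @@
 TARBALL="$PACKAGE-$VERSION.tar.gz"
 WEB_SITE="https://plugins.geany.org/"
 WGET_URL="$WEB_SITE/$PACKAGE/$TARBALL"
-#HOST_ARCH="i486 arm"
+HOST_ARCH="i486 arm x86_64"
 COOKOPTS="!pngquant !optipng"
 
 DEPENDS="enchant gtkspell geany lua"
@@ -17,7 +17,7 @@
 
 # Handle cross compilation.
 case "$ARCH" in
- i?86)
+ i?86|x86_64)
 BUILD_DEPENDS="gtkspell-dev geany-dev lua-dev libxml2-dev vte-dev"
 esac
 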
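--- a/geany/receipt
+++ b/geany/receipt
@@ -11,20 +11,20 @@
 WEB_SITE="https://www.geany.org/"
 WGET_URL="https://github.com/geany/geany/archive/refs/tags/$VERSION.tar.gz"
 TAGS="text-editor"
-HOST_ARCH="i486 arm"
+HOST_ARCH="i486 arm x86_64"
 
 DEPENDS="glibc-base glib gcc-lib-base libgio expat zlib libxcb xcb-util \
 gtk+ atk cairo pango pixman libpng fontconfig freetype xorg-libX11 \
 xorg-libXau xorg-libXcomposite xorg-libXcursor xorg-libXdamage \
 xorg-libXdmcp xorg-libXext xorg-libXfixes xorg-libXinerama xorg-libXrender"
-BUILD_DEPENDS="glib-dev expat-dev gtk+-dev atk-dev pango-dev cairo-dev \
-pixman-dev libpng-dev freetype-dev fontconfig-dev xorg-libXrender-dev \
-xorg-xproto xorg-renderproto xorg-libX11-dev xorg-kbproto xorg-libXau-dev \
-xorg-libXdmcp-dev libxml2-dev"
+BUILD_DEPENDS="automake libtool glib-dev expat-dev gtk+-dev atk-dev \
+pango-dev cairo-dev pixman-dev libpng-dev freetype-dev fontconfig-dev \
+xorg-libXrender-dev xorg-xproto xorg-renderproto xorg-libX11-dev \
+xorg-kbproto xorg-libXau-dev xorg-libXdmcp-dev libxml2-dev"
 
 # Handle cross compilation.
 case "$ARCH" in
- i?86) BUILD_DEPENDS="$BUILD_DEPENDS perl-xml-parser intltool gettext glibc-locale" ;;
+ i?86|x86_64) BUILD_DEPENDS="$BUILD_DEPENDS perl-xml-parser intltool gettext glibc-locale" ;;
 arm*) ARCH_ARGS="--disable-vte" ;;
 esac
 
@@ -38,6 +38,8 @@
 # Rules to configure and make the package.
 compile_rules()
 {
+ ./autogen.sh
+
 ./configure \
 ${CONFIGURE_ARGS} ${ARCH_ARGS} &&
 make && make install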
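Review bot: The added `./autogen.sh` call in compile_rules() is not chained to the commands that follow it, so a failed autotools regeneration does not stop the build at that step and `./configure` is still attempted. The steps after it are already joined with `&&`; writing `./autogen.sh &&` keeps the failure at the first broken step and makes the cook log point at the real cause. Many autogen scripts also run configure themselves unless told not to, so it is worth checking whether configure ends up running twice here, the first time without `${CONFIGURE_ARGS}`. The body of compile_rules() continues past the end of the hunk.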
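--- a/xorg-server/receipt
+++ b/xorg-server/receipt
@@ -108,6 +108,14 @@
 patch -p1 < $stuff/CVE-2025-26601.03.patch
 patch -p1 < $stuff/CVE-2025-26601.04.patch
 
+ # Patch xorg CVEs June 2025
+ # see https://lists.x.org/archives/xorg/2025-June/062055.html
+ patch -p1 < $stuff/CVE-2025-49175.patch
+ patch -p1 < $stuff/CVE-2025-49176.patch
+ patch -p1 < $stuff/CVE-2025-49178.patch
+ patch -p1 < $stuff/CVE-2025-49180_1.patch
+ patch -p1 < $stuff/CVE-2025-49180_2.patch
+
 # Fix libshadow
 # See https://gitlab.archlinux.org/archlinux/packaging/packages/xorg-server/-/tree/1.20.13-3?ref_type=tags
 patch -p1 < $stuff/fix-libshadow.patch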
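Review bot: None of the five added `patch -p1 < $stuff/...` lines has its exit status checked inside this hunk, so a patch that fails to apply could let the build carry on and the package ship without the fix it is supposed to contain. Unless the enclosing function (it starts outside the hunk) already aborts on errors, each line should fail the build, e.g. `patch -p1 < $stuff/CVE-2025-49175.patch || return 1`. The same applies to the existing CVE-2025-26601 lines above. The set applied is 49175, 49176, 49178 and 49180; if the linked announcement lists further CVEs, a short comment stating why they are not needed for this server version would make the coverage reviewable.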
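--- /dev/null
+++ b/xorg-server/stuff/CVE-2025-49175.patch
@@ -0,0 +1,87 @@
+From 0885e0b26225c90534642fe911632ec0779eebee Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 28 Mar 2025 09:43:52 +0100
+Subject: [PATCH] render: Avoid 0 or less animated cursors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Animated cursors use a series of cursors that the client can set.
+
+By default, the Xserver assumes at least one cursor is specified
+while a client may actually pass no cursor at all.
+
+That causes an out-of-bound read creating the animated cursor and a
+crash of the Xserver:
+
+ | Invalid read of size 8
+ | at 0x5323F4: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
+ | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
+ | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ |
+ | Invalid read of size 2
+ | at 0x5323F7: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x8 is not stack'd, malloc'd or (recently) free'd
+
+To avoid the issue, check the number of cursors specified and return a
+BadValue error in both the proc handler (early) and the animated cursor
+creation (as this is a public function) if there is 0 or less cursor.
+
+CVE-2025-49175
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: José Expósito <jexposit@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+---
+ render/animcur.c | 3 +++
+ render/render.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index f906cd8130..1194cee7e7 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -305,6 +305,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+ int rc = BadAlloc, i;
+ AnimCurPtr ac;
+
++ if (ncursor <= 0)
++ return BadValue;
++
+ for (i = 0; i < screenInfo.numScreens; i++)
+ if (!GetAnimCurScreen(screenInfo.screens[i]))
+ return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 113f6e0c5a..fe9f03c8c8 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1799,6 +1799,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+ ncursor =
+ (client->req_len -
+ (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++ if (ncursor <= 0)
++ return BadValue;
+ cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (!cursors)
+ return BadAlloc;
+--
+GitLab
+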
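--- /dev/null
+++ b/xorg-server/stuff/CVE-2025-49176.patch
@@ -0,0 +1,88 @@
+From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 7 Apr 2025 16:13:34 +0200
+Subject: [PATCH] os: Do not overflow the integer size with BigRequest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The BigRequest extension allows requests larger than the 16-bit length
+limit.
+
+It uses integers for the request length and checks for the size not to
+exceed the maxBigRequestSize limit, but does so after translating the
+length to integer by multiplying the given size in bytes by 4.
+
+In doing so, it might overflow the integer size limit before actually
+checking for the overflow, defeating the purpose of the test.
+
+To avoid the issue, make sure to check that the request size does not
+overflow the maxBigRequestSize limit prior to any conversion.
+
+The caller Dispatch() function however expects the return value to be in
+bytes, so we cannot just return the converted value in case of error, as
+that would also overflow the integer size.
+
+To preserve the existing API, we use a negative value for the X11 error
+code BadLength as the function only return positive values, 0 or -1 and
+update the caller Dispatch() function to take that case into account to
+return the error code to the offending client.
+
+CVE-2025-49176
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+---
+ dix/dispatch.c | 9 +++++----
+ os/io.c | 4 ++++
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index b3e5feacc2..2308cfe6d1 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -527,9 +527,10 @@ Dispatch(void)
+
+ /* now, finally, deal with client requests */
+ result = ReadRequestFromClient(client);
+- if (result <= 0) {
+- if (result < 0)
+- CloseDownClient(client);
++ if (result == 0)
++ break;
++ else if (result == -1) {
++ CloseDownClient(client);
+ break;
+ }
+
+@@ -550,7 +551,7 @@ Dispatch(void)
+ client->index,
+ client->requestBuffer);
+ #endif
+- if (result > (maxBigRequestSize << 2))
++ if (result < 0 || result > (maxBigRequestSize << 2))
+ result = BadLength;
+ else {
+ result = XaceHookDispatch(client, client->majorOp);
+diff --git a/os/io.c b/os/io.c
+index 1fffaf62c7..3e39c10e6f 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -300,6 +300,10 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2) {
++ /* Check for potential integer overflow */
++ return -(BadLength);
++ }
+ needed <<= 2; /* needed is in bytes now */
+ }
+ if (gotnow < needed) {
+--
+GitLab
+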
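Review bot: The overflow guard added to ReadRequestFromClient() in os/io.c protects only the `needed <<= 2` conversion at this one site, and the function continues well past the hunk, so any later words-to-bytes conversion in it would remain unguarded. As far as I recall, upstream published a follow-up for this CVE that repeats `if (needed > MAXINT >> 2) return -(BadLength);` at a second place in the same function; please confirm against the X.Org advisory and import it if it applies to this tree. In dix/dispatch.c every negative result other than -1 now falls through to the BadLength branch, so a one-line comment at the `result == -1` test, such as `/* -1: connection error; other negatives carry -(X error code) */`, would document the new return convention for future callers.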
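--- /dev/null
+++ b/xorg-server/stuff/CVE-2025-49178.patch
@@ -0,0 +1,45 @@
+From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:46:03 +0200
+Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer
+
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+
+CVE-2025-49178
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 3e39c10e6f..e7b76b9cea 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -441,7 +441,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+GitLab
+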
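--- /dev/null
+++ b/xorg-server/stuff/CVE-2025-49180_1.patch
@@ -0,0 +1,40 @@
+From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 20 May 2025 15:18:19 +0200
+Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty()
+
+A client might send a request causing an integer overflow when computing
+the total size to allocate in RRChangeProviderProperty().
+
+To avoid the issue, check that total length in bytes won't exceed the
+maximum integer value.
+
+CVE-2025-49180
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+---
+ randr/rrproviderproperty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 69f66ed278..0c3dcd1bc5 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -182,7 +182,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+
+ if (mode == PropModeReplace || len > 0) {
+ void *new_data = NULL, *old_data = NULL;
+-
++ if (total_len > MAXINT / size_in_bytes)
++ return BadValue;
+ total_size = total_len * size_in_bytes;
+ new_value.data = (void *) malloc(total_size);
+ if (!new_value.data && total_size) {
+--
+GitLab
+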
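Review bot: The new guard `total_len > MAXINT / size_in_bytes` in RRChangeProviderProperty() divides by `size_in_bytes`, and nothing visible in the hunk establishes that this value is non-zero; its declaration and any validation of the property format lie outside the hunk. If the function can be reached with an unvalidated format, the guard itself would fault, and a defensive form such as `if (size_in_bytes == 0 || total_len > MAXINT / size_in_bytes) return BadValue;` would close that. The check also took the place of the blank line after the declarations, so a short comment like `/* reject lengths whose byte count would overflow int */` above it would keep the intent readable.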
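--- /dev/null
+++ b/xorg-server/stuff/CVE-2025-49180_2.patch
@@ -0,0 +1,48 @@
+From 0235121c6a7a6eb247e2addb3b41ed6ef566853d Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 14:59:46 +0200
+Subject: [PATCH] xfree86: Check for RandR provider functions
+
+Changing XRandR provider properties if the driver has set no provider
+function such as the modesetting driver will cause a NULL pointer
+dereference and a crash of the Xorg server.
+
+Related to CVE-2025-49180
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+---
+ hw/xfree86/modes/xf86RandR12.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
+index ddcf5e748a..bf33da377a 100644
+--- a/hw/xfree86/modes/xf86RandR12.c
++++ b/hw/xfree86/modes/xf86RandR12.c
+@@ -2146,7 +2146,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
+ /* If we don't have any property handler, then we don't care what the
+ * user is setting properties to.
+ */
+- if (config->provider_funcs->set_property == NULL)
++ if (config->provider_funcs == NULL ||
++ config->provider_funcs->set_property == NULL)
+ return TRUE;
+
+ /*
+@@ -2164,7 +2165,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
+ ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
+ xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+
+- if (config->provider_funcs->get_property == NULL)
++ if (config->provider_funcs == NULL ||
++ config->provider_funcs->get_property == NULL)
+ return TRUE;
+
+ /* Should be safe even w/o vtSema */
+--
+GitLab
+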