[arch-commits] Commit in libxi/trunk (PKGBUILD git-fixes.diff)

Laurent Carlier lcarlier at nymeria.archlinux.org
Mon Jun 24 21:48:09 UTC 2013


    Date: Monday, June 24, 2013 @ 23:48:09
  Author: lcarlier
Revision: 188903

upgpkg: libxi 1.7.1-3

Fix regression introduced by previous security fixes (FS#35919)

Modified:
  libxi/trunk/PKGBUILD
  libxi/trunk/git-fixes.diff

----------------+
 PKGBUILD       |    4 +--
 git-fixes.diff |   64 ++++++++++++++++++++++++++++++++++++++++++-------------
 2 files changed, 51 insertions(+), 17 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2013-06-24 18:26:17 UTC (rev 188902)
+++ PKGBUILD	2013-06-24 21:48:09 UTC (rev 188903)
@@ -4,7 +4,7 @@
 
 pkgname=libxi
 pkgver=1.7.1
-pkgrel=2
+pkgrel=3
 pkgdesc="X11 Input extension library"
 arch=('i686' 'x86_64')
 url="http://xorg.freedesktop.org"
@@ -15,7 +15,7 @@
 source=(${url}/releases/individual/lib/libXi-${pkgver}.tar.bz2
         git-fixes.diff)
 sha256sums=('e92adb6b69c53c51e05c1e65db97e23751b935a693000fb0606c11b88c0066c5'
-            '23e10f8a8a078dd109acbd5a66fe62a45233d3a2368649d5114107a790594c07')
+            'faa2f76f68e65f537062829ad45977561079ac8747bd8e24a82055e70a5bf0cc')
 
 prepare() {
   cd "${srcdir}/libXi-${pkgver}"
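Review bot: the `sha256sums` entry is the only integrity check visible for the upstream tarball, and `source=` builds its download address from `url="http://xorg.freedesktop.org"`, so the fetch runs over plain HTTP. The second checksum changing here is expected because git-fixes.diff was regenerated, but for a package that carries CVE fixes it would be worth pointing `url` at an https address or adding upstream's detached signature to `source=`, if either is available, so that the first checksum is not the sole trust anchor.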

Modified: git-fixes.diff
===================================================================
--- git-fixes.diff	2013-06-24 18:26:17 UTC (rev 188902)
+++ git-fixes.diff	2013-06-24 21:48:09 UTC (rev 188903)
@@ -1,7 +1,7 @@
 From bb82c72a1d69eaf60b7586570faf797df967f661 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Mon, 29 Apr 2013 18:39:34 -0700
-Subject: [PATCH 01/15] Expand comment on the memory vs. reply ordering in
+Subject: [PATCH 01/16] Expand comment on the memory vs. reply ordering in
  XIGetSelectedEvents()
 
 Unpacking from the wire involves un-interleaving the structs & masks,
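Review bot: this Subject-line renumbering from `01/15` to `01/16`, repeated in the fourteen hunks that follow, comes from regenerating the whole series to append one patch, which turns a one-line fix into a sixteen-hunk diff and makes reviewers confirm hunk by hunk that the CVE patches themselves are untouched. The diffstat does support that (15 renumbered subject lines plus 34 appended lines account for the 49 insertions and 15 deletions in git-fixes.diff), but shipping the new fix as its own patch file next to git-fixes.diff would keep the existing file and its checksum stable and make the regression fix reviewable in isolation.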
@@ -42,7 +42,7 @@
 From 5d43d4914dcabb6de69859567061e99300e56ef4 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer at who-t.net>
 Date: Fri, 17 May 2013 09:07:44 +1000
-Subject: [PATCH 02/15] Copy the sequence number into the target event too
+Subject: [PATCH 02/16] Copy the sequence number into the target event too
  (#64687)
 
 X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687>
@@ -136,7 +136,7 @@
 From 59b8e1388a687f871831ac5a9e0ac11de75e2516 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Wed, 1 May 2013 23:58:39 -0700
-Subject: [PATCH 03/15] Use _XEatDataWords to avoid overflow of rep.length bit
+Subject: [PATCH 03/16] Use _XEatDataWords to avoid overflow of rep.length bit
  shifting
 
 rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
@@ -420,7 +420,7 @@
 From f3e08e4fbe40016484ba795feecf1a742170ffc1 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sat, 9 Mar 2013 22:26:52 -0800
-Subject: [PATCH 04/15] Stack buffer overflow in XGetDeviceButtonMapping()
+Subject: [PATCH 04/16] Stack buffer overflow in XGetDeviceButtonMapping()
  [CVE-2013-1998 1/3]
 
 We copy the entire reply sent by the server into the fixed size
@@ -487,7 +487,7 @@
 From 91434737f592e8f5cc1762383882a582b55fc03a Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sat, 9 Mar 2013 23:37:23 -0800
-Subject: [PATCH 05/15] memory corruption in _XIPassiveGrabDevice()
+Subject: [PATCH 05/16] memory corruption in _XIPassiveGrabDevice()
  [CVE-2013-1998 2/3]
 
 If the server returned more modifiers than the caller asked for,
@@ -520,7 +520,7 @@
 From 5398ac0797f7516f2c9b8f2869a6c6d071437352 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Fri, 26 Apr 2013 22:48:36 -0700
-Subject: [PATCH 06/15] unvalidated lengths in XQueryDeviceState()
+Subject: [PATCH 06/16] unvalidated lengths in XQueryDeviceState()
  [CVE-2013-1998 3/3]
 
 If the lengths given for each class state in the reply add up to more
@@ -589,7 +589,7 @@
 From b0b13c12a8079a5a0e7f43b2b8983699057b2cec Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sat, 9 Mar 2013 22:55:23 -0800
-Subject: [PATCH 07/15] integer overflow in XGetDeviceControl() [CVE-2013-1984
+Subject: [PATCH 07/16] integer overflow in XGetDeviceControl() [CVE-2013-1984
  1/8]
 
 If the number of valuators reported by the server is large enough that
@@ -708,7 +708,7 @@
 From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sat, 9 Mar 2013 22:55:23 -0800
-Subject: [PATCH 08/15] integer overflow in XGetFeedbackControl()
+Subject: [PATCH 08/16] integer overflow in XGetFeedbackControl()
  [CVE-2013-1984 2/8]
 
 If the number of feedbacks reported by the server is large enough that
@@ -808,7 +808,7 @@
 From 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sat, 9 Mar 2013 22:55:23 -0800
-Subject: [PATCH 09/15] integer overflow in XGetDeviceDontPropagateList()
+Subject: [PATCH 09/16] integer overflow in XGetDeviceDontPropagateList()
  [CVE-2013-1984 3/8]
 
 If the number of event classes reported by the server is large enough
@@ -859,7 +859,7 @@
 From bb922ed4253b35590f0369f32a917ff89ade0830 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sat, 9 Mar 2013 22:55:23 -0800
-Subject: [PATCH 10/15] integer overflow in XGetDeviceMotionEvents()
+Subject: [PATCH 10/16] integer overflow in XGetDeviceMotionEvents()
  [CVE-2013-1984 4/8]
 
 If the number of events or axes reported by the server is large enough
@@ -928,7 +928,7 @@
 From 242f92b490a695fbab244af5bad11b71f897c732 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sat, 9 Mar 2013 22:55:23 -0800
-Subject: [PATCH 11/15] integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
+Subject: [PATCH 11/16] integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
 
 If the number of items reported by the server is large enough that
 it overflows when multiplied by the size of the appropriate item type,
@@ -985,7 +985,7 @@
 From 528419b9ef437e7eeafb41bf45e8ff7d818bd845 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sat, 9 Mar 2013 22:55:23 -0800
-Subject: [PATCH 12/15] integer overflow in XIGetSelectedEvents()
+Subject: [PATCH 12/16] integer overflow in XIGetSelectedEvents()
  [CVE-2013-1984 6/8]
 
 If the number of events or masks reported by the server is large enough
@@ -1076,7 +1076,7 @@
 From 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sun, 10 Mar 2013 13:30:55 -0700
-Subject: [PATCH 13/15] Avoid integer overflow in XGetDeviceProperties()
+Subject: [PATCH 13/16] Avoid integer overflow in XGetDeviceProperties()
  [CVE-2013-1984 7/8]
 
 If the number of items as reported by the Xserver is too large, it
@@ -1210,7 +1210,7 @@
 From ef82512288d8ca36ac0beeb289f158195b0a8cae Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sun, 10 Mar 2013 00:22:14 -0800
-Subject: [PATCH 14/15] Avoid integer overflow in XListInputDevices()
+Subject: [PATCH 14/16] Avoid integer overflow in XListInputDevices()
  [CVE-2013-1984 8/8]
 
 If the length of the reply as reported by the Xserver is too long, it
@@ -1265,7 +1265,7 @@
 From 81b4df8ac6aa1520c41c3526961014a6f115cc46 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith at oracle.com>
 Date: Sun, 10 Mar 2013 00:16:22 -0800
-Subject: [PATCH 15/15] sign extension issue in XListInputDevices()
+Subject: [PATCH 15/16] sign extension issue in XListInputDevices()
  [CVE-2013-1995]
 
 nptr is (signed) char, which can be negative, and will sign extend
@@ -1350,3 +1350,37 @@
 -- 
 1.8.3.1
 
+
+From 661c45ca17c434dbd342a46fd3fb813852ae0ca9 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer at who-t.net>
+Date: Tue, 21 May 2013 12:23:05 +1000
+Subject: [PATCH 16/16] Don't overwrite the cookies serial number
+
+serial != sequenceNumber, see _XSetLastRequestRead()
+
+cookie->serial is already set at this point, setting it again directly from
+the sequenceNumber of the event causes a bunch of weird issues such as
+scrollbars and text drag-n-drop breaking.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=965347
+
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+ src/XExtInt.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/XExtInt.c b/src/XExtInt.c
+index 8e19b97..d3c6b7c 100644
+--- a/src/XExtInt.c
++++ b/src/XExtInt.c
+@@ -915,7 +915,6 @@ static void xge_copy_to_cookie(xGenericEvent* ev,
+     cookie->type = ev->type;
+     cookie->evtype = ev->evtype;
+     cookie->extension = ev->extension;
+-    cookie->serial = ev->sequenceNumber;
+ }
+ 
+ static Bool
+-- 
+1.8.3.1
+
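Review bot: the embedded patch drops `cookie->serial = ev->sequenceNumber;` from `xge_copy_to_cookie()` on the grounds that the serial is "already set at this point", but nothing in the hunk or the function records where, so the assignment is easy to reintroduce later. A short comment in `xge_copy_to_cookie()` stating that `serial` is assigned earlier and is not the same value as the wire `sequenceNumber` (per the message's reference to `_XSetLastRequestRead()`) would document that. The message also does not name which earlier patch in the series added the assignment; judging only by its subject, "Copy the sequence number into the target event too", 02/16 looks like the candidate, and stating it would help anyone backporting part of the series.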



