From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by mail.openembedded.org (Postfix) with ESMTP id 5FC5C79707 for ; Wed, 26 Sep 2018 01:10:31 +0000 (UTC) Received: from sinanubuntu1604.mkjiurmyylmellclgttazegk5f.bx.internal.cloudapp.net (unknown [40.76.73.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3A481208E4; Wed, 26 Sep 2018 01:10:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1537924232; bh=rFkENT3HIbieGznkUG7POv+VUTArZr7CaNCr6AeKHnY=; h=From:To:Cc:Subject:Date:From; b=w3PC3W9yq755UIkltEEJVvvchDE+kvCJ6qpZjl1QvEEzfRTkGQ1DLyLAv1TK9144f HBCiDnXzbA3VETrJuWJ1vovD+cGBd8Rp0Duxzp/T2chQNpNW2q9Q4MnalS3Gbf4mPN BAFcicynQBtYAqs8ppIfKmVBaqv6AAww0r+8386c= From: Sinan Kaya To: openembedded-core@lists.openembedded.org Date: Wed, 26 Sep 2018 01:10:26 +0000 Message-Id: <20180926011027.21818-1-okaya@kernel.org> X-Mailer: git-send-email 2.19.0 MIME-Version: 1.0 Subject: [sumo] [PATCH v2 1/2] libice: CVE-2017-2626 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Sep 2018 01:10:31 -0000 Content-Transfer-Encoding: 8bit * CVE-2017-2626 It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list. Affects libice < 1.0.9-8 CVE: CVE-2017-2626 Ref: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2626 Signed-off-by: Sinan Kaya --- .../xorg-lib/libice/CVE-2017-2626.patch | 145 ++++++++++++++++++ .../recipes-graphics/xorg-lib/libice_1.0.9.bb | 4 + 2 files changed, 149 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch diff --git a/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch b/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch new file mode 100644 index 0000000000..88c3f6ddfe --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch @@ -0,0 +1,145 @@ +From da5dc9e3a7a7e96284512f976f864f7ef13755b7 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Tue, 4 Apr 2017 19:12:53 +0200 +Subject: [PATCH] Use getentropy() if arc4random_buf() is not available + +This allows to fix CVE-2017-2626 on Linux platforms without pulling in +libbsd. +The libc getentropy() is available since glibc 2.25 but also on OpenBSD. +For Linux, we need at least a v3.17 kernel. If the recommended +arc4random_buf() function is not available, emulate it by first trying +to use getentropy() on a supported glibc and kernel. If the call fails, +fall back to the current (partly vulnerable) code. + +Signed-off-by: Benjamin Tissoires +Reviewed-by: Mark Kettenis +Reviewed-by: Alan Coopersmith +Signed-off-by: Peter Hutterer +Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/lib/libICE/commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b] +CVE: CVE-2017-2626 +Signed-off-by: Sinan Kaya +--- + configure.ac | 2 +- + src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++--------------- + 2 files changed, 47 insertions(+), 20 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 458882a..c971ab6 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type]) + + # Checks for library functions. + AC_CHECK_LIB([bsd], [arc4random_buf]) +-AC_CHECK_FUNCS([asprintf arc4random_buf]) ++AC_CHECK_FUNCS([asprintf arc4random_buf getentropy]) + + # Allow checking code with lint, sparse, etc. + XORG_WITH_LINT +diff --git a/src/iceauth.c b/src/iceauth.c +index ef66626..9b77eac 100644 +--- a/src/iceauth.c ++++ b/src/iceauth.c +@@ -42,31 +42,19 @@ Author: Ralph Mor, X Consortium + + static int was_called_state; + +-/* +- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by +- * the SI. It is not part of standard ICElib. +- */ ++#ifndef HAVE_ARC4RANDOM_BUF + +- +-char * +-IceGenerateMagicCookie ( ++static void ++emulate_getrandom_buf ( ++ char *auth, + int len + ) + { +- char *auth; +-#ifndef HAVE_ARC4RANDOM_BUF + long ldata[2]; + int seed; + int value; + int i; +-#endif + +- if ((auth = malloc (len + 1)) == NULL) +- return (NULL); +- +-#ifdef HAVE_ARC4RANDOM_BUF +- arc4random_buf(auth, len); +-#else + #ifdef ITIMER_REAL + { + struct timeval now; +@@ -74,13 +62,13 @@ IceGenerateMagicCookie ( + ldata[0] = now.tv_sec; + ldata[1] = now.tv_usec; + } +-#else ++#else /* ITIMER_REAL */ + { + long time (); + ldata[0] = time ((long *) 0); + ldata[1] = getpid (); + } +-#endif ++#endif /* ITIMER_REAL */ + seed = (ldata[0]) + (ldata[1] << 16); + srand (seed); + for (i = 0; i < len; i++) +@@ -88,7 +76,46 @@ IceGenerateMagicCookie ( + value = rand (); + auth[i] = value & 0xff; + } +-#endif ++} ++ ++static void ++arc4random_buf ( ++ char *auth, ++ int len ++) ++{ ++ int ret; ++ ++#if HAVE_GETENTROPY ++ /* weak emulation of arc4random through the entropy libc */ ++ ret = getentropy (auth, len); ++ if (ret == 0) ++ return; ++#endif /* HAVE_GETENTROPY */ ++ ++ emulate_getrandom_buf (auth, len); ++} ++ ++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */ ++ ++/* ++ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by ++ * the SI. It is not part of standard ICElib. ++ */ ++ ++ ++char * ++IceGenerateMagicCookie ( ++ int len ++) ++{ ++ char *auth; ++ ++ if ((auth = malloc (len + 1)) == NULL) ++ return (NULL); ++ ++ arc4random_buf (auth, len); ++ + auth[len] = '\0'; + return (auth); + } +-- +2.19.0 + diff --git a/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb b/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb index f069749ce0..4962815ae3 100644 --- a/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb +++ b/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb @@ -8,6 +8,10 @@ negotiating versions, and for reporting errors. " require xorg-lib-common.inc +SRC_URI += "\ + file://CVE-2017-2626.patch \ +" + LICENSE = "MIT-style" LIC_FILES_CHKSUM = "file://COPYING;md5=d162b1b3c6fa812da9d804dcf8584a93" -- 2.19.0