[Git][xorg-team/app/xauth][debian-unstable] 14 commits: Fix segmentation fault on invalid add argument.

Timo Aaltonen pushed to branch debian-unstable at X Strike Force / app / xauth

Commits:

cb98d3b3

by Tobias Stoeckmann at 2020-05-03T12:25:21+02:00

Fix segmentation fault on invalid add argument.

The hex key supplied with an add command can be quoted, in which
case the quotation marks are removed.

The check itself makes sure that a given string starts with a
double quotation mark and ends with a double quotation mark.

Buf if only " is supplied, the code crashes because it subtracts
2 from the length (which is 1) and therefore copies too much
memory into a 0 allocated memory area.

Proof of concept:

$ xauth add :0 0 \"

f5af3b21

by Tobias Stoeckmann at 2020-05-10T18:03:48+00:00

Prevent OOB write with long file names.

If an -f argument is exactly 1022 characters in size, an off-by-one
stack overflow happens in auth_finalize. The overflow could be even
larger if locks are ignored for authentication files.

Make sure that a given authentication file name fits into temporary
buffer and that this buffer matches buffer sizes of libXau which is
used by xauth.

af7a74e2

by Alan Coopersmith at 2020-05-10T11:27:25-07:00

Avoid memory leak when realloc() fails in split_into_words()

Reported by Oracle Parfait:
Error: Memory leak
   Memory leak [memory-leak] (CWE 401):
      Memory leak of pointer argv allocated with malloc(32)
        at line 283 of process.c in function 'split_into_words'.
          argv allocated at line 264 with malloc(32)
          argv leaks when cur == total at line 280.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

4faf0f63

by Alan Coopersmith at 2020-05-10T11:47:33-07:00

Use reallocarray() when adding members to array in split_into_words()

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

aaf037ec

by Alan Coopersmith at 2020-05-10T13:21:50-07:00

Avoid memory leaks in error paths in do_generate

Reported by Oracle Parfait:
Error: Memory leak
   Memory leak [memory-leak] (CWE 401):
      Memory leak of pointer authdata allocated with malloc((authdatalen - 1))
        at line 1955 of process.c in function 'do_generate'.
          authdata allocated at line 1946 with malloc((authdatalen - 1))
      Memory leak of pointer authdata allocated with malloc((authdatalen - 1))
        at line 1971 of process.c in function 'do_generate'.
          authdata allocated at line 1946 with malloc((authdatalen - 1))
          authdata leaks when (i + 1) >= argc at line 1910.
        at line 1980 of process.c in function 'do_generate'.
          authdata allocated at line 1946 with malloc((authdatalen - 1))
          authdata leaks when (i + 1) >= argc at line 1910.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

18a3c3a7

by Dr. Tilmann Bubeck at 2020-08-20T20:28:52+02:00

Additionally check socket file with S_ISSOCK
This fixes bug https://bugzilla.redhat.com/show_bug.cgi?id=1870201

d7e50214

by Karol Herbst at 2021-04-22T13:30:14+02:00

Check malloc calls in process.c

Fixes warnings like

warning[-Wanalyzer-possible-null-argument]: use of possibly-NULL 'authdata' where non-null expected

Found-by: gcc static analysis
Signed-off-by: Karol Herbst <kherbst@redhat.com>

c2811c95

by Alex Gendin at 2021-08-02T20:30:21+00:00

Fix segfault when X starts

This patch potentially fixes bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884934

System log entries when this bug occurs:
    kernel: xauth[16729]: segfault at 1 ip 00007f51f517f5a5 sp 00007ffdec846568 error 4
                          in libc-2.31.so[7f51f5102000+144000]
    kernel: Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0
                  0f 49 29 d0 48 8d 7c 17 31 e9 8f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3
                  0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8 11 0f

This bug happens when function get_address_info() in gethost.c is called
with a display name without forward slash, for example 'myhost.mydomain:0'

1bfa5bff

by Alan Coopersmith at 2021-11-28T15:04:58-08:00

Fix spelling/wording issues

Found by using:
    codespell --builtin clear,rare,usage,informal,code,names

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

477307d0

by Alan Coopersmith at 2021-11-28T15:32:37-08:00

xauth 1.1.1

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

7b2be2b6

by Timo Aaltonen at 2022-04-01T10:01:05+03:00

Merge branch 'upstream-unstable' into debian-unstable

e1d78914
by Timo Aaltonen at 2022-04-01T10:02:01+03:00
```
version bump
```
ad834de2
by Timo Aaltonen at 2022-04-01T10:02:58+03:00
```
control, rules: Bump debhelper-compat to 13.
```
83ff9b2c
by Timo Aaltonen at 2022-04-01T10:06:01+03:00
```
release to sid
```

Changes:

README.md

@@ -22,7 +22,7 @@ Xorg mailing list:
    https://lists.x.org/mailman/listinfo/xorg
 -The master development code repository can be found at:
 +The primary development code repository can be found at:
    https://gitlab.freedesktop.org/xorg/app/xauth

configure.ac

@@ -22,7 +22,7 @@ dnl Process this file with autoconf to create configure.
  AC_PREREQ([2.60])
  AC_INIT([xauth],
 -	[1.1],
 +	[1.1.1],
  	[https://gitlab.freedesktop.org/xorg/app/xauth/issues],
  	[xauth])
  AM_INIT_AUTOMAKE([foreign dist-bzip2])
@@ -42,7 +42,7 @@ XORG_DEFAULT_OPTIONS
  AC_CHECK_HEADERS([net/errno.h])
 -AC_CHECK_FUNCS([strlcpy])
 +AC_CHECK_FUNCS([reallocarray strlcpy])
  # Checks for pkg-config packages
  PKG_CHECK_MODULES(XAUTH, x11 xau xext xmuu xproto >= 7.0.17)

debian/changelog

 +xauth (1:1.1.1-1) unstable; urgency=medium
++
 +  * New upstream release.
 +  * control, rules: Bump debhelper-compat to 13.
++
 + -- Timo Aaltonen <tjaalton@debian.org>  Fri, 01 Apr 2022 10:05:54 +0300
++
  xauth (1:1.1-1) unstable; urgency=medium
    * New upstream release.

debian/control

@@ -3,7 +3,7 @@ Section: x11
  Priority: optional
  Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
  Build-Depends:
 - debhelper-compat (= 12),
 + debhelper-compat (= 13),
   quilt,
   pkg-config,
   libx11-dev (>= 2:1.0.0),

debian/rules

@@ -4,10 +4,6 @@
  override_dh_auto_install:
  	dh_auto_install --destdir=debian/tmp
 -# Forget no-one:
 -override_dh_missing:
 -	dh_missing --fail-missing
+-
  override_dh_auto_test:
  	dh_auto_test -- VERBOSE=1

gethost.c

@@ -199,17 +199,17 @@ struct addrlist *get_address_info (
  #ifdef HAVE_STRLCPY
  	    strlcpy(path, fulldpyname, sizeof(path));
  #else
 -	    strncpy(path, fulldpyname, sizeof(path));
 +	    strncpy(path, fulldpyname, sizeof(path) - 1);
  	    path[sizeof(path) - 1] = '\0';
  #endif
 -	    if (0 == stat(path, &sbuf)) {
 +	    if (0 == stat(path, &sbuf) && S_ISSOCK(sbuf.st_mode) ) {
  		is_path_to_socket = 1;
  	    } else {
  		char *dot = strrchr(path, '.');
  		if (dot) {
  		    *dot = '\0';
  		    /* screen = atoi(dot + 1); */
 -		    if (0 == stat(path, &sbuf)) {
 +		    if (0 == stat(path, &sbuf) && S_ISSOCK(sbuf.st_mode)) {
  		        is_path_to_socket = 1;
+ 		    }
+ 		}
@@ -218,10 +218,11 @@ struct addrlist *get_address_info (
  	    if (is_path_to_socket) {
  		/* Use the bundle id (part preceding : in the basename) as our src id */
  		char *c;
 +		c = strrchr(fulldpyname, '/');
  #ifdef HAVE_STRLCPY
 -		strlcpy(buf, strrchr(fulldpyname, '/') + 1, sizeof(buf));
 +		strlcpy(buf, (NULL != c) ? c + 1 : fulldpyname, sizeof(buf));
  #else
 -		strncpy(buf, strrchr(fulldpyname, '/') + 1, sizeof(buf));
 +		strncpy(buf, (NULL != c) ? c + 1 : fulldpyname, sizeof(buf) - 1);
  		buf[sizeof(buf) - 1] = '\0';
  #endif

man/xauth.man

@@ -238,10 +238,10 @@ Xserver(__appmansuffix__), xdm(__appmansuffix__), startx(__appmansuffix__),
  Xau(__libmansuffix__).
  .SH BUGS
  .PP
 -Users that have unsecure networks should take care to use encrypted
 +Users that have insecure networks should take care to use encrypted
  file transfer mechanisms to copy authorization entries between machines.
  Similarly, the \fIMIT-MAGIC-COOKIE-1\fP protocol is not very useful in
 -unsecure environments.  Sites that are interested in additional security
 +insecure environments.  Sites that are interested in additional security
  may need to use encrypted authorization mechanisms such as Kerberos.
  .PP
  Spaces are currently not allowed in the protocol name.  Quoting could be

parsedpy.c

@@ -35,7 +35,7 @@ in this Software without prior written authorization from The Open Group.
  #include <stdio.h>			/* for NULL */
  #include <ctype.h>			/* for isascii() and isdigit() */
  #include <X11/Xos.h>			/* for strchr() and string routines */
 -#include <X11/Xlib.h>			/* for Family contants */
 +#include <X11/Xlib.h>			/* for Family constants */
  #ifdef hpux
  #include <sys/utsname.h>		/* for struct utsname */
  #endif
@@ -172,7 +172,7 @@ parse_displayname (const char *displayname,
  #ifdef HAVE_STRLCPY
          strlcpy(path, displayname, sizeof(path));
  #else
 -        strncpy(path, displayname, sizeof(path));
 +        strncpy(path, displayname, sizeof(path) - 1);
          path[sizeof(path) - 1] = '\0';
  #endif
          if (0 == stat(path, &sbuf)) {

process.c

@@ -37,6 +37,7 @@ from The Open Group.
  #include "xauth.h"
  #include <ctype.h>
  #include <errno.h>
 +#include <stdint.h>
  #include <sys/stat.h>
  #ifndef WIN32
  #include <sys/socket.h>
@@ -251,6 +252,18 @@ skip_nonspace(register char *s)
      return s;
+ }
 +#ifndef HAVE_REALLOCARRAY
 +static inline void *
 +reallocarray(void *optr, size_t nmemb, size_t size)
 +{
 +    if ((nmemb > 0) && (SIZE_MAX / nmemb < size)) {
 +        errno = ENOMEM;
 +        return NULL;
 +    }
 +    return realloc(optr, size * nmemb);
 +}
 +#endif
++
  static const char **
  split_into_words(char *src, int *argcp)  /* argvify string */
+ {
@@ -278,9 +291,15 @@ split_into_words(char *src, int *argcp)  /* argvify string */
  	savec = *src;
  	*src = '\0';
  	if (cur == total) {
 +	    const char **new_argv;
  	    total += WORDSTOALLOC;
 -	    argv = realloc (argv, total * sizeof (char *));
 -	    if (!argv) return NULL;
 +	    new_argv = reallocarray (argv, total, sizeof (char *));
 +	    if (new_argv != NULL) {
 +		argv = new_argv;
 +	    } else {
 +		free(argv);
 +		return NULL;
 +	    }
+ 	}
  	argv[cur++] = jword;
  	if (savec) src++;		/* if not last on line advance */
@@ -633,7 +652,7 @@ static Bool xauth_modified = False;	/* if added, removed, or merged */
  static Bool xauth_allowed = True;	/* if allowed to write auth file */
  static Bool xauth_locked = False;     /* if has been locked */
  static const char *xauth_filename = NULL;
 -static volatile Bool dieing = False;
 +static volatile Bool dying = False;
  /* poor man's puts(), for under signal handlers,
@@ -645,7 +664,7 @@ _X_NORETURN
  static void
  die(int sig)
+ {
 -    dieing = True;
 +    dying = True;
      _exit (auth_finalize ());
      /* NOTREACHED */
+ }
@@ -697,6 +716,10 @@ auth_initialize(const char *authfilename)
      FILE *authfp;
      Bool exists;
 +    if (strlen(authfilename) > 1022) {
 +	fprintf (stderr, "%s: authority file name \"%s\" too long\n",
 +		 ProgramName, authfilename);
 +    }
      xauth_filename = authfilename;    /* used in cleanup, prevent race with
                                           signals */
      register_signals ();
@@ -854,10 +877,10 @@ write_auth_file(char *tmp_nam)
  int
  auth_finalize(void)
+ {
 -    char temp_name[1024];	/* large filename size */
 +    char temp_name[1025];	/* large filename size */
      if (xauth_modified) {
 -	if (dieing) {
 +	if (dying) {
  	    if (verbose) {
  		/*
  		 * called from a signal handler -- printf is *not* reentrant; also
@@ -1614,13 +1637,22 @@ do_add(const char *inputfilename, int lineno, int argc, const char **argv)
      hexkey = argv[3];
      len = strlen(hexkey);
 -    if (hexkey[0] == '"' && hexkey[len-1] == '"') {
 +    if (len > 1 && hexkey[0] == '"' && hexkey[len-1] == '"') {
  	key = malloc(len-1);
 +	if (!key) {
 +	    fprintf(stderr, "unable to allocate memory\n");
 +	    return 1;
 +	}
  	strncpy(key, hexkey+1, len-2);
 +	key[len-1] = '\0';
  	len -= 2;
      } else if (!strcmp(protoname, SECURERPC) ||
  	       !strcmp(protoname, K5AUTH)) {
  	key = malloc(len+1);
 +	if (!key) {
 +	    fprintf(stderr, "unable to allocate memory\n");
 +	    return 1;
 +	}
  	strcpy(key, hexkey);
      } else {
  	len = cvthexkey (hexkey, &key);
@@ -1859,10 +1891,10 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
      const char *displayname;
      int major_version, minor_version;
      XSecurityAuthorization id_return;
 -    Xauth *auth_in, *auth_return;
 +    Xauth *auth_in = NULL, *auth_return = NULL;
      XSecurityAuthorizationAttributes attributes;
      unsigned long attrmask = 0;
 -    Display *dpy;
 +    Display *dpy = NULL;
      int status;
      const char *args[4];
      const char *protoname = ".";
@@ -1870,7 +1902,7 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
      int authdatalen = 0;
      const char *hexdata;
      char *authdata = NULL;
 -    char *hex;
 +    char *hex = NULL;
      if (argc < 2 || !argv[1]) {
  	prefix (inputfilename, lineno);
@@ -1889,7 +1921,8 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
  	    if (++i == argc) {
  		prefix (inputfilename, lineno);
  		badcommandline (argv[i-1]);
 -		return 1;
 +		status = 1;
 +		goto exit_generate;
+ 	    }
  	    attributes.timeout = atoi(argv[i]);
  	    attrmask |= XSecurityTimeout;
@@ -1906,7 +1939,8 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
  	    if (++i == argc) {
  		prefix (inputfilename, lineno);
  		badcommandline (argv[i-1]);
 -		return 1;
 +		status = 1;
 +		goto exit_generate;
+ 	    }
  	    attributes.group = atoi(argv[i]);
  	    attrmask |= XSecurityGroup;
@@ -1915,13 +1949,20 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
  	    if (++i == argc) {
  		prefix (inputfilename, lineno);
  		badcommandline (argv[i-1]);
 -		return 1;
 +		status = 1;
 +		goto exit_generate;
+ 	    }
  	    hexdata = argv[i];
  	    authdatalen = strlen(hexdata);
  	    if (hexdata[0] == '"' && hexdata[authdatalen-1] == '"') {
  		authdata = malloc(authdatalen-1);
 +		if (!authdata) {
 +		    fprintf(stderr, "unable to allocate memory\n");
 +		    status = 1;
 +		    goto exit_generate;
 +		}
  		strncpy(authdata, hexdata+1, authdatalen-2);
 +		authdata[authdatalen-1] = '\0';
  		authdatalen -= 2;
  	    } else {
  		authdatalen = cvthexkey (hexdata, &authdata);
@@ -1929,13 +1970,15 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
  		    prefix (inputfilename, lineno);
  		    fprintf (stderr,
  			     "data contains odd number of or non-hex characters\n");
 -		    return 1;
 +		    status = 1;
 +		    goto exit_generate;
+ 		}
+ 	    }
  	} else {
  	    prefix (inputfilename, lineno);
  	    badcommandline (argv[i]);
 -	    return 1;
 +	    status = 1;
 +	    goto exit_generate;
+ 	}
+     }
@@ -1945,7 +1988,8 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
      if (!dpy) {
  	prefix (inputfilename, lineno);
  	fprintf (stderr, "unable to open display \"%s\".\n", displayname);
 -	return 1;
 +	status = 1;
 +	goto exit_generate;
+     }
      status = XSecurityQueryExtension(dpy, &major_version, &minor_version);
@@ -1954,7 +1998,8 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
  	prefix (inputfilename, lineno);
  	fprintf (stderr, "couldn't query Security extension on display \"%s\"\n",
  		 displayname);
 -        return 1;
 +	status = 1;
 +	goto exit_generate;
+     }
      /* fill in input Xauth struct */
@@ -1979,7 +2024,8 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
+     {
  	prefix (inputfilename, lineno);
  	fprintf (stderr, "couldn't generate authorization\n");
 -	return 1;
 +	status = 1;
 +	goto exit_generate;
+     }
      if (verbose)
@@ -1994,10 +2040,12 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
      status = do_add(inputfilename, lineno, 4, args);
 -    if (authdata) free(authdata);
 +  exit_generate:
 +    free(authdata);
      XSecurityFreeXauth(auth_in);
      XSecurityFreeXauth(auth_return);
      free(hex);
 -    XCloseDisplay(dpy);
 +    if (dpy != NULL)
 +	XCloseDisplay(dpy);
      return status;
+ }

tests/030-xauth-extract.script

@@ -8,7 +8,7 @@ xauth add examplehost1/unix:0 . b90b0fd1cf6a0e7a2c74c00000000001
  xauth add examplehost2/unix:0 . b90b0fd1cf6a0e7a2c74c00000000002
  xauth add examplehost3/unix:0 . b90b0fd1cf6a0e7a2c74c00000000003
 -# Use xauth_silent because otherwise the system dependant pathes are printed
 +# Use xauth_silent because otherwise the system dependent paths are printed
  XAUTHORITY2=$DATADIR/.Xauthority2
  xauth_silent extract $XAUTHORITY2 examplehost2/unix:0
  xauth_silent -f $XAUTHORITY2 list