
List:       oss-security
Subject:    [oss-security] Fwd: [ANNOUNCE] libICE 1.0.10
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2019-07-14 17:59:24
Message-ID: d24b7c57-3e3e-1d98-6775-a3c15bd08835 () oracle ! com

The CVE-2017-2626 issue was already disclosed at:
  https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
  https://www.openwall.com/lists/oss-security/2017/02/28/3

This just upgrades the fix from a git commit/patch to a released tarball.


    -Alan Coopersmith-              alan.coopersmith@oracle.com
      X.Org Security Response Team - xorg-security@lists.x.org

["[ANNOUNCE] libICE 1_0_10.eml" (message/rfc822)]



libICE provides the API for the Inter-Client Exchange protocol.

This release provides a fix for CVE-2017-2626 for platforms which don't have
arc4random_buf() in their default libraries but do have getentropy(), such
as Linux platforms with a kernel version of 3.17 or newer and a glibc version
of 2.25 or newer.   (libICE 1.0.9 already ensured that arc4random_buf()
is used on platforms that have it to provide sufficient entropy in ICE
key generation, but left other platforms with the weaker methods.  Linux
platforms could also have linked against libbsd to use arc4random_buf()
with libICE 1.0.9 for stronger keys.)

Alan Coopersmith (7):
      spec: Convert troff \*Q..\*U to DocBook <quote>...</quote>
      Remove obsolete B16 & B32 tags in struct definitions
      Update README for gitlab migration
      Update configure.ac bug URL for gitlab migration
      IceOpenConnection: check for malloc failure on connect_to_you too
      IceWritePad: always use zero values for pad bytes
      libICE 1.0.10

Allison Lortie (2):
      authutil: fix an out-of-bounds access
      authutil: support $XDG_RUNTIME_DIR/ICEauthority

Benjamin Tissoires (1):
      Use getentropy() if arc4random_buf() is not available

Emil Velikov (6):
      autogen.sh: use quoted string variables
      Kill off Strstr macro
      Kill off Time_t macro
      Remove unneeded ^L symbols.
      Kill off local ICE_t definitions
      configure.ac: set TRANS_CLIENT/SERVER

Eric Engestrom (3):
      Make sure errorStr is a free-able string
      Make sure error_message is a free-able string
      Make sure string is never NULL

Jon TURNEY (1):
      Include unistd.h for getpid()

Mihail Konev (1):
      autogen: add default patch prefix

Olivier Fourdan (3):
      IceListenForWellKnownConnections: Fix memleak
      _IceRead: Avoid possible use-after-free
      cleanup: Separate variable assignment and test

Peter Hutterer (1):
      autogen.sh: use exec instead of waiting for configure to finish

Remko van der Vossen (1):
      Bug 90616 - libICE build fails on array bounds check

Tobias Stoeckmann (2):
      Fix use after free on subsequent calls
      Always terminate strncpy results.

walter harms (3):
      Drop NULL check prior to free()
      make IceProtocolShutdown() more readable
      iceauth.c: FIX warning: unused variable 'ret' in 'arc4random_buf'

git tag: libICE-1.0.10

https://xorg.freedesktop.org/archive/individual/lib/libICE-1.0.10.tar.bz2
MD5:  76d77499ee7120a56566891ca2c0dbcf  libICE-1.0.10.tar.bz2
SHA1: 5b5eb125d4f43a3ab8153b0f850963ee6c982c24  libICE-1.0.10.tar.bz2
SHA256: 6f86dce12cf4bcaf5c37dddd8b1b64ed2ddf1ef7b218f22b9942595fb747c348  libICE-1.0.10.tar.bz2
SHA512: 2f1ef2c32c833c71894a08fa7e7ed53f301f6c7bd22485d71c12884d8e8b36b99f362ec886349dcc84d08edc81c8b2cea035320831d64974edeba021b433c468 \
                libICE-1.0.10.tar.bz2
PGP:  https://xorg.freedesktop.org/archive/individual/lib/libICE-1.0.10.tar.bz2.sig

https://xorg.freedesktop.org/archive/individual/lib/libICE-1.0.10.tar.gz
MD5:  25825f4caca2f75b112f287849455f15  libICE-1.0.10.tar.gz
SHA1: b042c56b8a9cb42324c1ee7c8ac43f1bb54cc835  libICE-1.0.10.tar.gz
SHA256: 1116bc64c772fd127a0d0c0ffa2833479905e3d3d8197740b3abd5f292f22d2d  libICE-1.0.10.tar.gz
SHA512: 2d4757f7325eb01180b5d7433cc350eb9606bd3afe82dabc8aa164feda75ef03a0624d74786e655c536c24a80d0ccb2f1e3ecbb04d3459b23f85455006ca8a91 \
                libICE-1.0.10.tar.gz
PGP:  https://xorg.freedesktop.org/archive/individual/lib/libICE-1.0.10.tar.gz.sig


-- 
	-Alan Coopersmith-               alan.coopersmith@oracle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc
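
The announcement above says that key generation now uses getentropy() where arc4random_buf() is not available. The following is an added example, not part of the original message and not libICE's own code, showing a key drawn from getentropy() with its 256-byte request limit and failure case handled. The names fill_random, make_key_hex and KEY_LEN, and the 16-byte key length, are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>   /* getentropy(): Linux >= 3.17 with glibc >= 2.25 */

#define KEY_LEN 16        /* assumption: 128-bit key, chosen for illustration */

/* Fill buf with len bytes from the kernel CSPRNG.
 * getentropy() fails with EIO for requests over 256 bytes, so larger
 * buffers are filled in chunks. Returns 0 on success, -1 with errno set. */
int fill_random(unsigned char *buf, size_t len)
{
    while (len > 0) {
        size_t chunk = len > 256 ? 256 : len;
        if (getentropy(buf, chunk) != 0)
            return -1;    /* fail closed: no fallback to a weaker source */
        buf += chunk;
        len -= chunk;
    }
    return 0;
}

/* Write a fresh key as 2*KEY_LEN hex digits plus NUL into out.
 * Returns 0 on success, -1 if out is too small or entropy is unavailable. */
int make_key_hex(char *out, size_t outlen)
{
    unsigned char key[KEY_LEN];

    if (outlen < 2 * KEY_LEN + 1) {
        errno = ERANGE;
        return -1;
    }
    if (fill_random(key, sizeof key) != 0)
        return -1;
    for (size_t i = 0; i < KEY_LEN; i++)
        snprintf(out + 2 * i, 3, "%02x", key[i]);
    return 0;
}

int main(void)
{
    char hex[2 * KEY_LEN + 1];

    if (make_key_hex(hex, sizeof hex) != 0) {
        perror("make_key_hex");
        return 1;
    }
    printf("generated %zu hex digits of key material\n", strlen(hex));
    return 0;
}
```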

