http://invisible-island.net/ansification
Copyright © 2012-2013,2014 by Thomas E. Dickey


Background

I overlooked this on the Xorg mailing list, but noticed it in a web search shortly after:

X.Org security advisory: DoS/info leak in xfs prior to X11R6.7/XFree86 3.3.3 — Alan Coopersmith (24 Jul 17:31 2012).

It quotes my changelog comment:

Prototype/ansification cleanup for Xserver/XIE, xfs, fontlib, mkfontdir, and fix some bugs found along the way (#2103, Thomas Dickey).

but does not give a date. Some discussion is in order, to put this in its proper context.

XFree86 work

I started working with XFree86 in January 1996, on xterm. While my main interest was xterm, I felt inclined to help on the larger project scope.

I started by getting a copy of the source, and learning how to build it. That took about 6 hours on a 56Kb modem. This was a given in the 1990s, for anyone who was not using resources owned by a university or company.

I sent patch files to the mailing list. These were integrated by the XFree86 core developers. This was the basis for the versioning which I use for xterm, referring to "patch #".

Periodically the XFree86 developers provided patches to the next incremental version. I applied those, and thereby kept in sync with their versions for a few years, until early 2001 when high-speed Internet connections to the home became a reality. Around that point, I (and several other proficient developers) were given CVS commit privileges in XFree86.

The change cited for the CVE is noted in the XFree86 changelog in this section:

XFree86 3.9Nk (25 October 1998)

and my corresponding patch was dated 23 October 1998.

It is nice to get credit, but it is nicer to credit people correctly.

XFree86 versus Xorg (early)

Reviewing my patches (outside xterm), I see that I changed about 15,000 lines of code between 1996-2000 (15491 inserts, 14417 deletes). My changes to xterm were more extensive over the same period (66710 inserts, 29132 deletes).

My intent was to reduce compiler warnings, to make it possible to see real problems. Initially I made a few fixes in Xlib.h, and later in the Xserver tree. More than half the roughly 600 files which I touched are under Xserver. However, I also modified libraries (X11, Xau, Xaw, Xdmcp, Xi, Xmu, dps, dpstk, font, xkbfile) and programs (mkfontdir, patch, pswrap, setxkbmap, xclipboard, xconsole, xdm, xfs, xkbcomp, xmag, xman, xvidtune).

The reduction was real. When I started, there were 60-70 thousand warning messages from my build logs (which were stricter than the default). After the initial changes (chiefly the changes to Xlib.h), I got it down to about half that amount. With more work, it came down to a little over 20 thousand warning messages. (There are 3.3 million lines of code in my last CVS pull from XFree86 in 2006).

By "more work", I mean that I worked on all files in a library or program, converting them to ANSI C and checking the compiler warnings.

Referring to email for relevant dates:

XFree86 versus Xorg (later)

With that background in mind, consider this posting in 2004 by Daniel Barkalow (iabervon) on Linux Weekly News:

Posted Apr 8, 2004 0:42 UTC (Thu) by subscriber iabervon

X.org has been releasing X versions all along, which XFree86 has been taking and incorporating into their distributions. If you look at an XFree86 distribution, it will have a set of release notes for the X.org portion as well as the main release notes. It has been X.org's versions of things like xrdb, xterm, xfontsel, etc. which you get if you get XFree86. With this release, X.org has started releasing complete distributions, including the stuff that XFree86 would formerly have added. The last like this was done, the organization doing it was still the X Consortium, so this is the first complete X distribution by X.org, despite the fact that they've made a number of previous incomplete distributions. The odd part is mainly that they've kept the same version numbering when going from the incomplete distribution intended for repackaging to the complete one intended for end users.

There are several parts to the posting. The principal one is the assertion that "It has been X.org's versions of things", etc., stating in so many words that XFree86's contribution to the whole was a minor, subservient role. The remainder of the paragraph builds up to that point, reiterates it and ends with a quibble about version numbering.

At that point, I had been developing xterm for 8 years, and knew well that it was not "X.org's versions of things like xrdb, xterm, xfontsel, etc."

Besides xterm, my changes touched the other programs. The resulting changes were used in released versions of XFree86. Barkalow's posting misattributed the work done. In the case of my work which he pointedly mentioned, this is more than three-quarters of the work which I did.

The point of the CVE description is that X.org began at this point to distribute the XFree86 code, which included my fixes. So the problem "went away". Until that point, X.org had not incorporated any of my work.

It was not "odd" that they kept the same version numbering, because after all it was X.org plus a few new people such as Daniel Stone (daniels) commenting in the LWN thread.

At this writing (late July 2012), X.org's webpage is available via the Internet archive:

April 2, 2003
describes "X.Org, a global consortium". The current members page lists Hewlett Packard, Sun, IBM, Hummingbird, SGI, WRQ, Shiman Associates, Metro Link. XFree86 is listed as an honorary member.
June 2, 2004
notes that it was reorganized on 22 January 2004; the members page still listed XFree86. It was removed sometime between October 9 and December 4.

At no point in X.Org's webpages is found a discontinuity: it was the essentially same people throughout.

Corrected attribution

Reviewing my patches, I do not see the cited change.

There is another source of information. Looking at the XFree86 CVS for events.c, My changes are revision 3.3. I see that the CVE fix was introduced in the next revision (3.4). The changelog comment by David Dawes says only

initial 3.9Nr patches

The XFree86 changelog is not much help. However, the same commit as above touches on compiler warning fixes. Looking at revision 3.653 offers this possibility:

2086. LP64 compiler warning fixes from the NetBSD xsrc tree (#2019, Ross Harvey).

But that is only an educated guess (unless Ross Harvey happens to have his original patches, etc).

On the other hand, my changes helped find the bug. They added function prototypes for SendErrToClient in client.h, and in a new header file dispatch.h. Compiling on my 32-bit machine did not yield a warning message, but it was not unusual for someone to report warnings in "quiet" code when building on a 64-bit machine.


Email: dickey@invisible-island.net