Bug#: 208343
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Description:   Opened: 2008-01-31 19:48 0000
According to dberkholz, "the mit-shm patch only does the security test on
pixmaps of a certain bit depth rather than all of them"
This means CVE-2007-6429 is incompletely fixed in bug 204362.
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commit;h=be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161

There is also a better fix for CVE-2007-3920, "Don't break grab and focus state
for a window when redirecting it." -- The fix we had in bug 196878 is "a huge
hack" to quote donnie again ;-)
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commit;h=a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b

------- Comment #1 From Robert Buchholz 2008-01-31 19:49:36 0000 -------
[20:42] <dberkholz> i can get ebuilds underway later this afternoon

------- Comment #2 From Chris Gianelloni (RETIRED) 2008-02-01 21:49:53 0000 -------
I'm going to go ahead and add release@ so I can track this one.

Donnie has just bumped the version in the tree.

<CIA-3> dberkholz * gentoo-x86/x11-base/xorg-server/ (5 files in 2 dirs):

------- Comment #3 From Donnie Berkholz 2008-02-01 21:50:02 0000 -------
New ebuilds in the tree -- xorg-server-1.3.0.0-r5 and xorg-server-1.4.0.90-r3.
1.3.0.0-r5 is the stable target.

------- Comment #4 From Robert Buchholz 2008-02-01 22:20:34 0000 -------
Arches, please test and mark stable:
=x11-base/xorg-server-1.3.0.0-r5
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 release sh sparc
x86"

------- Comment #5 From Markus Meier 2008-02-02 02:02:45 0000 -------
x86 stable

------- Comment #6 From Brent Baude 2008-02-02 14:41:49 0000 -------
ppc64 stable

------- Comment #7 From Tobias Scherbaum 2008-02-02 15:56:52 0000 -------
ppc stable

------- Comment #8 From Jeroen Roovers 2008-02-02 16:10:18 0000 -------
Stable for HPPA.

------- Comment #9 From Raúl Porcel 2008-02-09 11:30:13 0000 -------
alpha/ia64/sparc stable

I can't believe amd64 didn't do this one yet...

------- Comment #10 From Wulf Krueger (RETIRED) 2008-02-11 06:04:39 0000 -------
Marked stable on amd64.

------- Comment #11 From Sune Kloppenborg Jeppesen 2008-02-11 18:35:34 0000 -------
Request filed.

------- Comment #12 From Robert Buchholz 2008-02-11 23:58:19 0000 -------
I would handle this as an erratum to the previous GLSA, no?

------- Comment #13 From Sune Kloppenborg Jeppesen 2008-02-12 10:34:07 0000 -------
Sure, I wasn't thinking straight. Could someone with ssh access to finch delete
the draft I made?

------- Comment #14 From Peter Volkov 2008-02-25 10:57:47 0000 -------
This bug was fixed in release snapshot.

------- Comment #15 From Ryan Hill 2008-03-02 21:55:56 0000 -------
no stable for mips.

------- Comment #16 From Robert Buchholz 2008-03-05 22:25:54 0000 -------
errata sent, thanks.
http://archives.gentoo.org/gentoo-announce/msg_e75f5d493fea7c6f718a850abd59598a.xml
