Bug 204362 - x11-base/xorg-server|x11-libs/libXfont Multiple vulnerabilities (CVE-2007-{5760,5958,6427,6428,6429}, CVE-2008-0006)
Bug#: 204362
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: critical
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://lists.freedesktop.org/archives/xorg/2008-January/031918.html
Summary: x11-base/xorg-server|x11-libs/libXfont Multiple vulnerabilities (CVE-2007-{5760,5958,6427,6428,6429}, CVE-2008-0006)
Keywords:
Status Whiteboard: A1 [glsa]
Opened: 2008-01-05 01:31 0000
Multiple vulnerabilities were reported in X.Org Server.
CVE-2007-5958:
xorg does not enforce restrictions when a user specifies a security policy,
allowing for disclosure of the existence of a file (and an attempt to open
it).
CVE-2007-5760:
Invalid array index vulnerability in the XFree86-Misc extension when
processing PassMessage requests, leading to arbitrary code execution.
CVE-2007-6427:
Heap memory corruption vulnerability in various functions within
the XInput extension.
CVE-2007-6428:
Failure to sanitize an index value, leading to arbitrary memory access in
the ProcGetReservedColormapEntries() function in the TOG-CUP extension.
CVE-2007-6429:
Integer overflow in the ProcEVIGetVisualInfo() function in the EVI extension
and in the VERIFY_SHMSIZE macro in the MIT-SHM extension, leading to buffer
overflows.
Donnie, I'll be attaching patches to this bug in a moment.
Please prepare updated ebuilds (at least for our stable 1.3) and attach them to
this bug. Do not commit anything yet as these vulnerabilities are under embargo
until Jan. 8 (delay was requested).
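Two of the bug classes listed in the report, an unsanitized client-supplied index (CVE-2007-6428) and an integer overflow inside a size check (CVE-2007-6429), come down to the same request-validation discipline in an extension handler. The following C program is an added illustration written for this page; it is not X.Org code and does not reproduce ProcGetReservedColormapEntries() or VERIFY_SHMSIZE. All function names, the screen table and the segment sizes are constructed for the example. It places a weak check beside its hardened form for each class so the difference in behaviour on hostile input can be seen directly.

```c
/* Added example, not X.Org server code: request validation patterns for
 * an X-style extension handler. All names and values are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NUM_SCREENS 4

/* Constructed per-screen table standing in for server state. */
static const int screen_reserved_entries[NUM_SCREENS] = { 2, 16, 256, 4 };

/* Weak: the client-supplied screen number indexes the table directly.
 * A negative or too-large value reads outside the array, which is the
 * "failure to sanitize an index value" class from the report. */
static int reserved_entries_unchecked(int32_t screen)
{
    return screen_reserved_entries[screen];   /* no bound check at all */
}

/* Hardened: compare the index as an unsigned value against the array
 * length, which rejects negatives and out-of-range values in one test.
 * Returns false on a bad request so the caller can reply with an error
 * instead of touching memory. */
static bool reserved_entries_checked(int32_t screen, int *out)
{
    if ((uint32_t)screen >= NUM_SCREENS)
        return false;
    *out = screen_reserved_entries[screen];
    return true;
}

/* Weak: width * height * bpp is computed in 32-bit arithmetic and can
 * wrap to a small number, so an enormous image passes the "fits in the
 * segment" test and the later copy overruns the segment (the integer
 * overflow class from the report). */
static bool shm_size_ok_unchecked(uint32_t seg_len, uint32_t offset,
                                  uint32_t width, uint32_t height,
                                  uint32_t bpp)
{
    uint32_t needed = width * height * bpp;   /* may wrap */
    return offset + needed <= seg_len;        /* may wrap again */
}

/* Hardened: widen to 64 bits and guard every multiplication and addition
 * explicitly, so the comparison is made on the true requirement. */
static bool shm_size_ok_checked(uint32_t seg_len, uint32_t offset,
                                uint32_t width, uint32_t height,
                                uint32_t bpp)
{
    uint64_t wh = (uint64_t)width * height;   /* two 32-bit factors fit */
    if (bpp != 0 && wh > UINT64_MAX / bpp)
        return false;                         /* product would wrap */
    uint64_t needed = wh * bpp;
    if (needed > UINT64_MAX - offset)
        return false;                         /* sum would wrap */
    return offset + needed <= seg_len;
}

int main(void)
{
    int v = 0;
    /* Constructed inputs: one valid request and two hostile ones. */
    printf("screen 2 (unchecked): %d\n", reserved_entries_unchecked(2));
    printf("screen 2 (checked):   %s, %d\n",
           reserved_entries_checked(2, &v) ? "ok" : "rejected", v);
    printf("screen -1 (checked):  %s\n",
           reserved_entries_checked(-1, &v) ? "ok" : "rejected");
    /* 65536 * 65536 wraps to 0 in 32 bits, so the weak check accepts
     * an image needing 16 GiB against a 4 KiB segment. */
    printf("huge image, weak check:     %s\n",
           shm_size_ok_unchecked(4096, 0, 65536, 65536, 4) ? "ok" : "rejected");
    printf("huge image, hardened check: %s\n",
           shm_size_ok_checked(4096, 0, 65536, 65536, 4) ? "ok" : "rejected");
    return 0;
}
```

The unchecked index helper is kept only to show the shape of the defect; the program never calls it with an out-of-range value, since that read is undefined behaviour. The size check deliberately verifies each arithmetic step rather than relying on the 64-bit widening alone, because three 32-bit factors can exceed 64 bits.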
Delay accepted by upstream.
I'll post ebuilds in the next couple of days. In case someone else wants to do
it before I get to it, my plan is to add individual patches, one for each vuln,
to the PATCHES variable of the ebuild. I'll make a 1.3.0.0-r3 and 1.4.0.90-r1.
xorg-server-1.2 will not be supported anymore.
Just FYI, I follow upstream xorg security bugs so I have most of the info.
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"
CC'ing current Liaisons:
alpha : ferdy
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : opfer
So that you know, I probably can't get to this before Monday because to test X
things like this (the server) I need to be physically where the system I use
for testing is. I doubt that will be possible before the 14th.
fmccor for sparc.
(In reply to comment #8)
> So that you know, I probably can't get to this before Monday
Not a problem, we have a buffer till Thursday, 17th currently. Thanks for
notifying.
Good to go on x86 (tested 1.3).
x11-base/xorg-server-1.3.0.0-r3 good on sparc.
Adding Tobias (Blackb|rd) for alpha
Tobias says it looks fine on alpha.
I say it looks fine on ia64.
1.3, that is.
amd64 -- 1.3.0.0-r3 looks good here.
We have all security-relevant stable keywords:
"alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Hi arches, (I'm back :) )
The confidential delay has expired. It's public from now on.
Donnie, or X11 maintainers, could you commit the stuff please, thanks. The GLSA
is ready. You did good work, thanks.
(In reply to comment #18)
> Donnie, or X11 maintainers, could you commit the stuff please, thanks. The GLSA
> is ready. You did good work, thanks.
Working on it. We missed a libXfont patch, so we'll need to re-add arches once
I get that in. It will be a few hours.
libXfont 1.3.1-r1 is in the tree, targeted for stable. Please re-add arches to
get it there.
Thx Donnie.
Arches please test and mark stable. Target keywords are:
libXfont-1.3.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc
ppc64 s390 sh sparc x86 ~x86-fbsd"
Adding CVE-2008-0006 for the libXfont issue.
x11-libs/libXfont-1.3.1-r1 USE="ipv6 -debug"
1. Emerges on AMD64.
2. No collisions etc.
3. Works. XOrg still works after upgrade.
Portage 2.1.3.19 (default-linux/amd64/2007.0/desktop, gcc-4.1.2,
glibc-2.6.1-r0, 2.6.23-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r3 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Fri, 11 Jan 2008 22:46:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p17-r1
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.23-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo
/etc/udev/rules.d"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer
multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans
userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/
http://trumpetti.atm.tut.fi/gentoo/
http://ftp.snt.utwente.nl/pub/os/linux/gentoo
http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing
/usr/portage/local/layman/mozilla /usr/portage/local/layman/kde
/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts
cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread
eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2
gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos
live lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn
mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf
perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection
samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff
truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg
xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem
bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel
intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias
authn_anon authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs
dav_lock deflate dir disk_cache env expires ext_filter file_cache filter
headers include info log_config logio mem_cache mime mime_magic negotiation
rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
VIDEO_CARDS="radeon"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS,
LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
libXfont-1.3.1-r1 stable on sparc, and we are done.
I just revbumped, maintaining the same keywords as in the original
security-marked revisions since this is a small modification to that.
Thx for the quick fix Donnie. Back to stable marking.
And now even with arches CC'ed :)
*** Bug 206633 has been marked as a duplicate of this bug. ***
libXfont-1.3.1-r1.ebuild: amd64 stable
Let's get the GLSA out.
Failed to update libXfont for me, probably because it was typoed as libxfont.
According to glsa-check --dump 200801-09:
...
Affected package: x11-libs/libxfont
Affected archs: All
Vulnerable: <1.3.1-r1
Unaffected: >=1.3.1-r1
...
(In reply to comment #36)
> Failed to update libXfont for me, probably because it was typoed as libxfont.
> According to glsa-check --dump 200801-09:
Sorry, the error is fixed in CVS, please emerge --sync.
I don't think this warrants an errata mail, as the "Resolution" section was
correct and the affected/unaffected section is mostly used by automated tools,
which will get the updated XML.