Bug 157421 - x11-base/xorg-server Multiple vulnerabilities in X.Org Render and DBE extensions (Vendor-Sec) (CVE-2006-610[1-3])
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
Whiteboard: A1? [glsa] jaervosz
Duplicates: 161163
Reported: 2006-12-07 05:17 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2019-12-30 12:24 UTC

Attachments
dbe-render.diff (5.20 KB, patch)
2007-01-07 12:31 UTC, Sune Kloppenborg Jeppesen (RETIRED)
Memory Corruption Vulnerability1.txt (5.99 KB, text/plain)
2007-01-07 12:35 UTC, Sune Kloppenborg Jeppesen (RETIRED)
Memory Corruption Vulnerability2.txt (5.81 KB, text/plain)
2007-01-07 12:36 UTC, Sune Kloppenborg Jeppesen (RETIRED)
Memory Corruption Vulnerability3.txt (6.68 KB, text/plain)
2007-01-07 12:36 UTC, Sune Kloppenborg Jeppesen (RETIRED)
1.0.2-dbe-render.diff (5.11 KB, patch)
2007-01-07 17:21 UTC, Joshua Baergen (RETIRED)
xorg-server-1.0.2-r8.ebuild (6.10 KB, text/plain)
2007-01-07 17:21 UTC, Joshua Baergen (RETIRED)
1.1.1-dbe-render.diff (5.20 KB, patch)
2007-01-07 17:22 UTC, Joshua Baergen (RETIRED)
xorg-server-1.1.1-r4.ebuild (16.94 KB, text/plain)
2007-01-07 17:22 UTC, Joshua Baergen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-07 05:17:02 UTC
Filing a short note now as no patches are currently available.

iDefense has contacted the X.Org security team about 3 vulnerabilities
they found in X.Org Render and DBE extensions.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-07 10:41:30 UTC
CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs
CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo
CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-07 12:31:10 UTC
Created attachment 105779 [details, diff]
dbe-render.diff
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-07 12:35:45 UTC
Created attachment 105781 [details]
Memory Corruption Vulnerability1.txt
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-07 12:36:00 UTC
Created attachment 105783 [details]
Memory Corruption Vulnerability2.txt
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-07 12:36:12 UTC
Created attachment 105785 [details]
Memory Corruption Vulnerability3.txt
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-07 12:36:38 UTC
Joshua, please advise and attach an updated ebuild to this bug. Note that this is still confidential.
Comment 7 Joshua Baergen (RETIRED) gentoo-dev 2007-01-07 17:21:13 UTC
Created attachment 105885 [details, diff]
1.0.2-dbe-render.diff
Comment 8 Joshua Baergen (RETIRED) gentoo-dev 2007-01-07 17:21:50 UTC
Created attachment 105887 [details]
xorg-server-1.0.2-r8.ebuild
Comment 9 Joshua Baergen (RETIRED) gentoo-dev 2007-01-07 17:22:28 UTC
Created attachment 105889 [details, diff]
1.1.1-dbe-render.diff

This is the same as the original dbe-render.diff.
Comment 10 Joshua Baergen (RETIRED) gentoo-dev 2007-01-07 17:22:56 UTC
Created attachment 105891 [details]
xorg-server-1.1.1-r4.ebuild
Comment 11 Joshua Baergen (RETIRED) gentoo-dev 2007-01-07 17:26:26 UTC
Hi Sune,

These two ebuilds replace all 1.0* and stable/testing 1.1* ebuilds.  1.1.99* and 1.2.99* will not be brought out of p.mask until new versions are released anyway, and those versions should include these fixes.

The patch needed a small change for the 1.0 server, but otherwise applied OK.  I re-did the patch so it should apply cleanly.  Although the advisories only talk about 1.1+, it does look like the 1.0 series is affected by this issue as well.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-09 18:23:34 UTC
*** Bug 161163 has been marked as a duplicate of this bug. ***
Comment 13 Donnie Berkholz (RETIRED) gentoo-dev 2007-01-09 18:32:15 UTC
For future reference, the Gentoo X lead should be informed of Gentoo's version of security issues. It's a lot better than making me look like a dunce filing dupes of bugs I should already know about (and did already know about, upstream). Please don't repeat this.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-09 18:39:36 UTC
If a maintainer is listed in metadata he gets CC'ed. Otherwise a victim is chosen from the Changelog. This time apparently the wrong one. Sorry about that.
Comment 15 Joshua Baergen (RETIRED) gentoo-dev 2007-01-13 00:14:29 UTC
(In reply to comment #13)
> For future reference, the Gentoo X lead should be informed of Gentoo's version
> of security issues. It's a lot better than making me look like a dunce filing
> dupes of bugs I should already know about (and did already know about,
> upstream). Please don't repeat this.
> 

Sorry, I barely had time to look at this and didn't realize you weren't notified.

Now that the issue is public, are we waiting for something?  Am I supposed to be doing something?
Comment 16 Donnie Berkholz (RETIRED) gentoo-dev 2007-01-13 00:23:06 UTC
(In reply to comment #15)
> Now that the issue is public, are we waiting for something?  Am I supposed to
> be doing something?

Stick this stuff into the tree and tell us which arches need to stable it.
Comment 17 Joshua Baergen (RETIRED) gentoo-dev 2007-01-13 17:12:59 UTC
Ebuilds are in the tree.  I'll clean out all the old ebuilds later once everything's stabled up.

Archs, please stable the appropriate ebuilds below:

everyone:
xorg-server-1.1.1-r4.ebuild

amd64, hppa, ppc64, x86:
xorg-server-1.0.2-r8.ebuild
Comment 18 Markus Meier gentoo-dev 2007-01-13 19:44:05 UTC
x11-base/xorg-server-1.1.1-r4  USE="aiglx dri ipv6 nptl sdl xorg xprint -3dfx -debug -dmx -kdrive -minimal"
1. emerges on x86, please note:
QA Notice: the following files are setXid, dyn linked, and using lazy bindings
LAZY usr/bin/Xorg
2. passes collision test
3. works

Gentoo Base System version 1.12.6
Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.5 i686)
=================================================================
System uname: 2.6.18.5 i686 AMD Athlon(TM) XP1800+
Last Sync: Sat, 13 Jan 2007 16:30:04 +0000
ccache version 2.4 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via82xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2 berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt cups dbus divx4linux dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss exif fam ffmpeg firefox fortran gdbm gif gnome gphoto2 gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_en linguas_en_GB mad mikmod mmx mmxext mono mp3 mpeg ncurses network nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-13 19:57:46 UTC
ppc stable
Comment 20 Andrej Kacian (RETIRED) gentoo-dev 2007-01-13 23:25:20 UTC
Both 1.0.2-r8 and 1.1.1-r4 stable on x86.
Comment 21 Ferris McCormick (RETIRED) gentoo-dev 2007-01-14 17:20:28 UTC
xorg-server-1.1.1-r4 stable on sparc.
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2007-01-14 18:50:09 UTC
ppc64 stable
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2007-01-14 23:40:01 UTC
Marked stable for HPPA by killerfox.
Comment 24 Bryan Østergaard (RETIRED) gentoo-dev 2007-01-15 18:03:06 UTC
1.1.1-r4 stable on Alpha.
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-22 12:06:00 UTC
ping amd64, a problem?
Comment 26 Steve Dibb (RETIRED) gentoo-dev 2007-01-22 15:20:49 UTC
(In reply to comment #17)
> Ebuilds are in the tree.  I'll clean out all the old ebuilds later once
> everything's stabled up.
> 
> Archs, please stable the appropriate ebuilds below:
> 
> everyone:
> xorg-server-1.1.1-r4.ebuild
> 
> amd64, hppa, ppc64, x86:
> xorg-server-1.0.2-r8.ebuild

amd64 stable

Comment 27 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-22 16:33:46 UTC
(In reply to comment #17)

> everyone:
> xorg-server-1.1.1-r4.ebuild
> 
> amd64, hppa, ppc64, x86:
> xorg-server-1.0.2-r8.ebuild

hppa, you also want to mark 1.0.2-r8 stable? 

Comment 28 Guy Martin (RETIRED) gentoo-dev 2007-01-22 20:39:37 UTC
(In reply to comment #27)
> hppa, you also want to mark 1.0.2-r8 stable? 


nope, ppl will have to upgrade to latest. Tnx for checking

Comment 29 Donnie Berkholz (RETIRED) gentoo-dev 2007-01-24 06:59:07 UTC
We just stopped supporting xorg-server 1.0 because of the release of 1.2 (two "major" versions later). We now support only 1.1 and 1.2.

So feel free to leave 1.0 out of the GLSA entirely -- >=xorg-server-1.1.1-r4 is safe and that's it.
Comment 30 Joshua Baergen (RETIRED) gentoo-dev 2007-01-27 18:13:36 UTC
Looks like we're just waiting for ARM and MIPS.
Comment 31 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-27 19:42:37 UTC
GLSA 200701-25

thanks everyone