
Bug 189696

Summary: x11-base/xorg-server xserver not patched by GLSA-200705-10
Product: Gentoo Security
Reporter: Seth Hanford <shanford>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: x11
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: jaervosz
Package list:
Runtime testing required: ---

Description Seth Hanford 2007-08-21 12:19:51 UTC
Looking at GLSA-200705-10, it does not appear that CVE-2007-1003 is fixed.

Specifically, the bug report:
http://bugs.gentoo.org/show_bug.cgi?id=172575

initially mentions that the issue is about CVE-2007-1351 and -1352, which are in libxfont and tightvnc (BDF parsing). However, a patch is attached to the bug report and tested for XC Misc (CVE-2007-1003). My concern is that the resulting GLSA only prompts users to emerge libxfont and tightvnc, and NOT the xorg server.

It seems that the appropriate patch is available, but that users may not have been prompted to update for it. Looking at the list of subsequent GLSAs, it does not seem that there are any later xorg issues to date, and therefore xorg installations may remain unpatched against this issue.

Would you please update the advisory to alert users to upgrade their xorg installs?
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-21 20:40:40 UTC
x11 please advise. 
Comment 2 Donnie Berkholz (RETIRED) gentoo-dev 2007-08-21 21:27:39 UTC
I agree with the reporter -- the GLSA omitted the information about xorg-server.

Safe versions: all currently in the tree.

Safe: 1.1.1-r5, >=1.2.0-r3
Unsafe: 1.2.0 earlier than -r3, <1.1.1-r5
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-15 05:13:53 UTC
I think we can close this one now since we have GLSA-200710-16 anyway...