| Field | Value |
|---|---|
| Summary | <x11-base/xorg-server-1.18.4: integer underflow when handling trapezoids (CVE-2013-6424) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| Severity | major |
| Priority | Normal |
| CC | x11 |
| Flags | kensington: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1037984 |
| Whiteboard | A2 [glsa cve cleanup] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 579266, 611350, 633910 |
| Bug Blocks | |
Description

Agostino Sarubbo

CVE-2013-6424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6424): Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.

It appears that this patch was still not accepted into fdo git. http://lists.x.org/archives/xorg-devel/2013-October/037996.html

@maintainer(s), 1.18.4 has the appropriate fix, but 1.16.4 and 1.17.4 do not. Stable keywords do not match the older versions so we can request stable here if you like. What would you like to do?

Yes, please stabilize. Thanks.

(In reply to Aaron Bauman from comment #3)
> @maintainer(s), 1.18.4 has the appropriate fix, but 1.16.4 and 1.17.4 do
> not.

So what are you going to do for people stuck on those older versions?

(In reply to Jeroen Roovers from comment #5)
> (In reply to Aaron Bauman from comment #3)
> > @maintainer(s), 1.18.4 has the appropriate fix, but 1.16.4 and 1.17.4 do
> > not.
>
> So what are you going to do for people stuck on those older versions?

Can the maintainers backport the appropriate patch? We are not trying to isolate anyone here. Should these last arches not be stabilized?

Already stable on alpha amd64 hppa x86.

(In reply to Agostino Sarubbo from comment #7)
> Already stable on alpha amd64 hppa x86.

Yes, I am aware, but his concern seems to be the older versions.

(In reply to Aaron Bauman from comment #8)
> Yes, I am aware, but his concern seems to be the older versions.

Fine for me. CC back the interested arches when there will be a defined target.

@arches, please finalize stabilization.

arm stable

Ping for final arches.

Ping for final arches.

It mustn't only be xorg-server-1.18.4 to be stabled. There are a few other things that should be done in parallel (xorg-drivers, various drivers that might need to be stabled to actually be compatible with that xserver, etc), and these are included in the dependent bug 579266 (though there are some things that don't HAVE to be done at the same time, but...). sanity-check+ is happening because kensington's checker also included all the atoms in bug 579266 in the check as well, because it's marked as a dependency. I am removing the xorg-server atom here to avoid confusion that might end up with only xserver being stabilized without all the rest. xorg-server-1.18.4 is already included in the bug 579266 list.

(In reply to Mart Raudsepp from comment #14)
> It mustn't only be xorg-server-1.18.4 to be stabled. There are a few other
> things that should be done in parallel (xorg-drivers, various drivers that
> might need to be stabled to actually be compatible with that xserver, etc),
> and these are included in the dependent bug 579266 (though there are some
> things that don't HAVE to be done at the same time, but...).
> sanity-check+ is happening because kensington's checker also included all the
> atoms in bug 579266 in the check as well, because it's marked as a
> dependency.
> I am removing the xorg-server atom here to avoid confusion that might end up
> with only xserver being stabilized without all the rest. xorg-server-1.18.4
> is already included in the bug 579266 list.

Thanks, my bad on missing that. Pending arches should do bug 579266 then.

This issue was resolved and addressed in GLSA 201701-64 at https://security.gentoo.org/glsa/201701-64 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <x11-base/xorg-server-1.18.4 or apply masks indicating a security problem.

Cleanup dependency Bug 611350

1.18 is now gone from the tree, and versions <1.19.2 are now package.mask'd. Please proceed.

This issue was resolved and addressed in GLSA 201710-30 at https://security.gentoo.org/glsa/201710-30 by GLSA coordinator Aaron Bauman (b-man).
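The underflow named in the CVE description above, shown as an added example (not code from xorg-server or from this bug): a reconstructed subtract-based validity check beside the direct-comparison form, run on a constructed trapezoid whose bottom is a large negative value. The type names and the exact shape of both checks are assumptions modelled on the X Render 16.16 fixed-point types, not the project's real render/picture.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the X Render types (assumption, not the real
 * headers). xFixed is a signed 32-bit 16.16 fixed-point value. */
typedef int32_t xFixed;
typedef struct { xFixed x, y; } xPointFixed;
typedef struct { xPointFixed p1, p2; } xLineFixed;
typedef struct { xFixed top, bottom; xLineFixed left, right; } xTrapezoid;

/* Pattern of the pre-fix check (reconstructed): height = bottom - top.
 * With a large negative bottom and a positive top the 32-bit result wraps,
 * so an invalid trapezoid is reported as having a positive height. The wrap
 * is done in unsigned arithmetic here so the demo is well defined in C. */
static bool trapezoid_valid_subtract(const xTrapezoid *t)
{
    uint32_t height = (uint32_t)t->bottom - (uint32_t)t->top;
    bool height_positive = height != 0 && (height & 0x80000000u) == 0;
    return t->left.p1.y != t->left.p2.y &&
           t->right.p1.y != t->right.p2.y && height_positive;
}

/* Hardened check: compare the two values directly. No intermediate
 * subtraction exists, so there is nothing left to overflow. */
static bool trapezoid_valid_compare(const xTrapezoid *t)
{
    return t->left.p1.y != t->left.p2.y &&
           t->right.p1.y != t->right.p2.y && t->bottom > t->top;
}

/* Well-formed edges (distinct y's), so only top/bottom decide the outcome. */
static xTrapezoid make_trapezoid(xFixed top, xFixed bottom)
{
    xTrapezoid t = { top, bottom,
                     { {0, 0}, {0, 1 << 16} },
                     { {1 << 16, 0}, {1 << 16, 1 << 16} } };
    return t;
}

static bool check_old(xFixed top, xFixed bottom)
{ xTrapezoid t = make_trapezoid(top, bottom); return trapezoid_valid_subtract(&t); }

static bool check_fixed(xFixed top, xFixed bottom)
{ xTrapezoid t = make_trapezoid(top, bottom); return trapezoid_valid_compare(&t); }

int main(void)
{
    /* Constructed malformed request: top far down the canvas, bottom negative. */
    const xFixed top = 0x7FFF0000, bottom = -0x7FFF0000;
    printf("old check: %s, fixed check: %s\n",
           check_old(top, bottom) ? "accepted" : "rejected",
           check_fixed(top, bottom) ? "accepted" : "rejected");
    return 0;
}
```

The subtract form accepts the negative-bottom trapezoid because bottom - top wraps to 0x20000, while the comparison form rejects it; both agree on ordinary valid and invalid inputs.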