Summary: | <x11-libs/{libX11-1.6.4,libXfixes-5.0.3,libXi-1.7.7,libXrandr-1.5.1,libXrender-0.9.10,libXtst-1.2.3,libXv-1.0.11,libXvMC-1.0.10}: Multiple vulnerabilities
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Manuel Rüger (RETIRED) <mrueg>
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
Priority: | Normal
CC: | nobrowser, x11
Flags: | stable-bot: sanity-check+
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://lists.x.org/archives/xorg-announce/2016-October/002720.html
Whiteboard: | A3 [glsa cve]
Runtime testing required: | ---
Bug Depends on: | 579266
Bug Blocks: | 611056

Package list:
x11-libs/libX11-1.6.4 alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86
x11-libs/libXfixes-5.0.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
x11-libs/libXrender-0.9.10 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
x11-libs/libXi-1.7.8 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
x11-libs/libXrandr-1.5.1 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
x11-libs/libXv-1.0.11 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
x11-libs/libXtst-1.2.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
x11-libs/libXvMC-1.0.10 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Description
Manuel Rüger (RETIRED)
2016-10-04 23:15:30 UTC
All versions with fixes have been added to the tree.
*** Bug 596164 has been marked as a duplicate of this bug. ***
Created attachment 449222
Stabilization list
Arches, your turn. Most of these only contain security and safe janitorial fixes, except for libX11, which has some other small changes as well, but should be good. ia64, ppc, ppc64, sparc - as you still haven't completed bug 579266, it might be a dependency of this security stabilization. At least a newer libxcb is necessary (which bug 559062 even older stabilization would bump to a high enough version too though). But probably best to just go for latest stabilization requested versions in one go by now.
Stable for HPPA PPC64.
amd64 stable
x86 stable
*** Bug 596574 has been marked as a duplicate of this bug. ***
For a while a number of these had digest mismatch issues which were all cleaned up a couple of days ago except for this one:
>>> Fetching (13 of 118) x11-libs/libXtst-1.2.3::gentoo
!!! Digest verification failed:
!!! /usr/portage/x11-libs/libXtst/libXtst-1.2.3.ebuild
!!! Reason: Filesize does not match recorded size
!!! Got: 831
!!! Expected: 832
>>> Failed to emerge x11-libs/libXtst-1.2.3
(In reply to Mark Knecht from comment #9)
Seems fixed here. When was your last sync? Please check again and if the problem persists open a new bug. This is a stabilization bug.
Stable on alpha
arm stable
Created attachment 451372
Stabilization list
Updated stabilization list to s/libXi-1.7.7/libXi-1.7.8/ since the latter fixes a crash introduced in the former. The changes are minor, so I've retained the stable keywords added in this bug.
ppc stable.
arm64 stable.
sparc stable
ia64 please complete stabilization.
New GLSA Request filed.
Note that you can do the newer versions of libX11 and libXi from the blocking bug 611056 instead.
ia64 stable.
Maintainer(s), please clean up.
Vulnerable versions cleaned.
Arches and Maintainer(s), Thank you for your work.
This issue was resolved and addressed in GLSA 201704-03 at https://security.gentoo.org/glsa/201704-03 by GLSA coordinator Kristian Fiskerstrand (K_F).