Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 633910 (CVE-2017-13721, CVE-2017-13723)

Summary: <x11-base/xorg-server-1.19.4: multiple vulnerabilities
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: x11
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.x.org/archives/xorg-announce/2017-October/002809.html
Whiteboard: A3 [glsa cve]
Package list:
x11-base/xorg-server-1.19.5
Runtime testing required: ---
Bug Depends on: 635974    
Bug Blocks: 493294, 611350    

Description D'juan McDonald (domhnall) 2017-10-10 06:10:00 UTC
See ${URL}:

CVE-2017-13721(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13721):
In X.Org Server (aka xserver and xorg-server) before 1.19.4, an attacker authenticated to an X server with the X shared memory extension enabled can cause aborts of the X server or replace shared memory segments of other X clients in the same session.

CVE-2017-13723(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13723):
In X.Org Server (aka xserver and xorg-server) before 1.19.4, a local attacker authenticated to the X server could overflow a global buffer, causing crashes of the X server or potentially other problems by injecting large or malformed XKB related atoms and accessing them via xkbcomp.

Upstream Details/Fix:
(https://lists.x.org/archives/xorg-announce/2017-October/002809.html)

@maintainer(s), after fix, please call for stabilization when ready, thank you!

Gentoo Security Padawan
Daj' Uan (jmbailey)
Comment 1 Mart Raudsepp gentoo-dev 2017-10-10 20:18:07 UTC
1.19.4 has been in tree for 5 days..
Comment 2 Mart Raudsepp gentoo-dev 2017-10-10 21:32:06 UTC
I can't personally call for stable though, before I've looked into bug 633530 (help welcome)
Comment 3 Mart Raudsepp gentoo-dev 2017-10-11 21:57:51 UTC
We should be able to proceed now.
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2017-10-12 19:26:46 UTC
Stable on amd64
Comment 5 Mart Raudsepp gentoo-dev 2017-10-12 20:12:46 UTC
Withdrawing stabilization, as there's a regression fix in just released xorg-server-1.19.5 and more security fixes. So we should target that instead and do it all at once, I think. Especially due to the regression in 1.19.4 (but I don't know its severity).

https://lists.x.org/archives/xorg-devel/2017-October/054871.html
Comment 6 Manuel Rüger (RETIRED) gentoo-dev 2017-10-13 12:32:32 UTC
Version bumped to 1.19.5
Comment 7 D'juan McDonald (domhnall) 2017-10-16 01:14:32 UTC
@arches, please test and mark for stable, thank you.

stabilization target =x11-base/xorg-server-1.19.4
Comment 8 Mart Raudsepp gentoo-dev 2017-10-16 01:26:56 UTC
see comment #5...
Comment 9 Mart Raudsepp gentoo-dev 2017-10-19 20:28:03 UTC
We have concluded together with Matt, that we can proceed with 1.19.5.
Bug 633530 seems to be an eudev issue now -- mixing of stable eudev with testing eudev, so not affecting full stable tree for security.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 01:40:05 UTC
The first fixed version in tree was 1.19.4 as it's related to the reported CVE.  The stabilization target can be different, but the record should reflect the actual fixed ebuild.
Comment 11 Agostino Sarubbo gentoo-dev 2017-10-20 13:01:48 UTC
amd64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-22 14:13:14 UTC
ia64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-22 14:13:29 UTC
ppc/ppc64 stable (thanks to ernsteiswuerfel)
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-22 20:34:05 UTC
x86 stable
Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:50:03 UTC
Stable on alpha.
Comment 16 Markus Meier gentoo-dev 2017-10-24 17:38:10 UTC
arm stable
Comment 17 Mart Raudsepp gentoo-dev 2017-10-24 18:15:22 UTC
(In reply to Aaron Bauman from comment #10)
> The first fixed version in tree was 1.19.4 as it's related to the reported
> CVE.  The stabilization target can be different, but the record should
> reflect the actual fixed ebuild.

there should be a record for the CVEs 1.19.5 fixed, and I suggested it be here and suggested them to be added here.
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-24 19:29:29 UTC
hppa stable
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2017-10-25 00:35:40 UTC
@maintainers, please clean the vulnerable versions.


(In reply to Mart Raudsepp from comment #17)
> (In reply to Aaron Bauman from comment #10)
> > The first fixed version in tree was 1.19.4 as it's related to the reported
> > CVE.  The stabilization target can be different, but the record should
> > reflect the actual fixed ebuild.
> 
> there should be a record for the CVEs 1.19.5 fixed, and I suggested it be
> here and suggested them to be added here.

Sure.  Another bug can be opened to track if you want.
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-25 11:45:50 UTC
New GLSA request filed.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 19:44:58 UTC
This issue was resolved and addressed in
 GLSA 201710-30 at https://security.gentoo.org/glsa/201710-30
by GLSA coordinator Aaron Bauman (b-man).
Comment 22 Aaron Bauman (RETIRED) gentoo-dev 2017-10-29 19:45:46 UTC
re-opened for cleanup
Comment 23 Matt Turner gentoo-dev 2017-10-31 01:38:48 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 24 Matt Turner gentoo-dev 2017-10-31 18:16:02 UTC
Vulnerable versions removed in

commit 67af98328e08ad9e53a857d1b51c9ecea8716ead
Author: Matt Turner <mattst88@gentoo.org>
Date:   Mon Oct 30 18:44:14 2017 -0700

    x11-base/xorg-server: Drop vulnerable versions