Summary: | <x11-base/xorg-server-21.1.6 <x11-base/xwayland-23.1.0: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 880793, 888677 | ||
Bug Blocks: |
Description
John Helmert III
2022-10-17 14:59:08 UTC
(In reply to John Helmert III from comment #0) > CVE-2022-3550 > (https://cgit.freedesktop.org/xorg/xserver/commit/ > ?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e): Was cherry-picked as cb4fd4d06ee8bd71b7176f58ecad70b69e3702d8 to the xwayland-22.1 branch. Not in any tag. I don't see it in the server-21.1-branch branch. > A vulnerability classified as critical was found in X.org Server. Affected > by this vulnerability is the function _GetCountedString of the file > xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to > apply a patch to fix this issue. The associated identifier of this > vulnerability is VDB-211051. > > CVE-2022-3551 > (https://cgit.freedesktop.org/xorg/xserver/commit/ > ?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2): Was cherry-picked as baad076c4df664092158d2822b244ef69ff8edaa to the xwayland-22.1 branch. Not in any tag. I don't see it in the server-21.1-branch branch. > A vulnerability, which was classified as problematic, has been found in > X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of > the file xkb/xkb.c. The manipulation leads to memory leak. It is recommended > to apply a patch to fix this issue. The identifier of this vulnerability is > VDB-211052. > > CVE-2022-3553 > (https://cgit.freedesktop.org/xorg/xserver/commit/ > ?id=dfd057996b26420309c324ec844a5ba6dd07eda3): I don't see this commit cherry-picked to the xwayland-22.1 branch. Thanks! I keep forgetting to check xwayland too... Pathces for CVE-2022-355{0,1} are in xwayland-22.1.4. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fe591d4f982e938ef2bd111487ded7560539325 commit 9fe591d4f982e938ef2bd111487ded7560539325 Author: Matt Turner <mattst88@gentoo.org> AuthorDate: 2022-10-25 13:42:49 +0000 Commit: Matt Turner <mattst88@gentoo.org> CommitDate: 2022-10-25 13:45:58 +0000 x11-base/xwayland: Version bump to 22.1.4 Bug: https://bugs.gentoo.org/877459 Signed-off-by: Matt Turner <mattst88@gentoo.org> x11-base/xwayland/Manifest | 1 + x11-base/xwayland/xwayland-22.1.4.ebuild | 100 +++++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+) Doesn't look like all of the fixes have made it into releases, right? (In reply to John Helmert III from comment #5) > Doesn't look like all of the fixes have made it into releases, right? Right. FWIW, the CVEs were requested and assigned without X.Org knowing, and I think we're not really confident that they're actually issues. Maybe the Quartz one, but... it's Quartz. From the xorg-security list (7 days ago):
> Mitre responded today:
>
> VulDB has determined that they accidentally assigned a Record for
> CVE-2022-3554 and CVE-2022-3555. They have already rejected both IDs.
> We consider this matter closed, but please let us know if you have
> any follow up questions, comments, or concerns for us.
>
> And these now show they were rejected last week:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3554
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3555
>
> but the three reported against Xorg & Xquartz are still live, so it looks
> like they only rejected the ones we pushed back on:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553
(In reply to Matt Turner from comment #7) > From the xorg-security list (7 days ago): > > > Mitre responded today: > > > > VulDB has determined that they accidentally assigned a Record for > > CVE-2022-3554 and CVE-2022-3555. They have already rejected both IDs. > > We consider this matter closed, but please let us know if you have > > any follow up questions, comments, or concerns for us. > > > > And these now show they were rejected last week: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3554 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3555 > > > > but the three reported against Xorg & Xquartz are still live, so it looks > > like they only rejected the ones we pushed back on: > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553 Great! We'll ignore the invalid CVEs, CVE-2022-{3554,3555} The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b176c5411f6f5fbb856fa51cc17b92af61504c04 commit b176c5411f6f5fbb856fa51cc17b92af61504c04 Author: Matt Turner <mattst88@gentoo.org> AuthorDate: 2022-12-04 01:23:14 +0000 Commit: Matt Turner <mattst88@gentoo.org> CommitDate: 2022-12-04 02:36:05 +0000 x11-base/xwayland: Drop old versions Bug: https://bugs.gentoo.org/877459 Signed-off-by: Matt Turner <mattst88@gentoo.org> x11-base/xwayland/Manifest | 2 - x11-base/xwayland/xwayland-22.1.3.ebuild | 100 ------------------------------- x11-base/xwayland/xwayland-22.1.4.ebuild | 100 ------------------------------- 3 files changed, 202 deletions(-) xwayland-22.1.7 and xorg-server-21.1.6 were just released, the latter says it fixes CVE-2022-3550 and CVE-2022-3551. Indeed, patches for these are in xwayland-22.1.4 and xorg-server-21.1.6. I see the patch for CVE-2022-3553 in xorg-server-21.1.4, but not in xwayland. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587798c8f9ee0744ec2f08569411d4a6be6beaf0 commit 587798c8f9ee0744ec2f08569411d4a6be6beaf0 Author: Matt Turner <mattst88@gentoo.org> AuthorDate: 2022-12-20 18:45:33 +0000 Commit: Matt Turner <mattst88@gentoo.org> CommitDate: 2022-12-20 18:58:34 +0000 x11-base/xwayland: Version bump to 22.1.7 Bug: https://bugs.gentoo.org/877459 Signed-off-by: Matt Turner <mattst88@gentoo.org> x11-base/xwayland/Manifest | 1 + x11-base/xwayland/xwayland-22.1.7.ebuild | 100 +++++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8268a113aaddf90933c676cf0fe88e49e5b26302 commit 8268a113aaddf90933c676cf0fe88e49e5b26302 Author: Matt Turner <mattst88@gentoo.org> AuthorDate: 2023-01-03 15:31:50 +0000 Commit: Matt Turner <mattst88@gentoo.org> CommitDate: 2023-01-03 15:55:30 +0000 x11-base/xwayland: Drop old versions Bug: https://bugs.gentoo.org/877459 Bug: https://bugs.gentoo.org/885825 Signed-off-by: Matt Turner <mattst88@gentoo.org> x11-base/xwayland/Manifest | 2 - x11-base/xwayland/xwayland-22.1.5.ebuild | 100 ------------------------------- x11-base/xwayland/xwayland-22.1.6.ebuild | 100 ------------------------------- 3 files changed, 202 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2770505a4547a8f25b82b690236f655dc3a2eee0 commit 2770505a4547a8f25b82b690236f655dc3a2eee0 Author: Matt Turner <mattst88@gentoo.org> AuthorDate: 2023-01-03 15:31:47 +0000 Commit: Matt Turner <mattst88@gentoo.org> CommitDate: 2023-01-03 15:55:29 +0000 x11-base/xorg-server: Drop old versions Bug: https://bugs.gentoo.org/877459 Bug: https://bugs.gentoo.org/885825 Signed-off-by: Matt Turner <mattst88@gentoo.org> x11-base/xorg-server/Manifest | 2 - x11-base/xorg-server/xorg-server-21.1.4-r1.ebuild | 195 ---------------------- x11-base/xorg-server/xorg-server-21.1.4.ebuild | 190 --------------------- x11-base/xorg-server/xorg-server-21.1.5.ebuild | 195 ---------------------- 4 files changed, 582 deletions(-) The xquartz patch eventually made it into xwayland-23.1.0. GLSA request filed The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=f91a69c129c65b48c349fa74cf96eb46e176c139 commit f91a69c129c65b48c349fa74cf96eb46e176c139 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-05-30 02:54:51 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2023-05-30 02:56:36 +0000 [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/829208 Bug: https://bugs.gentoo.org/877459 Bug: https://bugs.gentoo.org/885825 Bug: https://bugs.gentoo.org/893438 Bug: https://bugs.gentoo.org/903547 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202305-30.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) GLSA released, all done! |