Multiple vulnerabilities were reported in X.Org Server.

CVE-2007-5958: xorg does not enforce restrictions when a user specifies a security policy, allowing for disclosure of the existence of a file (and an attempt to open it).
CVE-2007-5760: Invalid array index vulnerability in the XFree86-Misc extension when processing PassMessage requests, leading to arbitrary code execution.
CVE-2007-6427: Heap memory corruption vulnerability in various functions within the XInput extension.
CVE-2007-6428: Failure to sanitize an index value, leading to arbitrary memory access in the ProcGetReservedColormapEntries() function in the TOG-CUP extension.
CVE-2007-6429: Integer overflow in the ProcEVIGetVisualInfo() function in the EVI extension and in the VERIFY_SHMSIZE macro in the MIT-SHM extension, leading to buffer overflows.
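Two of the bug classes listed above (the unsanitized index of CVE-2007-6428 and the size-computation overflow of CVE-2007-6429) are illustrated below as an added example. This is not X.Org code and does not reproduce VERIFY_SHMSIZE or ProcGetReservedColormapEntries; the function names, the fixed-size table and the sample inputs are constructed for the illustration. It shows the naive check beside the hardened one so the difference in behaviour on wrapped or out-of-range client-supplied values is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical: a server-side table of 16 reserved entries (constructed). */
#define RESERVED_ENTRIES 16
static const uint32_t reserved_table[RESERVED_ENTRIES] = {0};

/* Naive size check of the kind behind an integer-overflow bug: the product
 * width * height * bytes_per_pixel is computed in 32 bits and can wrap, so a
 * huge request compares as "small" and passes against the segment size. */
static bool shm_size_ok_naive(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, size_t seg_size) {
    uint32_t needed = width * height * bytes_per_pixel; /* wraps mod 2^32 */
    return needed <= seg_size;
}

/* Hardened check: reject zero dimensions, compute in 64 bits and test each
 * multiplication for overflow before comparing against the segment size. */
static bool shm_size_ok_checked(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel, size_t seg_size) {
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    /* Two 32-bit factors always fit in 64 bits. */
    uint64_t area = (uint64_t)width * (uint64_t)height;
    /* Third factor: area * bpp overflows iff area > UINT64_MAX / bpp. */
    if (area > UINT64_MAX / bytes_per_pixel)
        return false;
    uint64_t needed = area * bytes_per_pixel;
    return needed <= (uint64_t)seg_size;
}

/* Unsanitized index of the CVE-2007-6428 kind: a client-supplied index is
 * used directly, so any value past the table end reads arbitrary memory. */
static bool reserved_index_ok_naive(uint32_t index) {
    (void)index;
    return true; /* no validation at all */
}

/* Hardened: the index must be strictly below the table length. */
static bool reserved_index_ok_checked(uint32_t index) {
    return index < RESERVED_ENTRIES;
}

int main(void) {
    /* Constructed inputs: 65536 x 65536 x 1 byte = 2^32, wraps to 0 in 32 bits. */
    printf("naive   65536x65536x1 in 4096 bytes: %d\n",
           shm_size_ok_naive(65536, 65536, 1, 4096));
    printf("checked 65536x65536x1 in 4096 bytes: %d\n",
           shm_size_ok_checked(65536, 65536, 1, 4096));
    printf("naive   index 1000: %d\n", reserved_index_ok_naive(1000));
    printf("checked index 1000: %d\n", reserved_index_ok_checked(1000));
    (void)reserved_table;
    return 0;
}
```

The same 64-bit-and-divide pattern applies to any server-side size derived from several client-controlled factors; the division test is the portable way to detect overflow without relying on compiler builtins.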
Donnie, I'll be attaching patches to this bug in a moment. Please prepare updated ebuilds (at least for our stable 1.3) and attach them to this bug. Do not commit anything yet as these vulnerabilities are under embargo until Jan. 8 (delay was requested).
Created attachment 140148: 1.4-security-204362.patch. Upstream proposed patch.
Created attachment 140149: 1.3.0.0-security-204362.patch. Backported version for 1.3.0.0 -- mostly declarations were changed, please check though.
Delay accepted by upstream.
I'll post ebuilds in the next couple of days. In case someone else wants to do it before I get to it, my plan is to add individual patches, one for each vuln, to the PATCHES variable of the ebuild. I'll make a 1.3.0.0-r3 and 1.4.0.90-r1. xorg-server-1.2 will not be supported anymore. Just FYI, I follow upstream xorg security bugs so I have most of the info.
Created attachment 140734: Tarred up x11-base/xorg-server/. Unpack this in the base of your overlay.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"
CC'ing current Liaisons:
alpha : ferdy
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : opfer
So that you know, I probably can't get to this before Monday because to test X things like this (the server) I need to be physically where the system I use for testing is. I doubt that will be possible before the 14th. fmccor for sparc.
(In reply to comment #8)
> So that you know, I probably can't get to this before Monday

Not a problem, we have a buffer till Thursday, 17th currently. Thanks for notifying.
Good to go on x86 (tested 1.3).
1.3 is OK for HPPA.
looks good on ppc64
x11-base/xorg-server-1.3.0.0-r3 good on sparc.
Adding Tobias (Blackb|rd) for alpha
Looks good on ppc
Tobias says it looks fine on alpha. I say it looks fine on ia64. 1.3, that is.
amd64 -- 1.3.0.0-r3 looks good here. We have all security-relevant stable keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Hi arches, (I'm back :) ) The confidential delay has expired. It's public from now. Donnie, or X11 maintainers, could you commit the stuff please, thanks. The GLSA is ready. You did good work, thanks.
(In reply to comment #18)
> Donnie, or X11 maintainers, could you commit the stuff please, thanks. The GLSA
> is ready. You did good work, thanks.

Working on it. We missed a libXfont patch, so we'll need to re-add arches once I get that in. It will be a few hours.
libXfont 1.3.1-r1 is in the tree, targeted for stable. Please re-add arches to get it there.
Thx Donnie. Arches please test and mark stable. Target keywords are:
libXfont-1.3.1-r1.ebuild: KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Adding CVE-2008-0006 for the libXfont issue.
x86 stable
x11-libs/libXfont-1.3.1-r1 USE="ipv6 -debug"
1. Emerges on AMD64.
2. No collisions etc.
3. Works. XOrg still works after upgrade.

Portage 2.1.3.19 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r3 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Fri, 11 Jan 2008 22:46:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p17-r1
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.23-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/portage/local/layman/mozilla /usr/portage/local/layman/kde /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos live lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="radeon"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
ppc64 done
libXfont-1.3.1-r1 stable on sparc, and we are done.
alpha/ia64 stable
ppc stable
Seems like the patch introduced a regression with xine-ui, vlc and others. Back to ebuild for now.
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=e9fa7c1c88a8130a48f772c92b186b8b777986b5
Donnie please verify and update patches accordingly. Sorry for the extra work.
I just revbumped, maintaining the same keywords as in the original security-marked revisions since this is a small modification to that.
Thx for the quick fix Donnie. Back to stable marking.
And now even with arches CC'ed :)
Stable for HPPA.
*** Bug 206633 has been marked as a duplicate of this bug. ***
libXfont-1.3.1-r1.ebuild: amd64 stable
Let's get the GLSA out.
GLSA 200801-09, thanks.
Failed to update libXfont for me, probably because it was typoed as libxfont. According to glsa-check --dump 200801-09:
...
Affected package: x11-libs/libxfont
Affected archs: All
Vulnerable: <1.3.1-r1
Unaffected: >=1.3.1-r1
...
(In reply to comment #36)
> Failed to update libXfont for me, probably because it was typoed as libxfont.
> According to glsa-check --dump 200801-09:

Sorry, the error is fixed in CVS, please emerge --sync. I don't think this warrants an errata mail, as the "Resolution" section was correct and the affected/unaffected section is mostly used by automated tools, which will get the updated XML.