Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 877459 (CVE-2022-3550, CVE-2022-3551, CVE-2022-3553) - <x11-base/xorg-server-21.1.6 <x11-base/xwayland-23.1.0: multiple vulnerabilities
Summary: <x11-base/xorg-server-21.1.6 <x11-base/xwayland-23.1.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-3550, CVE-2022-3551, CVE-2022-3553
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 880793 888677
Blocks:
  Show dependency tree
 
Reported: 2022-10-17 14:59 UTC by John Helmert III
Modified: 2023-05-30 02:59 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 14:59:08 UTC
CVE-2022-3550 (https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e):

A vulnerability classified as critical was found in X.org Server. Affected by this vulnerability is the function _GetCountedString of the file xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211051.

CVE-2022-3551 (https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2):

A vulnerability, which was classified as problematic, has been found in X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of the file xkb/xkb.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211052.

CVE-2022-3553 (https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3):

A vulnerability, which was classified as problematic, was found in X.org Server. This affects an unknown part of the file hw/xquartz/X11Controller.m of the component xquartz. The manipulation leads to denial of service. It is recommended to apply a patch to fix this issue. The identifier VDB-211053 was assigned to this vulnerability.

Seems like these aren't in a tag yet.
Comment 1 Matt Turner gentoo-dev 2022-10-18 05:00:10 UTC
(In reply to John Helmert III from comment #0)
> CVE-2022-3550
> (https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e):

Was cherry-picked as cb4fd4d06ee8bd71b7176f58ecad70b69e3702d8 to the xwayland-22.1 branch. Not in any tag. I don't see it in the server-21.1-branch branch.

> A vulnerability classified as critical was found in X.org Server. Affected
> by this vulnerability is the function _GetCountedString of the file
> xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to
> apply a patch to fix this issue. The associated identifier of this
> vulnerability is VDB-211051.
> 
> CVE-2022-3551
> (https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2):

Was cherry-picked as baad076c4df664092158d2822b244ef69ff8edaa to the xwayland-22.1 branch. Not in any tag. I don't see it in the server-21.1-branch branch.

> A vulnerability, which was classified as problematic, has been found in
> X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of
> the file xkb/xkb.c. The manipulation leads to memory leak. It is recommended
> to apply a patch to fix this issue. The identifier of this vulnerability is
> VDB-211052.
> 
> CVE-2022-3553
> (https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=dfd057996b26420309c324ec844a5ba6dd07eda3):

I don't see this commit cherry-picked to the xwayland-22.1 branch.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-18 21:46:57 UTC
Thanks! I keep forgetting to check xwayland too...
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 05:44:04 UTC
Pathces for CVE-2022-355{0,1} are in xwayland-22.1.4.
Comment 4 Larry the Git Cow gentoo-dev 2022-10-25 13:46:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fe591d4f982e938ef2bd111487ded7560539325

commit 9fe591d4f982e938ef2bd111487ded7560539325
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-10-25 13:42:49 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-10-25 13:45:58 +0000

    x11-base/xwayland: Version bump to 22.1.4
    
    Bug: https://bugs.gentoo.org/877459
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   1 +
 x11-base/xwayland/xwayland-22.1.4.ebuild | 100 +++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-11 00:21:11 UTC
Doesn't look like all of the fixes have made it into releases, right?
Comment 6 Matt Turner gentoo-dev 2022-11-11 04:03:08 UTC
(In reply to John Helmert III from comment #5)
> Doesn't look like all of the fixes have made it into releases, right?

Right.

FWIW, the CVEs were requested and assigned without X.Org knowing, and I think we're not really confident that they're actually issues. Maybe the Quartz one, but... it's Quartz.
Comment 7 Matt Turner gentoo-dev 2022-11-16 02:12:04 UTC
From the xorg-security list (7 days ago):

>  Mitre responded today:
> 
>     VulDB has determined that they accidentally assigned a Record for
>     CVE-2022-3554 and CVE-2022-3555. They have already rejected both IDs.
>     We consider this matter closed, but please let us know if you have
>     any follow up questions, comments, or concerns for us.
> 
> And these now show they were rejected last week:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3554
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3555
> 
> but the three reported against Xorg & Xquartz are still live, so it looks
> like they only rejected the ones we pushed back on:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-16 15:29:24 UTC
(In reply to Matt Turner from comment #7)
> From the xorg-security list (7 days ago):
> 
> >  Mitre responded today:
> > 
> >     VulDB has determined that they accidentally assigned a Record for
> >     CVE-2022-3554 and CVE-2022-3555. They have already rejected both IDs.
> >     We consider this matter closed, but please let us know if you have
> >     any follow up questions, comments, or concerns for us.
> > 
> > And these now show they were rejected last week:
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3554
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3555
> > 
> > but the three reported against Xorg & Xquartz are still live, so it looks
> > like they only rejected the ones we pushed back on:
> > 
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553

Great! We'll ignore the invalid CVEs, CVE-2022-{3554,3555}
Comment 9 Larry the Git Cow gentoo-dev 2022-12-04 02:41:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b176c5411f6f5fbb856fa51cc17b92af61504c04

commit b176c5411f6f5fbb856fa51cc17b92af61504c04
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-12-04 01:23:14 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-12-04 02:36:05 +0000

    x11-base/xwayland: Drop old versions
    
    Bug: https://bugs.gentoo.org/877459
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   2 -
 x11-base/xwayland/xwayland-22.1.3.ebuild | 100 -------------------------------
 x11-base/xwayland/xwayland-22.1.4.ebuild | 100 -------------------------------
 3 files changed, 202 deletions(-)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-20 16:53:09 UTC
xwayland-22.1.7 and xorg-server-21.1.6 were just released, the latter says it fixes CVE-2022-3550 and CVE-2022-3551. Indeed, patches for these are in xwayland-22.1.4 and xorg-server-21.1.6. I see the patch for CVE-2022-3553 in xorg-server-21.1.4, but not in xwayland.
Comment 11 Larry the Git Cow gentoo-dev 2022-12-20 18:58:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587798c8f9ee0744ec2f08569411d4a6be6beaf0

commit 587798c8f9ee0744ec2f08569411d4a6be6beaf0
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-12-20 18:45:33 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-12-20 18:58:34 +0000

    x11-base/xwayland: Version bump to 22.1.7
    
    Bug: https://bugs.gentoo.org/877459
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   1 +
 x11-base/xwayland/xwayland-22.1.7.ebuild | 100 +++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)
Comment 12 Larry the Git Cow gentoo-dev 2023-01-03 15:55:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8268a113aaddf90933c676cf0fe88e49e5b26302

commit 8268a113aaddf90933c676cf0fe88e49e5b26302
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-01-03 15:31:50 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-01-03 15:55:30 +0000

    x11-base/xwayland: Drop old versions
    
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   2 -
 x11-base/xwayland/xwayland-22.1.5.ebuild | 100 -------------------------------
 x11-base/xwayland/xwayland-22.1.6.ebuild | 100 -------------------------------
 3 files changed, 202 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2770505a4547a8f25b82b690236f655dc3a2eee0

commit 2770505a4547a8f25b82b690236f655dc3a2eee0
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-01-03 15:31:47 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-01-03 15:55:29 +0000

    x11-base/xorg-server: Drop old versions
    
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                     |   2 -
 x11-base/xorg-server/xorg-server-21.1.4-r1.ebuild | 195 ----------------------
 x11-base/xorg-server/xorg-server-21.1.4.ebuild    | 190 ---------------------
 x11-base/xorg-server/xorg-server-21.1.5.ebuild    | 195 ----------------------
 4 files changed, 582 deletions(-)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:24:21 UTC
The xquartz patch eventually made it into xwayland-23.1.0.
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:28:00 UTC
GLSA request filed
Comment 15 Larry the Git Cow gentoo-dev 2023-05-30 02:56:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f91a69c129c65b48c349fa74cf96eb46e176c139

commit f91a69c129c65b48c349fa74cf96eb46e176c139
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 02:54:51 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 02:56:36 +0000

    [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/829208
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Bug: https://bugs.gentoo.org/893438
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-30.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 02:59:46 UTC
GLSA released, all done!