Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 596182 (CVE-2016-5407, CVE-2016-7942, CVE-2016-7943, CVE-2016-7944, CVE-2016-7945, CVE-2016-7946, CVE-2016-7947, CVE-2016-7948, CVE-2016-7949, CVE-2016-7950, CVE-2016-7953) - <x11-libs/{libX11-1.6.4,libXfixes-5.0.3,libXi-1.7.7,libXrandr-1.5.1,libXrender-0.9.10,libXtst-1.2.3,libXv-1.0.11,libXvMC-1.0.10}: Multiple vulnerabilities
Summary: <x11-libs/{libX11-1.6.4,libXfixes-5.0.3,libXi-1.7.7,libXrandr-1.5.1,libXrende...
Status: RESOLVED FIXED
Alias: CVE-2016-5407, CVE-2016-7942, CVE-2016-7943, CVE-2016-7944, CVE-2016-7945, CVE-2016-7946, CVE-2016-7947, CVE-2016-7948, CVE-2016-7949, CVE-2016-7950, CVE-2016-7953
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://lists.x.org/archives/xorg-ann...
Whiteboard: A3 [glsa cve]
Keywords:
: 596164 596574 (view as bug list)
Depends on: 579266
Blocks: 611056
  Show dependency tree
 
Reported: 2016-10-04 23:15 UTC by Manuel Rüger (RETIRED)
Modified: 2017-04-10 21:35 UTC (History)
2 users (show)

See Also:
Package list:
x11-libs/libX11-1.6.4 alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86 x11-libs/libXfixes-5.0.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 x11-libs/libXrender-0.9.10 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 x11-libs/libXi-1.7.8 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 x11-libs/libXrandr-1.5.1 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 x11-libs/libXv-1.0.11 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 x11-libs/libXtst-1.2.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 x11-libs/libXvMC-1.0.10 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
Stabilization list (libX11-1.6.4-sec.list,632 bytes, text/plain)
2016-10-05 11:14 UTC, Mart Raudsepp
no flags Details
Stabilization list (attachment.cgi?id=449222,632 bytes, text/plain)
2016-10-25 03:40 UTC, Matt Turner
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Manuel Rüger (RETIRED) gentoo-dev 2016-10-04 23:15:30 UTC
From $URL:

"X.Org security advisory: October 4, 2016

Protocol handling issues in X Window System client libraries
============================================================

Description

Tobias Stoeckmann from the OpenBSD project has discovered a number of
issues in the way various X client libraries handle the responses they
receive from servers, and has worked with X.Org's security team to
analyze, confirm, and fix these issues. These issue come in addition
to the ones discovered by Ilja van Sprundel in 2013.

Most of these issues stem from the client libraries trusting the
server to send correct protocol data, and not verifying that the
values will not overflow or cause other damage. Most of the time X
clients & servers are run by the same user, with the server more
privileged than the clients, so this is not a problem, but there are
scenarios in which a privileged client can be connected to an
unprivileged server, for instance, connecting a setuid X client (such
as a screen lock program) to a virtual X server (such as Xvfb or
Xephyr) which the user has modified to return invalid data,
potentially allowing the user to escalate their privileges.

The X.Org security team would like to take this opportunity to remind
X client authors that current best practices suggest separating code
that requires privileges from the GUI, to reduce the attack surface of
issues like this.


Affected libraries and CVE Ids

libX11 - insufficient validation of data from the X server
	 can cause out of boundary memory read (XGetImage())
	 or write (XListFonts()).
	 Affected versions libX11 <= 1.6.3

libXfixes - insufficient validation of data from the X server
	can cause an integer overflow on 32 bit architectures.
	Affected versions : libXfixes <= 5.0.2

libXi - insufficient validation of data from the X server
	can cause out of boundary memory access or
	endless loops (Denial of Service).
	Affected versions libXi <= 1.7.6

libXrandr - insufficient validation of data from the X server
	can cause out of boundary memory writes.
	Affected versions: libXrandr <= 1.5.0

libXrender - insufficient validation of data from the X server
	can cause out of boundary memory writes.
	Affected version: libXrender <= 0.9.9

XRecord - insufficient validation of data from the X server
        can cause out of boundary memory access or
	endless loops (Denial of Service).
	 Affected version libXtst <= 1.2.2

libXv - insufficient validation of data from the X server
        can cause out of boundary memory and memory corruption.
	CVE-2016-5407
	affected versions libXv <= 1.0.10

libXvMC - insufficient validation of data from the X server
	can cause a one byte buffer read underrun.
	Affected versions: libXvMC <= 1.0.9


Fixes

Fixes are available in the following git commits.

lib/libX11
8ea762f Validation of server responses in XGetImage()
8c29f16 The validation of server responses avoids out of boundary accesses.

libXfixes
61c1039 Integer overflow on illegal server response

libXi
19a9cd6 Properly validate server responses.

libXrandr
a0df3e1 Avoid out of boundary accesses on illegal responses

libXrender
9362c7d Validate lengths while parsing server data.
8fad00b Avoid OOB write in XRenderQueryFilters

lib/libXtst
9556ad6 Out of boundary access and endless loop in libXtst

libXv
87b3c94 Protocol handling issues in libXv

libXvMC
2cd95e7 Avoid buffer underflow on empty strings.


They will also be available in these modules releases from X.Org:

 * libX11 1.6.4
 * libXfixes 5.0.3
 * libXi 1.7.7
 * libXrandr 1.5.1
 * libXrender 0.9.10
 * libXtst 1.2.3
 * libXv 1.0.11
 * libXvMC 1.0.10

Thanks

X.Org thanks Tobias Stoeckmann for reporting these issues to our
security team and assisting them in understanding them and evaluating
our fixes."
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2016-10-04 23:15:56 UTC
All versions with fixes have been added to the tree.
Comment 2 Coacher 2016-10-05 04:11:31 UTC
*** Bug 596164 has been marked as a duplicate of this bug. ***
Comment 3 Mart Raudsepp gentoo-dev 2016-10-05 11:14:01 UTC
Created attachment 449222 [details]
Stabilization list
Comment 4 Mart Raudsepp gentoo-dev 2016-10-05 11:19:29 UTC
Arches, your turn. Most of these only contain security and safe janitorial fixes, except for libX11, which has some other small changed as well, but should be good.

ia64, ppc, ppc64, sparc - as you still haven't completed bug 579266, it might be a dependency of this security stabilization. At least a newer libxcb is necessary (which bug 559062 even older stabilization would bump to a high enough version too though). But probably best to just go for latest stabilization requested versions in one go by now.
Comment 5 Jeroen Roovers gentoo-dev 2016-10-06 05:26:01 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-10-07 09:00:06 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-10-07 09:02:05 UTC
x86 stable
Comment 8 Mart Raudsepp gentoo-dev 2016-10-08 20:45:34 UTC
*** Bug 596574 has been marked as a duplicate of this bug. ***
Comment 9 Mark Knecht 2016-10-11 13:12:24 UTC
For awhile a number of these had digest mismatch issues which were all cleaned up a couple of days ago except for this one:

>>> Fetching (13 of 118) x11-libs/libXtst-1.2.3::gentoo

!!! Digest verification failed:
!!! /usr/portage/x11-libs/libXtst/libXtst-1.2.3.ebuild
!!! Reason: Filesize does not match recorded size
!!! Got: 831
!!! Expected: 832

>>> Failed to emerge x11-libs/libXtst-1.2.3


Portage 2.3.0 (python 2.7.10-final-0, default/linux/amd64/13.0/desktop/plasma, gcc-4.9.3, glibc-2.22-r4, 4.4.6-gentoo x86_64)
=================================================================
System uname: Linux-4.4.6-gentoo-x86_64-Intel-R-_Core-TM-_i7_CPU_X_980_@_3.33GHz-with-gentoo-2.2
KiB Mem:    24685404 total,  11648972 free
KiB Swap:   12582904 total,  12582904 free
Timestamp of repository gentoo: Tue, 11 Oct 2016 12:15:01 +0000
sh bash 4.3_p46-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p46-r1::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.22.2::gentoo
dev-lang/python:          2.7.10-r1::gentoo, 3.4.3-r1::gentoo
dev-util/cmake:           3.5.2-r1::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.21.7::gentoo
sys-apps/sandbox:         2.10-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.9.3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
sys-libs/glibc:           2.22-r4::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.namerica.gentoo.org/gentoo-portage
    priority: -1000

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1 PUEL AdobeFlash-10.3 skype-eula google-chrome skype-4.0.0.7-copyright google-talkplugin Google-TOS"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=native -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --jobs=5"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ "
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j13 -l8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 berkdb branding bzip2 cairo cdda cdr cleartype cli consolekit corefonts cracklib crypt cxx dbus declarative dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif glamor gpm gstreamer gtk iconv java jpeg jpeg2k kde kipi lcms ldap libav libnotify mad mmx mmxext mng modules mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf phonon plasma png policykit ppds qml qt3support qt4 qt5 readline sdl seccomp session spell sse sse2 ssl ssse3 startup-notification svg tcpd threads tiff truetype type1 udev udisks unicode upower usb vdpau vorbis widgets wxwidgets x264 xattr xcb xcomposite xinerama xml xscreensaver xv xvid xvmc zlib" ABI_X86="64 32" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" L10N="en-US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

c2RAID6 ~ #
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-11 13:20:11 UTC
(In reply to Mark Knecht from comment #9)
> For awhile a number of these had digest mismatch issues which were all
> cleaned up a couple of days ago except for this one:
> 
> >>> Fetching (13 of 118) x11-libs/libXtst-1.2.3::gentoo
> 
> !!! Digest verification failed:
> !!! /usr/portage/x11-libs/libXtst/libXtst-1.2.3.ebuild
> !!! Reason: Filesize does not match recorded size
> !!! Got: 831
> !!! Expected: 832
> 
> >>> Failed to emerge x11-libs/libXtst-1.2.3
> 
> 
> Portage 2.3.0 (python 2.7.10-final-0,
> default/linux/amd64/13.0/desktop/plasma, gcc-4.9.3, glibc-2.22-r4,
> 4.4.6-gentoo x86_64)
> =================================================================
> System uname:
> Linux-4.4.6-gentoo-x86_64-Intel-R-_Core-TM-_i7_CPU_X_980_@_3.33GHz-with-
> gentoo-2.2
> KiB Mem:    24685404 total,  11648972 free
> KiB Swap:   12582904 total,  12582904 free
> Timestamp of repository gentoo: Tue, 11 Oct 2016 12:15:01 +0000
> sh bash 4.3_p46-r1
> ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
> app-shells/bash:          4.3_p46-r1::gentoo
> dev-java/java-config:     2.2.0-r3::gentoo
> dev-lang/perl:            5.22.2::gentoo
> dev-lang/python:          2.7.10-r1::gentoo, 3.4.3-r1::gentoo
> dev-util/cmake:           3.5.2-r1::gentoo
> dev-util/pkgconfig:       0.28-r2::gentoo
> sys-apps/baselayout:      2.2::gentoo
> sys-apps/openrc:          0.21.7::gentoo
> sys-apps/sandbox:         2.10-r1::gentoo
> sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
> sys-devel/automake:       1.11.6-r1::gentoo, 1.14.1::gentoo, 1.15::gentoo
> sys-devel/binutils:       2.25.1-r1::gentoo
> sys-devel/gcc:            4.9.3::gentoo
> sys-devel/gcc-config:     1.7.3::gentoo
> sys-devel/libtool:        2.4.6::gentoo
> sys-devel/make:           4.1-r1::gentoo
> sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
> sys-libs/glibc:           2.22-r4::gentoo
> Repositories:
> 
> gentoo
>     location: /usr/portage
>     sync-type: rsync
>     sync-uri: rsync://rsync.namerica.gentoo.org/gentoo-portage
>     priority: -1000
> 
> ACCEPT_KEYWORDS="amd64"
> ACCEPT_LICENSE="* -@EULA dlj-1.1 PUEL AdobeFlash-10.3 skype-eula
> google-chrome skype-4.0.0.7-copyright google-talkplugin Google-TOS"
> CBUILD="x86_64-pc-linux-gnu"
> CFLAGS="-O2 -march=native -pipe"
> CHOST="x86_64-pc-linux-gnu"
> CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
> CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d
> /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild
> /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d
> /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
> CXXFLAGS="-O2 -march=native -pipe"
> DISTDIR="/usr/portage/distfiles"
> EMERGE_DEFAULT_OPTS="--with-bdeps=y --jobs=5"
> FCFLAGS="-O2 -pipe"
> FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified
> distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch
> preserve-libs protect-owned sandbox sfperms strict unknown-features-warn
> unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync
> webrsync-gpg xattr"
> FFLAGS="-O2 -pipe"
> GENTOO_MIRRORS="http://gentoo.osuosl.org/ "
> LDFLAGS="-Wl,-O1 -Wl,--as-needed"
> MAKEOPTS="-j13 -l8"
> PKGDIR="/usr/portage/packages"
> PORTAGE_CONFIGROOT="/"
> PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
> --omit-dir-times --compress --force --whole-file --delete --stats
> --human-readable --timeout=180 --exclude=/distfiles --exclude=/local
> --exclude=/packages --exclude=/.git"
> PORTAGE_TMPDIR="/var/tmp"
> USE="X a52 aac acl acpi alsa amd64 berkdb branding bzip2 cairo cdda cdr
> cleartype cli consolekit corefonts cracklib crypt cxx dbus declarative dri
> dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif glamor gpm
> gstreamer gtk iconv java jpeg jpeg2k kde kipi lcms ldap libav libnotify mad
> mmx mmxext mng modules mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl
> openmp pam pango pcre pdf phonon plasma png policykit ppds qml qt3support
> qt4 qt5 readline sdl seccomp session spell sse sse2 ssl ssse3
> startup-notification svg tcpd threads tiff truetype type1 udev udisks
> unicode upower usb vdpau vorbis widgets wxwidgets x264 xattr xcb xcomposite
> xinerama xml xscreensaver xv xvid xvmc zlib" ABI_X86="64 32"
> ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb
> unixd actions alias auth_basic authn_alias authn_anon authn_dbm
> authn_default authn_file authz_dbm authz_default authz_groupfile authz_host
> authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate
> dir disk_cache env expires ext_filter file_cache filter headers include info
> log_config logio mem_cache mime mime_magic negotiation rewrite setenvif
> speling status unique_id userdir usertrack vhost_alias"
> CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon
> braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load
> memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext popcnt sse sse2
> sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm
> earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip
> navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2
> timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux"
> L10N="en-US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
> mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console
> presenter-minimizer" LINGUAS="en" OFFICE_IMPLEMENTATION="libreoffice"
> PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7"
> PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21"
> USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan
> length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq
> steal rawnat logmark ipmark dhcpmac delude chaos account"
> Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LANG, LC_ALL,
> PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
> PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
> 
> c2RAID6 ~ #

Seems fixed here.  When was your last sync? Please check again and if the problem persists open a new bug.  This is a stabilization bug.
Comment 11 Tobias Klausmann gentoo-dev 2016-10-11 14:18:30 UTC
Stable on alpha
Comment 12 Markus Meier gentoo-dev 2016-10-18 20:02:05 UTC
arm stable
Comment 13 Matt Turner gentoo-dev 2016-10-25 03:40:13 UTC
Created attachment 451372 [details]
Stabilization list

Updated stabilization list to s/libXi-1.7.7/libXi-1.7.8/ since the latter fixes a crash introduced in the former. The changes are minor, so I've retained the stable keywords added in this bug.
Comment 14 Michael Weber (RETIRED) gentoo-dev 2017-02-13 16:02:25 UTC
ppc stable.
Comment 15 Michael Weber (RETIRED) gentoo-dev 2017-03-01 00:28:28 UTC
arm64 stable.
Comment 16 Agostino Sarubbo gentoo-dev 2017-03-04 14:02:35 UTC
sparc stable
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-07 23:15:25 UTC
ia64 please complete stabilization.

New GLSA Request filed.
Comment 18 Matt Turner gentoo-dev 2017-03-07 23:25:26 UTC
Note that you can do the newer versions of libX11 and libXi from the blocking bug 611056 instead.
Comment 19 Agostino Sarubbo gentoo-dev 2017-03-11 17:12:39 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 20 Matt Turner gentoo-dev 2017-03-11 21:19:01 UTC
Vulnerable versions cleaned.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-24 05:33:30 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2017-04-10 21:35:27 UTC
This issue was resolved and addressed in
 GLSA 201704-03 at https://security.gentoo.org/glsa/201704-03
by GLSA coordinator Kristian Fiskerstrand (K_F).