See ${URL}:

CVE-2017-13721 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13721): In X.Org Server (aka xserver and xorg-server) before 1.19.4, an attacker authenticated to an X server with the X shared memory extension enabled can cause aborts of the X server or replace shared memory segments of other X clients in the same session.

CVE-2017-13723 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13723): In X.Org Server (aka xserver and xorg-server) before 1.19.4, a local attacker authenticated to the X server could overflow a global buffer, causing crashes of the X server or potentially other problems by injecting large or malformed XKB related atoms and accessing them via xkbcomp.

Upstream Details/Fix: https://lists.x.org/archives/xorg-announce/2017-October/002809.html

@maintainer(s), after fix, please call for stabilization when ready, thank you!

Gentoo Security Padawan
Daj' Uan (jmbailey)
1.19.4 has been in tree for 5 days.
I can't personally call for stable, though, before I've looked into bug 633530 (help welcome).
We should be able to proceed now.
Stable on amd64
Withdrawing stabilization, as there's a regression fix in the just released xorg-server-1.19.5 and more security fixes. So we should target that instead and do it all at once, I think. Especially due to the regression in 1.19.4 (but I don't know its severity). https://lists.x.org/archives/xorg-devel/2017-October/054871.html
Version bumped to 1.19.5
@arches, please test and mark for stable, thank you.

stabilization target =x11-base/xorg-server-1.19.4
see comment #5...
We have concluded together with Matt that we can proceed with 1.19.5. Bug 633530 seems to be an eudev issue now -- mixing of stable eudev with testing eudev, so not affecting the full stable tree for security.
The first fixed version in tree was 1.19.4 as it's related to the reported CVE. The stabilization target can be different, but the record should reflect the actual fixed ebuild.
amd64 stable
ia64 stable
ppc/ppc64 stable (thanks to ernsteiswuerfel)
x86 stable
Stable on alpha.
arm stable
(In reply to Aaron Bauman from comment #10)
> The first fixed version in tree was 1.19.4 as it's related to the reported
> CVE. The stabilization target can be different, but the record should
> reflect the actual fixed ebuild.

There should be a record for the CVEs 1.19.5 fixed, and I suggested it be here and suggested them to be added here.
hppa stable
@maintainers, please clean the vulnerable versions.

(In reply to Mart Raudsepp from comment #17)
> (In reply to Aaron Bauman from comment #10)
> > The first fixed version in tree was 1.19.4 as it's related to the reported
> > CVE. The stabilization target can be different, but the record should
> > reflect the actual fixed ebuild.
>
> there should be a record for the CVEs 1.19.5 fixed, and I suggested it be
> here and suggested them to be added here.

Sure. Another bug can be opened to track if you want.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201710-30 at https://security.gentoo.org/glsa/201710-30 by GLSA coordinator Aaron Bauman (b-man).
Re-opened for cleanup.
sparc stable (thanks to Rolf Eike Beer)
Vulnerable versions removed in

commit 67af98328e08ad9e53a857d1b51c9ecea8716ead
Author: Matt Turner <mattst88@gentoo.org>
Date:   Mon Oct 30 18:44:14 2017 -0700

    x11-base/xorg-server: Drop vulnerable versions