CVE-2022-3550 (https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e):

A vulnerability classified as critical was found in X.org Server. Affected by this vulnerability is the function _GetCountedString of the file xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211051.

CVE-2022-3551 (https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2):

A vulnerability, which was classified as problematic, has been found in X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of the file xkb/xkb.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211052.

CVE-2022-3553 (https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3):

A vulnerability, which was classified as problematic, was found in X.org Server. This affects an unknown part of the file hw/xquartz/X11Controller.m of the component xquartz. The manipulation leads to denial of service. It is recommended to apply a patch to fix this issue. The identifier VDB-211053 was assigned to this vulnerability.

Seems like these aren't in a tag yet.
(In reply to John Helmert III from comment #0)
> CVE-2022-3550
> (https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e):

Was cherry-picked as cb4fd4d06ee8bd71b7176f58ecad70b69e3702d8 to the xwayland-22.1 branch. Not in any tag.

I don't see it in the server-21.1-branch branch.

> A vulnerability classified as critical was found in X.org Server. Affected
> by this vulnerability is the function _GetCountedString of the file
> xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to
> apply a patch to fix this issue. The associated identifier of this
> vulnerability is VDB-211051.
>
> CVE-2022-3551
> (https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2):

Was cherry-picked as baad076c4df664092158d2822b244ef69ff8edaa to the xwayland-22.1 branch. Not in any tag.

I don't see it in the server-21.1-branch branch.

> A vulnerability, which was classified as problematic, has been found in
> X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of
> the file xkb/xkb.c. The manipulation leads to memory leak. It is recommended
> to apply a patch to fix this issue. The identifier of this vulnerability is
> VDB-211052.
>
> CVE-2022-3553
> (https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=dfd057996b26420309c324ec844a5ba6dd07eda3):

I don't see this commit cherry-picked to the xwayland-22.1 branch.
Thanks! I keep forgetting to check xwayland too...
Patches for CVE-2022-355{0,1} are in xwayland-22.1.4.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fe591d4f982e938ef2bd111487ded7560539325

commit 9fe591d4f982e938ef2bd111487ded7560539325
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-10-25 13:42:49 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-10-25 13:45:58 +0000

    x11-base/xwayland: Version bump to 22.1.4

    Bug: https://bugs.gentoo.org/877459
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest | 1 +
 x11-base/xwayland/xwayland-22.1.4.ebuild | 100 +++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)
Doesn't look like all of the fixes have made it into releases, right?
(In reply to John Helmert III from comment #5)
> Doesn't look like all of the fixes have made it into releases, right?

Right. FWIW, the CVEs were requested and assigned without X.Org knowing, and I think we're not really confident that they're actually issues. Maybe the Quartz one, but... it's Quartz.
From the xorg-security list (7 days ago):

> Mitre responded today:
>
> VulDB has determined that they accidentally assigned a Record for
> CVE-2022-3554 and CVE-2022-3555. They have already rejected both IDs.
> We consider this matter closed, but please let us know if you have
> any follow up questions, comments, or concerns for us.
>
> And these now show they were rejected last week:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3554
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3555
>
> but the three reported against Xorg & Xquartz are still live, so it looks
> like they only rejected the ones we pushed back on:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553
(In reply to Matt Turner from comment #7)
> From the xorg-security list (7 days ago):
>
> > Mitre responded today:
> >
> > VulDB has determined that they accidentally assigned a Record for
> > CVE-2022-3554 and CVE-2022-3555. They have already rejected both IDs.
> > We consider this matter closed, but please let us know if you have
> > any follow up questions, comments, or concerns for us.
> >
> > And these now show they were rejected last week:
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3554
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3555
> >
> > but the three reported against Xorg & Xquartz are still live, so it looks
> > like they only rejected the ones we pushed back on:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553

Great! We'll ignore the invalid CVEs, CVE-2022-{3554,3555}
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b176c5411f6f5fbb856fa51cc17b92af61504c04

commit b176c5411f6f5fbb856fa51cc17b92af61504c04
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-12-04 01:23:14 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-12-04 02:36:05 +0000

    x11-base/xwayland: Drop old versions

    Bug: https://bugs.gentoo.org/877459
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest | 2 -
 x11-base/xwayland/xwayland-22.1.3.ebuild | 100 -------------------------------
 x11-base/xwayland/xwayland-22.1.4.ebuild | 100 -------------------------------
 3 files changed, 202 deletions(-)
xwayland-22.1.7 and xorg-server-21.1.6 were just released, the latter says it fixes CVE-2022-3550 and CVE-2022-3551. Indeed, patches for these are in xwayland-22.1.4 and xorg-server-21.1.6. I see the patch for CVE-2022-3553 in xorg-server-21.1.4, but not in xwayland.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587798c8f9ee0744ec2f08569411d4a6be6beaf0

commit 587798c8f9ee0744ec2f08569411d4a6be6beaf0
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-12-20 18:45:33 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-12-20 18:58:34 +0000

    x11-base/xwayland: Version bump to 22.1.7

    Bug: https://bugs.gentoo.org/877459
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest | 1 +
 x11-base/xwayland/xwayland-22.1.7.ebuild | 100 +++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8268a113aaddf90933c676cf0fe88e49e5b26302

commit 8268a113aaddf90933c676cf0fe88e49e5b26302
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-01-03 15:31:50 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-01-03 15:55:30 +0000

    x11-base/xwayland: Drop old versions

    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest | 2 -
 x11-base/xwayland/xwayland-22.1.5.ebuild | 100 -------------------------------
 x11-base/xwayland/xwayland-22.1.6.ebuild | 100 -------------------------------
 3 files changed, 202 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2770505a4547a8f25b82b690236f655dc3a2eee0

commit 2770505a4547a8f25b82b690236f655dc3a2eee0
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-01-03 15:31:47 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-01-03 15:55:29 +0000

    x11-base/xorg-server: Drop old versions

    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest | 2 -
 x11-base/xorg-server/xorg-server-21.1.4-r1.ebuild | 195 ----------------------
 x11-base/xorg-server/xorg-server-21.1.4.ebuild | 190 ---------------------
 x11-base/xorg-server/xorg-server-21.1.5.ebuild | 195 ----------------------
 4 files changed, 582 deletions(-)
The xquartz patch eventually made it into xwayland-23.1.0.
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f91a69c129c65b48c349fa74cf96eb46e176c139

commit f91a69c129c65b48c349fa74cf96eb46e176c139
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 02:54:51 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 02:56:36 +0000

    [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/829208
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Bug: https://bugs.gentoo.org/893438
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-30.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
GLSA released, all done!