[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Kaelyn Takata via Guix-patches via]

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
---
 gnu/packages/xorg.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 85a93dee30..204fd857c0 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5234,7 +5234,7 @@ (define-public libxcvt
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "21.1.1")
+    (version "21.1.2")
     (source
      (origin
        (method url-fetch)
@@ -5243,7 +5243,7 @@ (define-public xorg-server
                            "/xserver/xorg-server-" version ".tar.xz"))
        (sha256
         (base32
-         "0md7dqsc5qb30gym06c4zc2cjsdc5ps8nywk1bkcpix05kppybkq"))
+         "1c4dgvpv3kib8rhw37b00vc056nlb1z66c2lwzs4prz8kxmg82y2"))
        (patches
         (list
          ;; See:

base-commit: b329c2139b9f0818f27107bec5226cb98cfe1446
-- 
2.34.0

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Kaelyn via Guix-patches via]

Hi,

I would like to propose this update for the 1.4.0 branch as well, as xorg-server 21.1.2 fixes four recently reported security vulnerabilities that can lead to priviledge escalation: https://lists.x.org/archives/xorg/2021-December/060842.html

Cheers,
Kaelyn

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Leo Famulari]

On Thu, Dec 16, 2021 at 11:29:50PM +0000, Kaelyn Takata via Guix-patches via wrote:
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.

Thanks! I am reviewing this patch now. It's not quite as simple as it
seems because we must take care to avoid changing xorg-server-for-tests,
or almost every package will have to be rebuilt.

See section 8 here for more information about how many package rebuilds are okay
for the master branch:

https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html#Submitting-Patches

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Kaelyn via Guix-patches via]

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, December 18th, 2021 at 12:40 PM, Leo Famulari <leo@famulari.name> wrote:

> On Thu, Dec 16, 2021 at 11:29:50PM +0000, Kaelyn Takata via Guix-patches via wrote:
>
> > -   gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
>
> Thanks! I am reviewing this patch now. It's not quite as simple as it
>
> seems because we must take care to avoid changing xorg-server-for-tests,
>
> or almost every package will have to be rebuilt.
>
> See section 8 here for more information about how many package rebuilds are okay
>
> for the master branch:
>
> https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html#Submitting-Patches

No worries, and take your time! I just wanted to ping the patch so that the security fixes could land before the 1.4 release. :)

When I first sent it, on my machine "guix refresh --list-dependent xorg-serv" said it was 80-something packages that would be rebuilt (just checked again after typing that, and it says 82 packages would be built to ensure 137 dependet packages are rebuilt).

Thanks,
Kaelyn

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Leo Famulari]

On Sun, Dec 19, 2021 at 01:49:08AM +0000, Kaelyn wrote:
> No worries, and take your time! I just wanted to ping the patch so that the security fixes could land before the 1.4 release. :)

Sure, I intend to land the patch in the next day or so.

> When I first sent it, on my machine "guix refresh --list-dependent xorg-serv" said it was 80-something packages that would be rebuilt (just checked again after typing that, and it says 82 packages would be built to ensure 137 dependet packages are rebuilt).

Right, that's correct. But there is a also a package
'xorg-server-for-tests', which is used basically for package test
suites. The idea is that it's never used "for real" and so security
issues matter less. And we update that package less often.

You can check on that package like this:

                                Scheme syntax for working with "hidden" packages
-----                           ▼
$ guix refresh -l --expression='(@@ (gnu packages xorg) xorg-server-for-tests)'
Building the following 1419 packages would ensure 3063 dependent packages are rebuilt:
[...]
------

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Leo Famulari]

[-- Attachment #1.1: Type: text/plain, Size: 526 bytes --]

On Sat, Dec 18, 2021 at 11:56:53PM -0500, Leo Famulari wrote:
> Sure, I intend to land the patch in the next day or so.

Alright, with the attached patch, X works in my tests, and
xorg-server-for-tests is unchanged.

It would be great to get some more testing from other X users.

I tested with QEMU, using our VM image template:

`guix environment guix -- ./pre-inst-env guix system vm-image --image-size=20G -t qcow2 gnu/system/examples/vm-image.tmpl`

I can't test on bare metal due to <https://issues.guix.gnu.org/52051>.

[-- Attachment #1.2: 0001-gnu-xorg-server-Update-to-21.1.2.patch --]
[-- Type: text/plain, Size: 2431 bytes --]

From 2b597e7887be70a0faaa04b9dabd69030dca6614 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 18 Dec 2021 15:30:41 -0500
Subject: [PATCH] gnu: xorg-server: Update to 21.1.2.

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
(xorg-server-for-tests): Use version 21.1.1.
---
 gnu/packages/xorg.scm | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 9a854bcbf8..b09d95f770 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5235,16 +5235,15 @@ (define-public libxcvt
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "21.1.1")
+    (version "21.1.2")
     (source
      (origin
        (method url-fetch)
-
        (uri (string-append "https://xorg.freedesktop.org/archive/individual"
                            "/xserver/xorg-server-" version ".tar.xz"))
        (sha256
         (base32
-         "0md7dqsc5qb30gym06c4zc2cjsdc5ps8nywk1bkcpix05kppybkq"))
+         "1c4dgvpv3kib8rhw37b00vc056nlb1z66c2lwzs4prz8kxmg82y2"))
        (patches
         (list
          ;; See:
@@ -5361,7 +5360,30 @@ (define-public xorg-server
 (define-public xorg-server-for-tests
   (hidden-package
    (package
-     (inherit xorg-server))))
+     (inherit xorg-server)
+     (version "21.1.1")
+     (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://xorg.freedesktop.org/archive/individual"
+                            "/xserver/xorg-server-" version ".tar.xz"))
+        (sha256
+         (base32
+          "0md7dqsc5qb30gym06c4zc2cjsdc5ps8nywk1bkcpix05kppybkq"))
+        (patches
+         (list
+          ;; See:
+          ;;   https://lists.fedoraproject.org/archives/list/devel@lists.
+          ;;      fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
+          (origin
+            (method url-fetch)
+            (uri (string-append
+                  "http://pkgs.fedoraproject.org/cgit/rpms/xorg-x11-server.git"
+                  "/plain/06_use-intel-only-on-pre-gen4.diff"))
+            (sha256
+             (base32
+              "0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
+            (file-name "xorg-server-use-intel-only-on-pre-gen4.diff")))))))))
 
 (define-public eglexternalplatform
   (package
-- 
2.34.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 435 bytes --]

On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> It would be great to get some more testing from other X users.

In case anybody is wondering about the security issues, the commit
message has been amended like this in my tree:

------
gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
(xorg-server-for-tests): Use version 21.1.1.
------

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 507 bytes --]

On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> > It would be great to get some more testing from other X users.
> 
> In case anybody is wondering about the security issues, the commit
> message has been amended like this in my tree:

And, we may have a solution for the login timeout that has been
preventing testing for many of us. A patch for #52051 has been proposed:

https://issues.guix.gnu.org/issue/52051#29

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 683 bytes --]

On Tue, Dec 21, 2021 at 12:47:38PM -0500, Leo Famulari wrote:
> On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> > On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> > > It would be great to get some more testing from other X users.
> > 
> > In case anybody is wondering about the security issues, the commit
> > message has been amended like this in my tree:
> 
> And, we may have a solution for the login timeout that has been
> preventing testing for many of us. A patch for #52051 has been proposed:
> 
> https://issues.guix.gnu.org/issue/52051#29

Alright, with the fix for #52051, I successfully used xorg-server 21.1.2
on my laptop.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Josselin Poiret via Guix-patches via]

Hello,

Leo Famulari <leo@famulari.name> writes:
> In case anybody is wondering about the security issues, the commit
> message has been amended like this in my tree:
>
> ------
> gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].
>
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
> (xorg-server-for-tests): Use version 21.1.1.
> ------

Just pitching in to say that those CVE numbers should be fully typed
instead of using shell expansion-style, so that one can run `git log
--grep=CVE-2021-4008`.  Note that these can be in the commit message
body.

-- 
Josselin Poiret

[bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.

[Leo Famulari]

On Wed, Dec 22, 2021 at 02:56:19PM +0100, Josselin Poiret wrote:
> Just pitching in to say that those CVE numbers should be fully typed
> instead of using shell expansion-style, so that one can run `git log
> --grep=CVE-2021-4008`.  Note that these can be in the commit message
> body.

Okay. Can you help test the patch itself?

bug#52562: [PATCH] gnu: xorg-server: Update to 21.1.2.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 327 bytes --]

On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> ------
> gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].
> 
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
> (xorg-server-for-tests): Use version 21.1.1.
> ------

Pushed as 0751451ae3a77977916b67577837349219d482ec

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]