all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#48039: xorg-server might be vulnerable to CVE-2021-3472
@ 2021-04-26 17:25 Nicolò Balzarotti
  2021-04-26 17:35 ` Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Nicolò Balzarotti @ 2021-04-26 17:25 UTC (permalink / raw)
  To: 48039

[-- Attachment #1: Type: text/plain, Size: 1067 bytes --]

Hi, just found this [fn:1]:

A flaw was found in xorg-x11-server in versions before 1.20.11. An
integer underflow can occur in xserver which can lead to a local
privilege escalation.

The commit fixing the bug should be the one at [fn:2], and latest tagged
version (1.20.11) should be fixed.

On a side note, the redhat issue tracker says that [fn:3]:

Xorg server does not run with root privileges in Red Hat Enterprise
Linux 8, therefore this flaw has been rated as having moderate impact
for Red Hat Enterprise linux 8.

Is it possible for guix too not to run the server as root?  I've no idea
myself

guix refresh -l xorg-server
Building the following 73 packages would ensure 121

I just rebuilt xorg-server itself with the attached patch, and building
other packages now but it might take some time on my server.  I'll let
you know how it goes.

[fn:1] https://nvd.nist.gov/vuln/detail/CVE-2021-3472
[fn:2]
https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
[fn:3] https://bugzilla.redhat.com/show_bug.cgi?id=1944167


[-- Attachment #2: 0001-gnu-xorg-server-Update-to-1.20.11.patch --]
[-- Type: text/x-patch, Size: 1420 bytes --]

From a1767951a7b4631c48916f1171f577839fff0df3 Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Mon, 26 Apr 2021 19:22:04 +0200
Subject: [PATCH] gnu: xorg-server: Update to 1.20.11.

* gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
---
 gnu/packages/xorg.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97ff8ab92b..6b6fcbafa9 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -26,6 +26,7 @@
 ;;; Copyright © 2020, 2021 Michael Rohleder <mike@rohleder.de>
 ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2020 Jean-Baptiste Note <jean-baptiste.note@m4x.org>
+;;; Copyright © 2021 Nicolò Balzarotti <nicolo@nixo.xyz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -5302,7 +5303,7 @@ over Xlib, including:
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "1.20.10")
+    (version "1.20.11")
     (source
       (origin
         (method url-fetch)
@@ -5310,7 +5311,7 @@ over Xlib, including:
                             "xorg-server-" version ".tar.bz2"))
         (sha256
          (base32
-          "16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
+          "0jacqgin8kcyy8fyv0lhgb4if8g9hp60rm3ih3s1mgps7xp7jk4i"))
         (patches
          (list
           ;; See:
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* bug#48039: xorg-server might be vulnerable to CVE-2021-3472
  2021-04-26 17:25 bug#48039: xorg-server might be vulnerable to CVE-2021-3472 Nicolò Balzarotti
@ 2021-04-26 17:35 ` Leo Famulari
  2021-04-26 18:27   ` Nicolò Balzarotti
  2021-04-26 18:28   ` bug#48039: (no subject) Nicolò Balzarotti
  0 siblings, 2 replies; 7+ messages in thread
From: Leo Famulari @ 2021-04-26 17:35 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 48039

[-- Attachment #1: Type: text/plain, Size: 575 bytes --]

On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
> From a1767951a7b4631c48916f1171f577839fff0df3 Mon Sep 17 00:00:00 2001
> From: nixo <nicolo@nixo.xyz>
> Date: Mon, 26 Apr 2021 19:22:04 +0200
> Subject: [PATCH] gnu: xorg-server: Update to 1.20.11.
> 
> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.

Did you see <https://bugs.gnu.org/48001>?

We should push a fix for this bug along with
<https://bugs.gnu.org/48000>, since the GStreamer plugins depend on
xorg-server. Otherwise we'll have to rebuild all effected packages
twice.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#48039: xorg-server might be vulnerable to CVE-2021-3472
  2021-04-26 17:35 ` Leo Famulari
@ 2021-04-26 18:27   ` Nicolò Balzarotti
  2021-04-26 19:33     ` [bug#48039] " Leo Famulari
  2021-04-26 18:28   ` bug#48039: (no subject) Nicolò Balzarotti
  1 sibling, 1 reply; 7+ messages in thread
From: Nicolò Balzarotti @ 2021-04-26 18:27 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 48039

Leo Famulari <leo@famulari.name> writes:

> On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
>> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
>
> Did you see <https://bugs.gnu.org/48001>?
>
Ops, sorry for the duplicate, I somehow missed it, I'm closing this

Thanks!




^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#48039: (no subject)
  2021-04-26 17:35 ` Leo Famulari
  2021-04-26 18:27   ` Nicolò Balzarotti
@ 2021-04-26 18:28   ` Nicolò Balzarotti
  1 sibling, 0 replies; 7+ messages in thread
From: Nicolò Balzarotti @ 2021-04-26 18:28 UTC (permalink / raw)
  To: 48039-close





^ permalink raw reply	[flat|nested] 7+ messages in thread

* [bug#48039] xorg-server might be vulnerable to CVE-2021-3472
  2021-04-26 18:27   ` Nicolò Balzarotti
@ 2021-04-26 19:33     ` Leo Famulari
  2021-04-27  6:02       ` bug#48039: " Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2021-04-26 19:33 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 48039

On Mon, Apr 26, 2021 at 08:27:58PM +0200, Nicolò Balzarotti wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
> >> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
> >
> > Did you see <https://bugs.gnu.org/48001>?
> >
> Ops, sorry for the duplicate, I somehow missed it, I'm closing this

I didn't mean for you to close your message.

We took different approaches to fixing the bug: I applied a patch, and
you updated the package.

The big difference is that your patch doesn't avoid changing the
xorg-server-for-tests package, so it can't be applied to master.

I'm merging the two tickets. I think that updating the package is a
better choice that simply patching it. I'll probably join our two
patches together and push that.




^ permalink raw reply	[flat|nested] 7+ messages in thread

* bug#48039: xorg-server might be vulnerable to CVE-2021-3472
  2021-04-26 19:33     ` [bug#48039] " Leo Famulari
@ 2021-04-27  6:02       ` Leo Famulari
  2021-04-27  7:18         ` [bug#48039] " Nicolò Balzarotti
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2021-04-27  6:02 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 48039-done

[-- Attachment #1: Type: text/plain, Size: 324 bytes --]

On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:
> I'm merging the two tickets. I think that updating the package is a
> better choice that simply patching it. I'll probably join our two
> patches together and push that.

Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out
for these bugs!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [bug#48039] xorg-server might be vulnerable to CVE-2021-3472
  2021-04-27  6:02       ` bug#48039: " Leo Famulari
@ 2021-04-27  7:18         ` Nicolò Balzarotti
  0 siblings, 0 replies; 7+ messages in thread
From: Nicolò Balzarotti @ 2021-04-27  7:18 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 48039-done

Leo Famulari <leo@famulari.name> writes:

> On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:
>> I'm merging the two tickets. I think that updating the package is a
>> better choice that simply patching it. I'll probably join our two
>> patches together and push that.
>
> Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out
> for these bugs!
Thank you!




^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2021-04-27  7:19 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-04-26 17:25 bug#48039: xorg-server might be vulnerable to CVE-2021-3472 Nicolò Balzarotti
2021-04-26 17:35 ` Leo Famulari
2021-04-26 18:27   ` Nicolò Balzarotti
2021-04-26 19:33     ` [bug#48039] " Leo Famulari
2021-04-27  6:02       ` bug#48039: " Leo Famulari
2021-04-27  7:18         ` [bug#48039] " Nicolò Balzarotti
2021-04-26 18:28   ` bug#48039: (no subject) Nicolò Balzarotti

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.