GNU bug report logs -
#48001
[PATCH] gnu: xorg-server: CVE-2021-3472.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sat, 24 Apr 2021 19:40:02 UTC
Severity: normal
Tags: patch, security
Merged with 48039
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 48001 in the body.
You can then email your comments to 48001 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#48001; Package
guix-patches.
(Sat, 24 Apr 2021 19:40:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Sat, 24 Apr 2021 19:40:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/xorg-server-CVE-2021-3472.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xorg.scm (xorg-server)[source]: Use it.
---
gnu/local.mk | 1 +
.../patches/xorg-server-CVE-2021-3472.patch | 44 +++++++++++++++++++
gnu/packages/xorg.scm | 5 ++-
3 files changed, 48 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/xorg-server-CVE-2021-3472.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 50b11a8ca2..3d076de924 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1815,6 +1815,7 @@ dist_patch_DATA = \
%D%/packages/patches/xfce4-panel-plugins.patch \
%D%/packages/patches/xfce4-settings-defaults.patch \
%D%/packages/patches/xmonad-dynamic-linking.patch \
+ %D%/packages/patches/xorg-server-CVE-2021-3472.patch \
%D%/packages/patches/xplanet-1.3.1-cxx11-eof.patch \
%D%/packages/patches/xplanet-1.3.1-libdisplay_DisplayOutput.cpp.patch \
%D%/packages/patches/xplanet-1.3.1-libimage_gif.c.patch \
diff --git a/gnu/packages/patches/xorg-server-CVE-2021-3472.patch b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
new file mode 100644
index 0000000000..523a5b1dbf
--- /dev/null
+++ b/gnu/packages/patches/xorg-server-CVE-2021-3472.patch
@@ -0,0 +1,44 @@
+Fix CVE-2021-3472:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3472
+https://seclists.org/oss-sec/2021/q2/20
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
+
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu <at> herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu <at> herrb.eu>
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9ef..7a597e43d 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+ break;
+ case StringFeedbackClass:
+ {
+- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
++ xStringFeedbackCtl *f;
+
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++ sizeof(xStringFeedbackCtl));
++ f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
+--
+2.31.1
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97ff8ab92b..df0055c704 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5312,7 +5312,7 @@ over Xlib, including:
(base32
"16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
(patches
- (list
+ (cons
;; See:
;; https://lists.fedoraproject.org/archives/list/devel <at> lists.
;; fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
@@ -5324,7 +5324,8 @@ over Xlib, including:
(sha256
(base32
"0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
- (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))))))
+ (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))
+ (search-patches "xorg-server-CVE-2021-3472.patch")))))
(build-system gnu-build-system)
(propagated-inputs
`(("libpciaccess" ,libpciaccess)
--
2.31.1
Information forwarded
to
guix-patches <at> gnu.org:
bug#48001; Package
guix-patches.
(Sat, 24 Apr 2021 21:37:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 48001 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
The first revision of this patch does not take care to avoid changing
the derivation of xorg-server-for-tests, so it would cause way too many
packages to be rebuilt.
Here is a revised patch that ensures the derivation remains the same.
For example:
------
$ guix build -e '(@@ (gnu packages xorg) xorg-server-for-tests)' --no-grafts -d
/gnu/store/nhs1c9q04g6k4prxxv4kb9q5lg1p872q-xorg-server-1.20.10.drv
$ ./pre-inst-env guix build -e '(@@ (gnu packages xorg) xorg-server-for-tests)' --no-grafts -d
/gnu/store/nhs1c9q04g6k4prxxv4kb9q5lg1p872q-xorg-server-1.20.10.drv
------
[0001-gnu-xorg-server-CVE-2021-3472.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Merged 48001 48039.
Request was from
Leo Famulari <leo <at> famulari.name>
to
control <at> debbugs.gnu.org.
(Mon, 26 Apr 2021 19:30:02 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Tue, 25 May 2021 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 329 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.