GNU bug report logs -
#48039
xorg-server might be vulnerable to CVE-2021-3472
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 48039 in the body.
You can then email your comments to 48039 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#48039; Package
guix.
(Mon, 26 Apr 2021 17:26:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Nicolò Balzarotti <anothersms <at> gmail.com>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Mon, 26 Apr 2021 17:26:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi, just found this [fn:1]:
A flaw was found in xorg-x11-server in versions before 1.20.11. An
integer underflow can occur in xserver which can lead to a local
privilege escalation.
The commit fixing the bug should be the one at [fn:2], and latest tagged
version (1.20.11) should be fixed.
On a side note, the redhat issue tracker says that [fn:3]:
Xorg server does not run with root privileges in Red Hat Enterprise
Linux 8, therefore this flaw has been rated as having moderate impact
for Red Hat Enterprise linux 8.
Is it possible for guix too not to run the server as root? I've no idea
myself
guix refresh -l xorg-server
Building the following 73 packages would ensure 121
I just rebuilt xorg-server itself with the attached patch, and building
other packages now but it might take some time on my server. I'll let
you know how it goes.
[fn:1] https://nvd.nist.gov/vuln/detail/CVE-2021-3472
[fn:2]
https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
[fn:3] https://bugzilla.redhat.com/show_bug.cgi?id=1944167
[0001-gnu-xorg-server-Update-to-1.20.11.patch (text/x-patch, attachment)]
Added tag(s) security.
Request was from
Nicolò Balzarotti <anothersms <at> gmail.com>
to
control <at> debbugs.gnu.org.
(Mon, 26 Apr 2021 17:30:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#48039; Package
guix.
(Mon, 26 Apr 2021 17:36:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 48039 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
> From a1767951a7b4631c48916f1171f577839fff0df3 Mon Sep 17 00:00:00 2001
> From: nixo <nicolo <at> nixo.xyz>
> Date: Mon, 26 Apr 2021 19:22:04 +0200
> Subject: [PATCH] gnu: xorg-server: Update to 1.20.11.
>
> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
Did you see <https://bugs.gnu.org/48001>?
We should push a fix for this bug along with
<https://bugs.gnu.org/48000>, since the GStreamer plugins depend on
xorg-server. Otherwise we'll have to rebuild all effected packages
twice.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#48039; Package
guix.
(Mon, 26 Apr 2021 18:29:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 48039 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
>> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
>
> Did you see <https://bugs.gnu.org/48001>?
>
Ops, sorry for the duplicate, I somehow missed it, I'm closing this
Thanks!
Reply sent
to
Nicolò Balzarotti <anothersms <at> gmail.com>:
You have taken responsibility.
(Mon, 26 Apr 2021 18:29:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Nicolò Balzarotti <anothersms <at> gmail.com>:
bug acknowledged by developer.
(Mon, 26 Apr 2021 18:29:03 GMT)
Full text and
rfc822 format available.
Message #18 received at 48039-close <at> debbugs.gnu.org (full text, mbox):
Did not alter fixed versions and reopened.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 26 Apr 2021 19:11:02 GMT)
Full text and
rfc822 format available.
bug reassigned from package 'guix' to 'guix-patches'.
Request was from
Leo Famulari <leo <at> famulari.name>
to
control <at> debbugs.gnu.org.
(Mon, 26 Apr 2021 19:30:02 GMT)
Full text and
rfc822 format available.
Merged 48001 48039.
Request was from
Leo Famulari <leo <at> famulari.name>
to
control <at> debbugs.gnu.org.
(Mon, 26 Apr 2021 19:30:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#48039; Package
guix-patches.
(Mon, 26 Apr 2021 19:34:02 GMT)
Full text and
rfc822 format available.
Message #27 received at 48039 <at> debbugs.gnu.org (full text, mbox):
On Mon, Apr 26, 2021 at 08:27:58PM +0200, Nicolò Balzarotti wrote:
> Leo Famulari <leo <at> famulari.name> writes:
>
> > On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
> >> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
> >
> > Did you see <https://bugs.gnu.org/48001>?
> >
> Ops, sorry for the duplicate, I somehow missed it, I'm closing this
I didn't mean for you to close your message.
We took different approaches to fixing the bug: I applied a patch, and
you updated the package.
The big difference is that your patch doesn't avoid changing the
xorg-server-for-tests package, so it can't be applied to master.
I'm merging the two tickets. I think that updating the package is a
better choice that simply patching it. I'll probably join our two
patches together and push that.
Reply sent
to
Leo Famulari <leo <at> famulari.name>:
You have taken responsibility.
(Tue, 27 Apr 2021 06:04:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Nicolò Balzarotti <anothersms <at> gmail.com>:
bug acknowledged by developer.
(Tue, 27 Apr 2021 06:04:02 GMT)
Full text and
rfc822 format available.
Message #32 received at 48039-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:
> I'm merging the two tickets. I think that updating the package is a
> better choice that simply patching it. I'll probably join our two
> patches together and push that.
Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out
for these bugs!
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Leo Famulari <leo <at> famulari.name>:
You have taken responsibility.
(Tue, 27 Apr 2021 06:04:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Tue, 27 Apr 2021 06:04:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#48039; Package
guix-patches.
(Tue, 27 Apr 2021 07:19:01 GMT)
Full text and
rfc822 format available.
Message #40 received at 48039-done <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:
>> I'm merging the two tickets. I think that updating the package is a
>> better choice that simply patching it. I'll probably join our two
>> patches together and push that.
>
> Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out
> for these bugs!
Thank you!
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Tue, 25 May 2021 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 328 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.