Message ID | 20240125222140.1805844-2-peter@korsgaard.com |
---|---|
State | Accepted |
Headers | show |
Series | [1/2] package/xwayland: security bump to version 23.2.4 | expand |
On 25/01/2024 23.21, Peter Korsgaard wrote: > Fixes the following security issues: > > 1) CVE-2023-6816 can be triggered by passing an invalid array index to > DeviceFocusEvent or ProcXIQueryPointer. > > 2) CVE-2024-0229 can be triggered if a device has both a button and a > key class and zero buttons. > > 3) CVE-2024-21885 can be triggered if a device with a given ID was > removed and a new device with the same ID added both in the same > operation. > > 4) CVE-2024-21886 can be triggered by disabling a master device with > disabled slave devices. > > 5) CVE-2024-0409 can be triggered by enabling SELinux > xserver_object_manager and running a client. > > 6) CVE-2024-0408 can be triggered by enabling SELinux > xserver_object_manager and creating a GLX PBuffer. > > For details, see the advisory: > https://lists.x.org/archives/xorg-announce/2024-January/003444.html > > Switch to .tar.gz as the announcement mail only contained hashes for that: > https://lists.x.org/archives/xorg-announce/2024-January/003442.html > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed, thanks.
On 25/01/2024 23.21, Peter Korsgaard wrote: > Fixes the following security issues: > > 1) CVE-2023-6816 can be triggered by passing an invalid array index to > DeviceFocusEvent or ProcXIQueryPointer. > > 2) CVE-2024-0229 can be triggered if a device has both a button and a > key class and zero buttons. > > 3) CVE-2024-21885 can be triggered if a device with a given ID was > removed and a new device with the same ID added both in the same > operation. > > 4) CVE-2024-21886 can be triggered by disabling a master device with > disabled slave devices. > > 5) CVE-2024-0409 can be triggered by enabling SELinux > xserver_object_manager and running a client. > > 6) CVE-2024-0408 can be triggered by enabling SELinux > xserver_object_manager and creating a GLX PBuffer. > > For details, see the advisory: > https://lists.x.org/archives/xorg-announce/2024-January/003444.html > > Switch to .tar.gz as the announcement mail only contained hashes for that: > https://lists.x.org/archives/xorg-announce/2024-January/003442.html > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2023.02.x and 2023.11.x, thanks.
diff --git a/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash b/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash index de93b11927..be636936e2 100644 --- a/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash +++ b/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash @@ -1,5 +1,5 @@ -# From https://lists.x.org/archives/xorg-announce/2023-December/003436.html -sha256 ceb0b3a2efc57ac3ccf388d3dc88b97615068639fb284d469689ae3d105611d0 xorg-server-21.1.10.tar.xz -sha512 8135d9b7c0c71f427ba0a3b80741fee4f6ae195779399b73261a00858882f3516e367a08e2da1403734b04eacabae9aa231e5375eff23b57a3ff764e9caf8926 xorg-server-21.1.10.tar.xz +# From https://lists.x.org/archives/xorg-announce/2024-January/003442.html +sha256 1aa0ee1adad0b2db7f291f3823a4ab240c7f4aea710e89f5ef4aa232b6833403 xorg-server-21.1.11.tar.gz +sha512 e41bf71955691e66084a67fc20643632087f0326d5eddc31e6edd118d05005b8ab536738c181f4c352f331ec8fc8f23ae1b45f237592fa5d7eddbffe43638b08 xorg-server-21.1.11.tar.gz # Locally calculated sha256 4cc0447a22635c7b2f1a93fec4aa94f1970fadeb72a063de006b51cf4963a06f COPYING diff --git a/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk b/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk index 4ac4283e4b..4a05582583 100644 --- a/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk +++ b/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk @@ -4,8 +4,8 @@ # ################################################################################ -XSERVER_XORG_SERVER_VERSION = 21.1.10 -XSERVER_XORG_SERVER_SOURCE = xorg-server-$(XSERVER_XORG_SERVER_VERSION).tar.xz +XSERVER_XORG_SERVER_VERSION = 21.1.11 +XSERVER_XORG_SERVER_SOURCE = xorg-server-$(XSERVER_XORG_SERVER_VERSION).tar.gz XSERVER_XORG_SERVER_SITE = https://xorg.freedesktop.org/archive/individual/xserver XSERVER_XORG_SERVER_LICENSE = MIT XSERVER_XORG_SERVER_LICENSE_FILES = COPYING
Fixes the following security issues: 1) CVE-2023-6816 can be triggered by passing an invalid array index to DeviceFocusEvent or ProcXIQueryPointer. 2) CVE-2024-0229 can be triggered if a device has both a button and a key class and zero buttons. 3) CVE-2024-21885 can be triggered if a device with a given ID was removed and a new device with the same ID added both in the same operation. 4) CVE-2024-21886 can be triggered by disabling a master device with disabled slave devices. 5) CVE-2024-0409 can be triggered by enabling SELinux xserver_object_manager and running a client. 6) CVE-2024-0408 can be triggered by enabling SELinux xserver_object_manager and creating a GLX PBuffer. For details, see the advisory: https://lists.x.org/archives/xorg-announce/2024-January/003444.html Switch to .tar.gz as the announcement mail only contained hashes for that: https://lists.x.org/archives/xorg-announce/2024-January/003442.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/x11r7/xserver_xorg-server/xserver_xorg-server.hash | 6 +++--- package/x11r7/xserver_xorg-server/xserver_xorg-server.mk | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-)