From patchwork Thu Jan 25 22:21:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Korsgaard X-Patchwork-Id: 1891043 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TLb0R58ltz23fD for ; Fri, 26 Jan 2024 09:21:56 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 5C03C402A7; Thu, 25 Jan 2024 22:21:53 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 5C03C402A7 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gxg3NdKCEaJ4; Thu, 25 Jan 2024 22:21:52 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp2.osuosl.org (Postfix) with ESMTP id 3DDB64369E; Thu, 25 Jan 2024 22:21:51 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 3DDB64369E X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id 0CCE11BF321 for ; Thu, 25 Jan 2024 22:21:50 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id D9ACE85553 for ; Thu, 25 Jan 2024 22:21:49 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org D9ACE85553 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PvapqcAPXoMR for ; Thu, 25 Jan 2024 22:21:46 +0000 (UTC) Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [IPv6:2001:4b98:dc4:8::222]) by smtp1.osuosl.org (Postfix) with ESMTPS id C7A2185544 for ; Thu, 25 Jan 2024 22:21:45 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org C7A2185544 Received: by mail.gandi.net (Postfix) with ESMTPSA id 7EBA940004; Thu, 25 Jan 2024 22:21:42 +0000 (UTC) Received: from peko by dell.be.48ers.dk with local (Exim 4.96) (envelope-from ) id 1rT86P-007Zmm-2u; Thu, 25 Jan 2024 23:21:41 +0100 From: Peter Korsgaard To: buildroot@buildroot.org Date: Thu, 25 Jan 2024 23:21:39 +0100 Message-Id: <20240125222140.1805844-1-peter@korsgaard.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-GND-Sasl: peter@korsgaard.com Subject: [Buildroot] [PATCH 1/2] package/xwayland: security bump to version 23.2.4 X-BeenThere: buildroot@buildroot.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Raphael Pavlidis Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" Fixes the following security issues: 1) CVE-2023-6816 can be triggered by passing an invalid array index to DeviceFocusEvent or ProcXIQueryPointer. 2) CVE-2024-0229 can be triggered if a device has both a button and a key class and zero buttons. 3) CVE-2024-21885 can be triggered if a device with a given ID was removed and a new device with the same ID added both in the same operation. 4) CVE-2024-21886 can be triggered by disabling a master device with disabled slave devices. 5) CVE-2024-0409 can be triggered by enabling SELinux xserver_object_manager and running a client. 6) CVE-2024-0408 can be triggered by enabling SELinux xserver_object_manager and creating a GLX PBuffer. For details, see the advisory: https://lists.x.org/archives/xorg-announce/2024-January/003444.html Signed-off-by: Peter Korsgaard --- package/x11r7/xwayland/xwayland.hash | 6 +++--- package/x11r7/xwayland/xwayland.mk | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/x11r7/xwayland/xwayland.hash b/package/x11r7/xwayland/xwayland.hash index 533ef9de86..5bb26bf17e 100644 --- a/package/x11r7/xwayland/xwayland.hash +++ b/package/x11r7/xwayland/xwayland.hash @@ -1,6 +1,6 @@ -# From https://lists.x.org/archives/xorg-announce/2023-December/003437.html -sha256 eb9d9aa7232c47412c8835ec15a97c575f03563726c787754ff0c019bd07e302 xwayland-23.2.3.tar.xz -sha512 37198aa2f06313a0cb2add51cc78f81b26a42f2c9d55a0d3eecf958777107ea5560961c128f2d0af055f7460ba10fadb1b9050251c2c50f2251b40ab517e79cd xwayland-23.2.3.tar.xz +# From https://lists.x.org/archives/xorg-announce/2024-January/003443.html +sha256 a99e159b6d0d33098b3b6ab22a88bfcece23c8b9d0ca72c535c55dcb0681b46b xwayland-23.2.4.tar.xz +sha512 ac3ff208cbef5bbe4637c335cfda226489c93b0a3768f2f4fb0201c588485ede38262fbce77ef1425b3d2a0be61b6580df53341c7b95e6072c8b6371ad29d187 xwayland-23.2.4.tar.xz # Locally calculated sha256 4cc0447a22635c7b2f1a93fec4aa94f1970fadeb72a063de006b51cf4963a06f COPYING diff --git a/package/x11r7/xwayland/xwayland.mk b/package/x11r7/xwayland/xwayland.mk index 8f4bcd8117..c66dd471ac 100644 --- a/package/x11r7/xwayland/xwayland.mk +++ b/package/x11r7/xwayland/xwayland.mk @@ -4,7 +4,7 @@ # ################################################################################ -XWAYLAND_VERSION = 23.2.3 +XWAYLAND_VERSION = 23.2.4 XWAYLAND_SOURCE = xwayland-$(XWAYLAND_VERSION).tar.xz XWAYLAND_SITE = https://xorg.freedesktop.org/archive/individual/xserver XWAYLAND_LICENSE = MIT From patchwork Thu Jan 25 22:21:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Korsgaard X-Patchwork-Id: 1891044 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TLb0g5x3Zz23fD for ; Fri, 26 Jan 2024 09:22:11 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id E10AB4369E; Thu, 25 Jan 2024 22:22:08 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org E10AB4369E X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fblcRc7l_yeC; Thu, 25 Jan 2024 22:22:07 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp2.osuosl.org (Postfix) with ESMTP id C3BC5436CD; Thu, 25 Jan 2024 22:22:06 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org C3BC5436CD X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by ash.osuosl.org (Postfix) with ESMTP id 4E2CD1BF321 for ; Thu, 25 Jan 2024 22:21:50 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 271C64637A for ; Thu, 25 Jan 2024 22:21:50 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 271C64637A X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2j13VISSHXZJ for ; Thu, 25 Jan 2024 22:21:46 +0000 (UTC) Received: from relay9-d.mail.gandi.net (relay9-d.mail.gandi.net [IPv6:2001:4b98:dc4:8::229]) by smtp4.osuosl.org (Postfix) with ESMTPS id 03FBB42D9F for ; Thu, 25 Jan 2024 22:21:45 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 03FBB42D9F Received: by mail.gandi.net (Postfix) with ESMTPSA id E9F7CFF802; Thu, 25 Jan 2024 22:21:42 +0000 (UTC) Received: from peko by dell.be.48ers.dk with local (Exim 4.96) (envelope-from ) id 1rT86Q-007Zms-1B; Thu, 25 Jan 2024 23:21:42 +0100 From: Peter Korsgaard To: buildroot@buildroot.org Date: Thu, 25 Jan 2024 23:21:40 +0100 Message-Id: <20240125222140.1805844-2-peter@korsgaard.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240125222140.1805844-1-peter@korsgaard.com> References: <20240125222140.1805844-1-peter@korsgaard.com> MIME-Version: 1.0 X-GND-Sasl: peter@korsgaard.com Subject: [Buildroot] [PATCH 2/2] package/xserver_xorg-server: security bump to version 21.1.11 X-BeenThere: buildroot@buildroot.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" Fixes the following security issues: 1) CVE-2023-6816 can be triggered by passing an invalid array index to DeviceFocusEvent or ProcXIQueryPointer. 2) CVE-2024-0229 can be triggered if a device has both a button and a key class and zero buttons. 3) CVE-2024-21885 can be triggered if a device with a given ID was removed and a new device with the same ID added both in the same operation. 4) CVE-2024-21886 can be triggered by disabling a master device with disabled slave devices. 5) CVE-2024-0409 can be triggered by enabling SELinux xserver_object_manager and running a client. 6) CVE-2024-0408 can be triggered by enabling SELinux xserver_object_manager and creating a GLX PBuffer. For details, see the advisory: https://lists.x.org/archives/xorg-announce/2024-January/003444.html Switch to .tar.gz as the announcement mail only contained hashes for that: https://lists.x.org/archives/xorg-announce/2024-January/003442.html Signed-off-by: Peter Korsgaard --- package/x11r7/xserver_xorg-server/xserver_xorg-server.hash | 6 +++--- package/x11r7/xserver_xorg-server/xserver_xorg-server.mk | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash b/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash index de93b11927..be636936e2 100644 --- a/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash +++ b/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash @@ -1,5 +1,5 @@ -# From https://lists.x.org/archives/xorg-announce/2023-December/003436.html -sha256 ceb0b3a2efc57ac3ccf388d3dc88b97615068639fb284d469689ae3d105611d0 xorg-server-21.1.10.tar.xz -sha512 8135d9b7c0c71f427ba0a3b80741fee4f6ae195779399b73261a00858882f3516e367a08e2da1403734b04eacabae9aa231e5375eff23b57a3ff764e9caf8926 xorg-server-21.1.10.tar.xz +# From https://lists.x.org/archives/xorg-announce/2024-January/003442.html +sha256 1aa0ee1adad0b2db7f291f3823a4ab240c7f4aea710e89f5ef4aa232b6833403 xorg-server-21.1.11.tar.gz +sha512 e41bf71955691e66084a67fc20643632087f0326d5eddc31e6edd118d05005b8ab536738c181f4c352f331ec8fc8f23ae1b45f237592fa5d7eddbffe43638b08 xorg-server-21.1.11.tar.gz # Locally calculated sha256 4cc0447a22635c7b2f1a93fec4aa94f1970fadeb72a063de006b51cf4963a06f COPYING diff --git a/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk b/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk index 4ac4283e4b..4a05582583 100644 --- a/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk +++ b/package/x11r7/xserver_xorg-server/xserver_xorg-server.mk @@ -4,8 +4,8 @@ # ################################################################################ -XSERVER_XORG_SERVER_VERSION = 21.1.10 -XSERVER_XORG_SERVER_SOURCE = xorg-server-$(XSERVER_XORG_SERVER_VERSION).tar.xz +XSERVER_XORG_SERVER_VERSION = 21.1.11 +XSERVER_XORG_SERVER_SOURCE = xorg-server-$(XSERVER_XORG_SERVER_VERSION).tar.gz XSERVER_XORG_SERVER_SITE = https://xorg.freedesktop.org/archive/individual/xserver XSERVER_XORG_SERVER_LICENSE = MIT XSERVER_XORG_SERVER_LICENSE_FILES = COPYING