xorg-server might be vulnerable to CVE-2021-3472

Done

Details

2 participants

Nicolò Balzarotti
Leo Famulari

Owner: unassigned

Submitted by: Nicolò Balzarotti

Severity: normal

Merged with

48001

Nicolò Balzarotti wrote on 26 Apr 2021 19:25

Recipients:(address . bug-guix@gnu.org)

Message-ID:878s55rm9c.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me

Hi, just found this [fn:1]:

A flaw was found in xorg-x11-server in versions before 1.20.11. An

integer underflow can occur in xserver which can lead to a local

privilege escalation.

The commit fixing the bug should be the one at [fn:2], and latest tagged

version (1.20.11) should be fixed.

On a side note, the redhat issue tracker says that [fn:3]:

Xorg server does not run with root privileges in Red Hat Enterprise

Linux 8, therefore this flaw has been rated as having moderate impact

for Red Hat Enterprise linux 8.

Is it possible for guix too not to run the server as root? I've no idea

myself

guix refresh -l xorg-server

Building the following 73 packages would ensure 121

I just rebuilt xorg-server itself with the attached patch, and building

other packages now but it might take some time on my server. I'll let

you know how it goes.

[fn:1] https://nvd.nist.gov/vuln/detail/CVE-2021-3472

[fn:2]

https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd

[fn:3] https://bugzilla.redhat.com/show_bug.cgi?id=1944167

From a1767951a7b4631c48916f1171f577839fff0df3 Mon Sep 17 00:00:00 2001

* gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.

---

gnu/packages/xorg.scm | 5 +++--

1 file changed, 3 insertions(+), 2 deletions(-)

Toggle diff (32 lines)diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97ff8ab92b..6b6fcbafa9 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -26,6 +26,7 @@
 ;;; Copyright © 2020, 2021 Michael Rohleder <mike@rohleder.de>
 ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2020 Jean-Baptiste Note <jean-baptiste.note@m4x.org>
+;;; Copyright © 2021 Nicolò Balzarotti <nicolo@nixo.xyz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -5302,7 +5303,7 @@ over Xlib, including:
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "1.20.10")
+    (version "1.20.11")
     (source
       (origin
         (method url-fetch)
@@ -5310,7 +5311,7 @@ over Xlib, including:
                             "xorg-server-" version ".tar.bz2"))
         (sha256
          (base32
-          "16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
+          "0jacqgin8kcyy8fyv0lhgb4if8g9hp60rm3ih3s1mgps7xp7jk4i"))
         (patches
          (list
           ;; See:
-- 
2.31.1

Nicolò Balzarotti wrote on 26 Apr 2021 19:28

(no subject)

Recipients:(address . control@debbugs.gnu.org)

Message-ID:875z09rm3r.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me

tags 48039 + security

quit

Leo Famulari wrote on 26 Apr 2021 19:35

Re: bug#48039: xorg-server might be vulnerable to CVE-2021-3472

Recipients:(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 48039@debbugs.gnu.org)

Message-ID:YIb53KSJPfQf5mn6@jasmine.lan

On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:

Toggle quote (7 lines)

> From a1767951a7b4631c48916f1171f577839fff0df3 Mon Sep 17 00:00:00 2001

> From: nixo <nicolo@nixo.xyz>

> Date: Mon, 26 Apr 2021 19:22:04 +0200

> Subject: [PATCH] gnu: xorg-server: Update to 1.20.11.

> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.

Did you see https://bugs.gnu.org/48001?

We should push a fix for this bug along with
https://bugs.gnu.org/48000, since the GStreamer plugins depend on
xorg-server. Otherwise we'll have to rebuild all effected packages
twice.

Nicolò Balzarotti wrote on 26 Apr 2021 20:27

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 48039@debbugs.gnu.org)

Message-ID:8735vcsxxt.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me

Leo Famulari <leo@famulari.name> writes:

Toggle quote (5 lines)> On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
>> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
>
> Did you see <https://bugs.gnu.org/48001>?
>

Ops, sorry for the duplicate, I somehow missed it, I'm closing this

Thanks!

Nicolò Balzarotti wrote on 26 Apr 2021 20:28

(no subject)

Recipients:(address . 48039-close@debbugs.gnu.org)

Message-ID:87zgxkrjc0.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me

Leo Famulari wrote on 26 Apr 2021 21:29

Recipients:(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)

Message-ID:YIcUm//YHswe/bKP@jasmine.lan

reassign 48039 guix-patches

merge 48001 48039

Leo Famulari wrote on 26 Apr 2021 21:33

Re: bug#48039: xorg-server might be vulnerable to CVE-2021-3472

Recipients:(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 48039@debbugs.gnu.org)

Message-ID:YIcVjQ/oLozIA8Ki@jasmine.lan

On Mon, Apr 26, 2021 at 08:27:58PM +0200, Nicolï¿½ Balzarotti wrote:

Toggle quote (9 lines)

> Leo Famulari <leo@famulari.name> writes:

> > On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolï¿½ Balzarotti wrote:

> >> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.

> >

> > Did you see <https://bugs.gnu.org/48001>?

> >

> Ops, sorry for the duplicate, I somehow missed it, I'm closing this

I didn't mean for you to close your message.

We took different approaches to fixing the bug: I applied a patch, and

you updated the package.

The big difference is that your patch doesn't avoid changing the

xorg-server-for-tests package, so it can't be applied to master.

I'm merging the two tickets. I think that updating the package is a

better choice that simply patching it. I'll probably join our two

patches together and push that.

Leo Famulari wrote on 27 Apr 2021 08:02

Recipients:(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 48039-done@debbugs.gnu.org)

Message-ID:YIepBamiF2f838F2@jasmine.lan

On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:

Toggle quote (4 lines)

> I'm merging the two tickets. I think that updating the package is a

> better choice that simply patching it. I'll probably join our two

> patches together and push that.

Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out

for these bugs!

Closed

Nicolò Balzarotti wrote on 27 Apr 2021 09:18

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 48039-done@debbugs.gnu.org)

Message-ID:87v988qjot.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me

Leo Famulari <leo@famulari.name> writes:

Toggle quote (7 lines)> On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:
>> I'm merging the two tickets. I think that updating the package is a
>> better choice that simply patching it. I'll probably join our two
>> patches together and push that.
>
> Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out
> for these bugs!

Thank you!

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 48039@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 48039

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date