GNU bug report logs

#48039 xorg-server might be vulnerable to CVE-2021-3472

PackageSource(s)Maintainer(s)
guix-patches PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 26 Apr 2021 17:25:56 +0000
From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 26 13:25:55 2021
Received: from localhost ([127.0.0.1]:47052 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lb4zX-0000cj-15
	for submit@debbugs.gnu.org; Mon, 26 Apr 2021 13:25:55 -0400
Received: from lists.gnu.org ([209.51.188.17]:51614)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <anothersms@gmail.com>) id 1lb4zU-0000cZ-W0
 for submit@debbugs.gnu.org; Mon, 26 Apr 2021 13:25:49 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:56080)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <anothersms@gmail.com>)
 id 1lb4zQ-0000cn-81
 for bug-guix@gnu.org; Mon, 26 Apr 2021 13:25:44 -0400
Received: from mail-ej1-x634.google.com ([2a00:1450:4864:20::634]:46884)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <anothersms@gmail.com>)
 id 1lb4zM-0006hU-EY
 for bug-guix@gnu.org; Mon, 26 Apr 2021 13:25:44 -0400
Received: by mail-ej1-x634.google.com with SMTP id u21so85647109ejo.13
 for <bug-guix@gnu.org>; Mon, 26 Apr 2021 10:25:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:subject:date:message-id:mime-version;
 bh=S56BbzcMk5KszSAEFoxFjg3QGCZFvkq3ecixCKCr1y8=;
 b=Z2BXaGItboK8TmTp0nzg6EC1xt2IaaDCozxY4Ep828tWSgzBpoWAsqRm9bbUWLTsDS
 zWlZBXdvG+UflvByWrTI1pFjjxEVEmAT4TM2aVAtJvhBo/REpGBkHC04ejZT0K/M4Xuc
 GvV23p5Dn4voMCG1Rlvcoq6CHsRtOqoH60XAQ5C6pSkvPmggHtVHmFfvy7/GcYt/W5IJ
 Ka4mSuzyOIOQRFYBl3AsAEE2ij5+u3MJzL7xGJVVfMPhsQoonoVQIXWobVlYsXkqL4+a
 Z3NZeca/nyXyKaTZ5wQQ8gLlG/qAcKjET+qAifa2gh3bvbmQp2nANsL6RgCcxPX9H3yl
 0Egw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:subject:date:message-id:mime-version;
 bh=S56BbzcMk5KszSAEFoxFjg3QGCZFvkq3ecixCKCr1y8=;
 b=VpvgYtZbBVRYn0PHQeK9YgKDqjqvuoVsuzqaeRz5oFpKn+z7j7hS3Eo8rqS7M4l3Kh
 8GJYsnlRnaYJlOa8oMECpoXp0xCe+m3KceLuJ/3GNnyA0MkO+fqyRvIVtiT+ivyXf3Hr
 8GGtcv4NzCHtd2gi4bIq21SYur0jTCV6TH+xkmI/j+MgHklHmzy9qW7XDrUSUtvHHM3w
 FsRyJs69HpyY107/CGpjzP68ED/LhdUbKQ6X7eNgOH+i3vAqpKKt+NHgvFs5MHKYeOAv
 +N0RulVaxv7vaAm1JFwEwRMI9/BvlLY/BDurk4T0VW8LoeoFRunlG4F264cl6kTo/BOG
 Unvg==
X-Gm-Message-State: AOAM531xSssWtLKyglh/FJjIkatyP6QOBJZUtDlyytKIa/+3asKUWsKk
 kj4Lj9DMipuwPN+qv4U6V2Pda9XXD3A=
X-Google-Smtp-Source: ABdhPJx8e2En9OwEnn/OqFlJ5TN7mXyUOk9f42i+pDJKUDwZV7YLqRfGSvbEGcFK9IHqSj9HTHlEgw==
X-Received: by 2002:a17:906:e28c:: with SMTP id
 gg12mr2641785ejb.483.1619457938131; 
 Mon, 26 Apr 2021 10:25:38 -0700 (PDT)
Received: from guixSD (host-79-17-142-89.retail.telecomitalia.it.
 [79.17.142.89])
 by smtp.gmail.com with ESMTPSA id e5sm11904984ejq.85.2021.04.26.10.25.37
 for <bug-guix@gnu.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 26 Apr 2021 10:25:37 -0700 (PDT)
From: Nicolò Balzarotti <anothersms@gmail.com>
To: bug-guix@gnu.org
Subject: xorg-server might be vulnerable to CVE-2021-3472
Date: Mon, 26 Apr 2021 19:25:35 +0200
Message-ID: <878s55rm9c.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Received-SPF: pass client-ip=2a00:1450:4864:20::634;
 envelope-from=anothersms@gmail.com; helo=mail-ej1-x634.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.7 (/)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.3 (/)

[Message part 1 (text/plain, inline)]
Hi, just found this [fn:1]:

A flaw was found in xorg-x11-server in versions before 1.20.11. An
integer underflow can occur in xserver which can lead to a local
privilege escalation.

The commit fixing the bug should be the one at [fn:2], and latest tagged
version (1.20.11) should be fixed.

On a side note, the redhat issue tracker says that [fn:3]:

Xorg server does not run with root privileges in Red Hat Enterprise
Linux 8, therefore this flaw has been rated as having moderate impact
for Red Hat Enterprise linux 8.

Is it possible for guix too not to run the server as root?  I've no idea
myself

guix refresh -l xorg-server
Building the following 73 packages would ensure 121

I just rebuilt xorg-server itself with the attached patch, and building
other packages now but it might take some time on my server.  I'll let
you know how it goes.

[fn:1] https://nvd.nist.gov/vuln/detail/CVE-2021-3472
[fn:2]
https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
[fn:3] https://bugzilla.redhat.com/show_bug.cgi?id=1944167


[0001-gnu-xorg-server-Update-to-1.20.11.patch (text/x-patch, attachment)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Tue Mar 11 07:01:45 2025; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.