GNU bug report logs - #48039
xorg-server might be vulnerable to CVE-2021-3472

Previous Next

Package: guix-patches;

Reported by: Nicolò Balzarotti <anothersms <at> gmail.com>

Date: Mon, 26 Apr 2021 17:26:01 UTC

Severity: normal

Tags: patch, security

Merged with 48001

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Nicolò Balzarotti <anothersms <at> gmail.com>
Subject: bug#48039: closed (Re: bug#48039: xorg-server might be vulnerable
 to CVE-2021-3472)
Date: Tue, 27 Apr 2021 06:04:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#48039: xorg-server might be vulnerable to CVE-2021-3472

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 48039 <at> debbugs.gnu.org.

-- 
48039: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=48039
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: Nicolò Balzarotti <anothersms <at> gmail.com>
Cc: 48039-done <at> debbugs.gnu.org
Subject: Re: bug#48039: xorg-server might be vulnerable to CVE-2021-3472
Date: Tue, 27 Apr 2021 02:02:45 -0400

[Message part 3 (text/plain, inline)]
On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:
> I'm merging the two tickets. I think that updating the package is a
> better choice that simply patching it. I'll probably join our two
> patches together and push that.

Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out
for these bugs!

[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Nicolò Balzarotti <anothersms <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: xorg-server might be vulnerable to CVE-2021-3472
Date: Mon, 26 Apr 2021 19:25:35 +0200

[Message part 6 (text/plain, inline)]
Hi, just found this [fn:1]:

A flaw was found in xorg-x11-server in versions before 1.20.11. An
integer underflow can occur in xserver which can lead to a local
privilege escalation.

The commit fixing the bug should be the one at [fn:2], and latest tagged
version (1.20.11) should be fixed.

On a side note, the redhat issue tracker says that [fn:3]:

Xorg server does not run with root privileges in Red Hat Enterprise
Linux 8, therefore this flaw has been rated as having moderate impact
for Red Hat Enterprise linux 8.

Is it possible for guix too not to run the server as root?  I've no idea
myself

guix refresh -l xorg-server
Building the following 73 packages would ensure 121

I just rebuilt xorg-server itself with the attached patch, and building
other packages now but it might take some time on my server.  I'll let
you know how it goes.

[fn:1] https://nvd.nist.gov/vuln/detail/CVE-2021-3472
[fn:2]
https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
[fn:3] https://bugzilla.redhat.com/show_bug.cgi?id=1944167


[0001-gnu-xorg-server-Update-to-1.20.11.patch (text/x-patch, attachment)]
This bug report was last modified 4 years and 27 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.