GNU bug report logs - #74248
[PATCH 0/3] Update xorg-server and xwayland for CVE-2024-9632.

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 74248 in the body.
You can then email your comments to 74248 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
To: guix-patches <at> gnu.org
Cc: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
Subject: [PATCH 0/3] Update xorg-server and xwayland for CVE-2024-9632.
Date: Thu, 07 Nov 2024 21:33:03 +0000

This patch series updates xorg-server and xorg-server-xwayland to their latest
versions to fix CVE-2024-9632, which Red Hat has rated "7.8 High" according to
https://nvd.nist.gov/vuln/detail/CVE-2024-9632.

The updated Xwayland depends on a newer version of presentproto than is
available in the current xorgproto package, so I added xorgproto-next to
satisfy Xwayland's dependency while avoiding triggering 10761 additional
package rebuilds.

Kaelyn Takata (3):
  gnu: xorg-server: Update to 21.1.14. [security fixes]
  gnu: Add xorgproto-next.
  gnu: xorg-server-xwayland: Update to 24.1.4 [security fixes].

 gnu/packages/xorg.scm | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)


base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
--
2.46.0

Message #8 received at 74248 <at> debbugs.gnu.org (full text, mbox):

From: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
To: 74248 <at> debbugs.gnu.org
Cc: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
Subject: [PATCH 1/3] gnu: xorg-server: Update to 21.1.14. [security fixes]
Date: Thu, 07 Nov 2024 21:41:27 +0000

This fixes CVE-2024-9632.

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.14.

Change-Id: I35fdd57991eef89fe339a0f79d361e05985187ce
---
 gnu/packages/xorg.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 0de08a4ad1..1c5201a836 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5017,7 +5017,7 @@ (define-public libxcvt
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "21.1.12")
+    (version "21.1.14")
     (source
      (origin
        (method url-fetch)
@@ -5025,7 +5025,7 @@ (define-public xorg-server
                            "/xserver/xorg-server-" version ".tar.xz"))
        (sha256
         (base32
-         "03x954bygi6sdynk5yy3yvsfhg6i9gjhisn3x9jxvk5mw4mnw08y"))
+         "0dgfajrnkr8d61z1fjn249s3q1pm23v9w2f1aqb7sx64pp7048cg"))
        (patches
         (list
          ;; See:
-- 
2.46.0

Message #11 received at 74248 <at> debbugs.gnu.org (full text, mbox):

From: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
To: 74248 <at> debbugs.gnu.org
Cc: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
Subject: [PATCH 2/3] gnu: Add xorgproto-next.
Date: Thu, 07 Nov 2024 21:41:34 +0000

* gnu/packages/xorg.scm (xorgproto-next): New variable.

Change-Id: Ib546f911c717611a1dbe10ef6f02e47e00e88a51
---
 gnu/packages/xorg.scm | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 1c5201a836..97a2d8a78a 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -264,6 +264,28 @@ (define-public xorgproto
 the core protocol and (many) extensions for the X Window System.")
     (license license:x11)))
 
+(define-public xorgproto-next
+  (package
+    (name "xorgproto")
+    (version "2024.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://xorg/individual/proto"
+                                  "/xorgproto-" version ".tar.xz"))
+              (sha256
+               (base32
+                "0nfbbi4j130m2gxzp20hp642xizbbl68jpbzahiq8nw183yja8ip"))))
+    (build-system gnu-build-system)
+    (propagated-inputs
+     ;; To get util-macros in (almost?) all package inputs.
+     (list util-macros))
+    (home-page "https://cgit.freedesktop.org/xorg/proto/xorgproto")
+    (synopsis "Xorg protocol headers")
+    (description
+     "This package provides the headers and specification documents defining
+the core protocol and (many) extensions for the X Window System.")
+    (license license:x11)))
+
 (define-public bigreqsproto
   (package
     (name "bigreqsproto")
-- 
2.46.0

Message #14 received at 74248 <at> debbugs.gnu.org (full text, mbox):

From: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
To: 74248 <at> debbugs.gnu.org
Cc: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
Subject: [PATCH 3/3] gnu: xorg-server-xwayland: Update to 24.1.4 [security
 fixes].
Date: Thu, 07 Nov 2024 21:41:38 +0000

This fixes CVE-2024-9632.

* gnu/packages/xorg.scm (xorg-server-xwayland): Update to 24.1.4.
[inputs]: Replace xorgproto with xorgproto-next.
[arguments]<#:configure-flags>: Remove unsupported flag.

Change-Id: Ie8542fdbbf9a49a79df2b4cd7b9a919b2f547f5f
---
 gnu/packages/xorg.scm | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97a2d8a78a..4e833abb44 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5295,7 +5295,7 @@ (define-public egl-wayland
 (define-public xorg-server-xwayland
   (package
     (name "xorg-server-xwayland")
-    (version "23.2.5")
+    (version "24.1.4")
     (source
      (origin
        (method url-fetch)
@@ -5303,7 +5303,7 @@ (define-public xorg-server-xwayland
                            "/xserver/xwayland-" version ".tar.xz"))
        (sha256
         (base32
-         "145xykwmyqkaa8zrbn5fnvnff67iral9mc5raamglnbsd3r7zv1k"))))
+         "1x1lmw1br3dxxfppfny1vkmk2l2vk5248i3k05smb7w1mgdphsnr"))))
     (inputs (list font-dejavu
                   dbus
                   egl-wayland
@@ -5321,7 +5321,7 @@ (define-public xorg-server-xwayland
                   wayland-protocols
                   xkbcomp
                   xkeyboard-config
-                  xorgproto
+                  xorgproto-next
                   xtrans))
     (native-inputs (cons pkg-config
                          (if (%current-target-system)
@@ -5333,8 +5333,7 @@ (define-public xorg-server-xwayland
     (build-system meson-build-system)
     (arguments
      `(#:configure-flags
-       (list "-Dxwayland_eglstream=true"
-             (string-append "-Dxkb_dir="
+       (list (string-append "-Dxkb_dir="
                             (assoc-ref %build-inputs "xkeyboard-config")
                             "/share/X11/xkb")
              (string-append "-Dxkb_bin_dir="
-- 
2.46.0

Message #17 received at 74248 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: 74248 <at> debbugs.gnu.org
Cc: Steve George <steve <at> futurile.net>
Subject: Comment
Date: Wed, 27 Nov 2024 23:30:11 +0100

Hello,

I just checked how many packages depend on xorg-server (650) and
xorgproto (40). So I think there is no need for xorgproto-next, you could
simply update xorgproto directly.

Andreas

Message #22 received at 74248-done <at> debbugs.gnu.org (full text, mbox):

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
Cc: 74248-done <at> debbugs.gnu.org, Andreas Enge <andreas <at> enge.fr>,
 Steve George <steve <at> futurile.net>
Subject: Re: [bug#74248] [PATCH 0/3] Update xorg-server and xwayland for
 CVE-2024-9632.
Date: Thu, 28 Nov 2024 05:31:03 +0000

Hi Kaelyn,

(Andreas: your message did not go to the original author; CC'ing you and
Steve who you CC'ed in your message. If using debbugs through Emacs, for
instance, make sure you do a "wide-reply" or else the author isn't
included. I really wish a bug number email was an alias for a list.)

On Thu, Nov 07, 2024 at 09:33 PM, Kaelyn Takata wrote:

> This patch series updates xorg-server and xorg-server-xwayland to their latest
> versions to fix CVE-2024-9632, which Red Hat has rated "7.8 High" according to
> https://nvd.nist.gov/vuln/detail/CVE-2024-9632.
>
> The updated Xwayland depends on a newer version of presentproto than is
> available in the current xorgproto package, so I added xorgproto-next to
> satisfy Xwayland's dependency while avoiding triggering 10761 additional
> package rebuilds.
>

Thanks for the patches, sorry I missed this earlier.

> Kaelyn Takata (3):
>   gnu: xorg-server: Update to 21.1.14. [security fixes]

I've applied this now as dd4b96e72c8fda4b025a75b47212e06e381e9ea1 (with
a minor change to move a period.)

>   gnu: Add xorgproto-next.
>   gnu: xorg-server-xwayland: Update to 24.1.4 [security fixes].
>

These two look like they were done similarly by Danny in
e6d1f571957e5668b844939070174aedf0bec673. CC'ing just to close the loop
here.

>  gnu/packages/xorg.scm | 35 ++++++++++++++++++++++++++++-------
>  1 file changed, 28 insertions(+), 7 deletions(-)
>
>
> base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
> --
> 2.46.0

Thanks!
John

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.