xorg-server might be vulnerable to CVE-2021-3472

  • Done
  • quality assurance status badge
Details
2 participants
  • Nicolò Balzarotti
  • Leo Famulari
Owner
unassigned
Submitted by
Nicolò Balzarotti
Severity
normal
Merged with
N
N
Nicolò Balzarotti wrote on 26 Apr 2021 19:25
(address . bug-guix@gnu.org)
878s55rm9c.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Hi, just found this [fn:1]:

A flaw was found in xorg-x11-server in versions before 1.20.11. An
integer underflow can occur in xserver which can lead to a local
privilege escalation.

The commit fixing the bug should be the one at [fn:2], and latest tagged
version (1.20.11) should be fixed.

On a side note, the redhat issue tracker says that [fn:3]:

Xorg server does not run with root privileges in Red Hat Enterprise
Linux 8, therefore this flaw has been rated as having moderate impact
for Red Hat Enterprise linux 8.

Is it possible for guix too not to run the server as root? I've no idea
myself

guix refresh -l xorg-server
Building the following 73 packages would ensure 121

I just rebuilt xorg-server itself with the attached patch, and building
other packages now but it might take some time on my server. I'll let
you know how it goes.

[fn:2]
From a1767951a7b4631c48916f1171f577839fff0df3 Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Mon, 26 Apr 2021 19:22:04 +0200
Subject: [PATCH] gnu: xorg-server: Update to 1.20.11.

* gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
---
gnu/packages/xorg.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

Toggle diff (32 lines)
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 97ff8ab92b..6b6fcbafa9 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -26,6 +26,7 @@
;;; Copyright © 2020, 2021 Michael Rohleder <mike@rohleder.de>
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2020 Jean-Baptiste Note <jean-baptiste.note@m4x.org>
+;;; Copyright © 2021 Nicolò Balzarotti <nicolo@nixo.xyz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -5302,7 +5303,7 @@ over Xlib, including:
(define-public xorg-server
(package
(name "xorg-server")
- (version "1.20.10")
+ (version "1.20.11")
(source
(origin
(method url-fetch)
@@ -5310,7 +5311,7 @@ over Xlib, including:
"xorg-server-" version ".tar.bz2"))
(sha256
(base32
- "16bwrf0ag41l7jbrllbix8z6avc5yimga7ihvq4ch3a5hb020x4p"))
+ "0jacqgin8kcyy8fyv0lhgb4if8g9hp60rm3ih3s1mgps7xp7jk4i"))
(patches
(list
;; See:
--
2.31.1
N
N
Nicolò Balzarotti wrote on 26 Apr 2021 19:28
(no subject)
(address . control@debbugs.gnu.org)
875z09rm3r.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
tags 48039 + security
quit
L
L
Leo Famulari wrote on 26 Apr 2021 19:35
Re: bug#48039: xorg-server might be vulnerable to CVE-2021-3472
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 48039@debbugs.gnu.org)
YIb53KSJPfQf5mn6@jasmine.lan
On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
Toggle quote (7 lines)
> From a1767951a7b4631c48916f1171f577839fff0df3 Mon Sep 17 00:00:00 2001
> From: nixo <nicolo@nixo.xyz>
> Date: Mon, 26 Apr 2021 19:22:04 +0200
> Subject: [PATCH] gnu: xorg-server: Update to 1.20.11.
>
> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.


We should push a fix for this bug along with
https://bugs.gnu.org/48000, since the GStreamer plugins depend on
xorg-server. Otherwise we'll have to rebuild all effected packages
twice.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmCG+dwACgkQJkb6MLrK
fwhBphAA6dA4WeYrPw/z2sW846GVgwnTb/gtk5ESCl/7G5W+9sCXZJX406DUUWTT
+6YxrgMKeaUTiUwj/SY1kfG07osXu/TEOMnr3w1nNPxn1mpbfrgV1ExbrH7UyEkM
4AYwECTEBxAZCxRIJvehjkCpGqk5ah+O4sllU6tp94RaT2B5HhCsZvHz6i3Vcwf/
3ynCaZNlqWOijZ0cKpDaahgrTUKt7GwctOxGC9tQUudMofHFcb/9ZYMRCxq5ZQRq
XXIEuFZNaPLbyVL+ijc0R3/IS99l0qX1wnrbuGHEMVjRyEZ27Va5MRbCiDHK0Rni
6uUHrcoaigilfuADrPC05+KGXvoq5XWir9KsaGy3+TEn0RI+FyFasmMfGGSHrM7A
IYgU8P7VaW9a9GCo6v1KmFTleAKOpwuv+3k1zg5SPViQoBDeKBCXhTn2WV0+bDvt
o/R9fYIAelqWl37rB2R0m00AGgvvxOSdAFz3oDWzoyd+1k1cy+Y9ewlRFbK8Uf5g
mJPByrYD9fimTSfZtffOWn4G+2LPvmd9SRxvtKDC3PD+6y9URE/VHs2Eb/tpQzHb
GeSejaBLFVe45h2lQkva5MMGmAROOFYgicEPgLAyHfFsY++P55zkOijI2v724irc
Z4CArw+SC3evesp39PDhX4rpr0L1b1Fz5lPM+LIFoIQwQElYsqo=
=RrgV
-----END PGP SIGNATURE-----


N
N
Nicolò Balzarotti wrote on 26 Apr 2021 20:27
(name . Leo Famulari)(address . leo@famulari.name)(address . 48039@debbugs.gnu.org)
8735vcsxxt.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Leo Famulari <leo@famulari.name> writes:

Toggle quote (5 lines)
> On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicolò Balzarotti wrote:
>> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
>
> Did you see <https://bugs.gnu.org/48001>?
>
Ops, sorry for the duplicate, I somehow missed it, I'm closing this

Thanks!
N
N
Nicolò Balzarotti wrote on 26 Apr 2021 20:28
(no subject)
(address . 48039-close@debbugs.gnu.org)
87zgxkrjc0.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me

L
L
Leo Famulari wrote on 26 Apr 2021 21:29
(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)
YIcUm//YHswe/bKP@jasmine.lan
reassign 48039 guix-patches
merge 48001 48039
L
L
Leo Famulari wrote on 26 Apr 2021 21:33
Re: bug#48039: xorg-server might be vulnerable to CVE-2021-3472
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 48039@debbugs.gnu.org)
YIcVjQ/oLozIA8Ki@jasmine.lan
On Mon, Apr 26, 2021 at 08:27:58PM +0200, Nicol� Balzarotti wrote:
Toggle quote (9 lines)
> Leo Famulari <leo@famulari.name> writes:
>
> > On Mon, Apr 26, 2021 at 07:25:35PM +0200, Nicol� Balzarotti wrote:
> >> * gnu/packages/xorg.scm (xorg-server): Update to 1.20.11.
> >
> > Did you see <https://bugs.gnu.org/48001>?
> >
> Ops, sorry for the duplicate, I somehow missed it, I'm closing this

I didn't mean for you to close your message.

We took different approaches to fixing the bug: I applied a patch, and
you updated the package.

The big difference is that your patch doesn't avoid changing the
xorg-server-for-tests package, so it can't be applied to master.

I'm merging the two tickets. I think that updating the package is a
better choice that simply patching it. I'll probably join our two
patches together and push that.
L
L
Leo Famulari wrote on 27 Apr 2021 08:02
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 48039-done@debbugs.gnu.org)
YIepBamiF2f838F2@jasmine.lan
On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:
Toggle quote (4 lines)
> I'm merging the two tickets. I think that updating the package is a
> better choice that simply patching it. I'll probably join our two
> patches together and push that.

Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out
for these bugs!
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmCHqQUACgkQJkb6MLrK
fwiVbBAAmXoEpLiR3rZs+6k5kJx67p5WFYU3iLxdHRwd7kPcQwtGxO7fJzRh5x38
maGEwsiA0fRvaqtEPURQJTR5CneBrIOvwhqffdJDmLQo+4d+3SXqiekXE1ZaksJe
/xHve5xbd6Jh5o4dC3i+nnT0jYhlI2PiSflxIBazID/0jOKs4YQPTcDs9m6K0VMy
mrm/1jPtg3ROO1V5xdpOsaau96iUsCdWmrhETLPclpb+TJnoi3S25To+ij8xFPe5
jaQhAdHIwTzYmAShY+Th+KHA7rumpLFKVFh7ZEJVwkr1LW3r++Nr1nd6vnMFgV36
9PgZFCtCT46qxdKR7IQFQNDWdovhgemWtKzvMsBM9+VAJasbjpl8i1e66X0xua5D
SMbAKAhP2mbDGYfAUNat6dtMSmmEcN2May7Ndc/lGkUDcqPYyEoiC3IMQ7V5TH7z
UTe9FV1cSb5n/E4G7KOk8k8Aj8rxR89TZv9dmtfXxK/BIpdKi9k35ZFmxHuFrF3I
6cIXrU2gUPS0bzkhYNDQixB4M1MKz4umUFmrjijM8rGgCZaIr1aD2QKO+iSaqGJG
7GIiZ2GKvayp2MPjJ5B9c08Xs6uxTB9oG2hMw+OObqSoh6S+3zOs02ch5GD06TmK
J1nziLksaSPjDK8gH7mS7eHjHkLXiviUjQ4wSJwTw8ZWjv4x93k=
=ViAC
-----END PGP SIGNATURE-----


Closed
N
N
Nicolò Balzarotti wrote on 27 Apr 2021 09:18
(name . Leo Famulari)(address . leo@famulari.name)(address . 48039-done@debbugs.gnu.org)
87v988qjot.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Leo Famulari <leo@famulari.name> writes:

Toggle quote (7 lines)
> On Mon, Apr 26, 2021 at 03:33:33PM -0400, Leo Famulari wrote:
>> I'm merging the two tickets. I think that updating the package is a
>> better choice that simply patching it. I'll probably join our two
>> patches together and push that.
>
> Done as 6afe1543271637e3fd1eac82f5ec7af6975a47a5. Thanks for looking out
> for these bugs!
Thank you!
Closed
?