[PATCH] gnu: xorg-server: Update to 21.1.2.

Done. Submitted by Kaelyn Takata.
Details
3 participants
  • Josselin Poiret
  • Kaelyn Takata
  • Leo Famulari
Owner: unassigned
Severity: normal

Kaelyn Takata wrote on 17 Dec 2021 00:29
* gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
---
gnu/packages/xorg.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 85a93dee30..204fd857c0 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5234,7 +5234,7 @@ (define-public libxcvt
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "21.1.1")
+    (version "21.1.2")
     (source
      (origin
        (method url-fetch)
@@ -5243,7 +5243,7 @@ (define-public xorg-server
                            "/xserver/xorg-server-" version ".tar.xz"))
        (sha256
         (base32
-         "0md7dqsc5qb30gym06c4zc2cjsdc5ps8nywk1bkcpix05kppybkq"))
+         "1c4dgvpv3kib8rhw37b00vc056nlb1z66c2lwzs4prz8kxmg82y2"))
        (patches
         (list
          ;; See:
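
Review bot: the new base32 value under `(sha256` is the only integrity check on the 21.1.2 tarball, and neither the hunk nor the commit log says how it was obtained. Please confirm it by fetching xorg-server-21.1.2.tar.xz independently (for example with `guix download` on the URL built above) and comparing the result with the checksum in upstream's release announcement, if one is given. The `(patches` list in the trailing context is carried over unchanged, so a build is also needed to confirm that patch still applies to 21.1.2.
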

base-commit: b329c2139b9f0818f27107bec5226cb98cfe1446
-- 
2.34.0

Kaelyn wrote on 18 Dec 2021 16:23
Hi,

I would like to propose this update for the 1.4.0 branch as well, as xorg-server 21.1.2 fixes four recently reported security vulnerabilities that can lead to privilege escalation: https://lists.x.org/archives/xorg/2021-December/060842.html

Cheers,
Kaelyn

Leo Famulari wrote on 18 Dec 2021 21:40
On Thu, Dec 16, 2021 at 11:29:50PM +0000, Kaelyn Takata via Guix-patches via wrote:
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.

Thanks! I am reviewing this patch now. It's not quite as simple as it
seems because we must take care to avoid changing xorg-server-for-tests,
or almost every package will have to be rebuilt.

See section 8 here for more information about how many package rebuilds are okay
for the master branch:

https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html#Submitting-Patches

Kaelyn wrote on 19 Dec 2021 02:49
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, December 18th, 2021 at 12:40 PM, Leo Famulari <leo@famulari.name> wrote:

> On Thu, Dec 16, 2021 at 11:29:50PM +0000, Kaelyn Takata via Guix-patches via wrote:
>
> > - gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
>
> Thanks! I am reviewing this patch now. It's not quite as simple as it
> seems because we must take care to avoid changing xorg-server-for-tests,
> or almost every package will have to be rebuilt.
>
> See section 8 here for more information about how many package rebuilds are okay
> for the master branch:
>
> https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html#Submitting-Patches

No worries, and take your time! I just wanted to ping the patch so that the security fixes could land before the 1.4 release. :)

When I first sent it, on my machine "guix refresh --list-dependent xorg-serv" said it was 80-something packages that would be rebuilt (just checked again after typing that, and it says 82 packages would be built to ensure 137 dependent packages are rebuilt).

Thanks,
Kaelyn

Leo Famulari wrote on 19 Dec 2021 05:56
On Sun, Dec 19, 2021 at 01:49:08AM +0000, Kaelyn wrote:
> No worries, and take your time! I just wanted to ping the patch so that the security fixes could land before the 1.4 release. :)

Sure, I intend to land the patch in the next day or so.

> When I first sent it, on my machine "guix refresh --list-dependent xorg-serv" said it was 80-something packages that would be rebuilt (just checked again after typing that, and it says 82 packages would be built to ensure 137 dependent packages are rebuilt).

Right, that's correct. But there is also a package
'xorg-server-for-tests', which is used basically for package test
suites. The idea is that it's never used "for real" and so security
issues matter less. And we update that package less often.

You can check on that package like this:

Scheme syntax for working with "hidden" packages
----- ▼
$ guix refresh -l --expression='(@@ (gnu packages xorg) xorg-server-for-tests)'
Building the following 1419 packages would ensure 3063 dependent packages are rebuilt:
[...]
------

Leo Famulari wrote on 19 Dec 2021 21:30
On Sat, Dec 18, 2021 at 11:56:53PM -0500, Leo Famulari wrote:
> Sure, I intend to land the patch in the next day or so.

Alright, with the attached patch, X works in my tests, and
xorg-server-for-tests is unchanged.

It would be great to get some more testing from other X users.

I tested with QEMU, using our VM image template:

`guix environment guix -- ./pre-inst-env guix system vm-image --image-size=20G -t qcow2 gnu/system/examples/vm-image.tmpl`

I can't test on bare metal due to https://issues.guix.gnu.org/52051.
From 2b597e7887be70a0faaa04b9dabd69030dca6614 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 18 Dec 2021 15:30:41 -0500
Subject: [PATCH] gnu: xorg-server: Update to 21.1.2.

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
(xorg-server-for-tests): Use version 21.1.1.
---
gnu/packages/xorg.scm | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 9a854bcbf8..b09d95f770 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5235,16 +5235,15 @@ (define-public libxcvt
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "21.1.1")
+    (version "21.1.2")
     (source
      (origin
        (method url-fetch)
-
        (uri (string-append "https://xorg.freedesktop.org/archive/individual"
                            "/xserver/xorg-server-" version ".tar.xz"))
        (sha256
         (base32
-         "0md7dqsc5qb30gym06c4zc2cjsdc5ps8nywk1bkcpix05kppybkq"))
+         "1c4dgvpv3kib8rhw37b00vc056nlb1z66c2lwzs4prz8kxmg82y2"))
        (patches
         (list
          ;; See:
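
Review bot: the deleted blank line between `(method url-fetch)` and `(uri` is a whitespace cleanup unrelated to the version bump, and the changelog entry does not mention it. A security update is easier to audit and to backport when the commit carries only the version and hash change, so consider moving the whitespace fix to a separate commit or noting it in the log.
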
@@ -5361,7 +5360,30 @@ (define-public xorg-server
 (define-public xorg-server-for-tests
   (hidden-package
    (package
-     (inherit xorg-server))))
+     (inherit xorg-server)
+     (version "21.1.1")
+     (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://xorg.freedesktop.org/archive/individual"
+                            "/xserver/xorg-server-" version ".tar.xz"))
+        (sha256
+         (base32
+          "0md7dqsc5qb30gym06c4zc2cjsdc5ps8nywk1bkcpix05kppybkq"))
+        (patches
+         (list
+          ;; See:
+          ;;   https://lists.fedoraproject.org/archives/list/devel@lists.
+          ;;      fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
+          (origin
+            (method url-fetch)
+            (uri (string-append
+                  "http://pkgs.fedoraproject.org/cgit/rpms/xorg-x11-server.git"
+                  "/plain/06_use-intel-only-on-pre-gen4.diff"))
+            (sha256
+             (base32
+              "0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
+            (file-name "xorg-server-use-intel-only-on-pre-gen4.diff")))))))))
 
 (define-public eglexternalplatform
   (package
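
Review bot: the new xorg-server-for-tests definition pins `(version "21.1.1")` with no comment explaining why, and 21.1.1 is the release this same commit replaces in xorg-server. Add a comment above `(version "21.1.1")` saying that the pin exists only to avoid rebuilding the dependents of the test variant, that this variant does not carry the 21.1.2 fixes and is meant for test suites only, and that it should return to a plain `(inherit xorg-server)` on a branch where the rebuild is acceptable. The copied `source` origin also duplicates the `patches` list from xorg-server, so the two definitions can drift apart unnoticed.
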
-- 
2.34.0

Leo Famulari wrote on 21 Dec 2021 18:36
On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> It would be great to get some more testing from other X users.

In case anybody is wondering about the security issues, the commit
message has been amended like this in my tree:

------
gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
(xorg-server-for-tests): Use version 21.1.1.
------

Leo Famulari wrote on 21 Dec 2021 18:47
On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> > It would be great to get some more testing from other X users.
>
> In case anybody is wondering about the security issues, the commit
> message has been amended like this in my tree:

And, we may have a solution for the login timeout that has been
preventing testing for many of us. A patch for #52051 has been proposed:

https://issues.guix.gnu.org/issue/52051#29

Leo Famulari wrote on 21 Dec 2021 20:09
On Tue, Dec 21, 2021 at 12:47:38PM -0500, Leo Famulari wrote:
> On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> > On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> > > It would be great to get some more testing from other X users.
> >
> > In case anybody is wondering about the security issues, the commit
> > message has been amended like this in my tree:
>
> And, we may have a solution for the login timeout that has been
> preventing testing for many of us. A patch for #52051 has been proposed:
>
> https://issues.guix.gnu.org/issue/52051#29

Alright, with the fix for #52051, I successfully used xorg-server 21.1.2
on my laptop.

Josselin Poiret wrote on 22 Dec 2021 14:56
Hello,

Leo Famulari <leo@famulari.name> writes:
> In case anybody is wondering about the security issues, the commit
> message has been amended like this in my tree:
>
> ------
> gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].
>
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
> (xorg-server-for-tests): Use version 21.1.1.
> ------

Just pitching in to say that those CVE numbers should be fully typed
instead of using shell expansion-style, so that one can run `git log
--grep=CVE-2021-4008`. Note that these can be in the commit message
body.

--
Josselin Poiret
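
The point about fully typed CVE numbers, as an added example that is not part of the original thread: a shell check, usable as a commit-msg hook, that rejects a message containing a brace-abbreviated group and prints the identifiers to write out instead. The function names are hypothetical, and the sample in the comments is the subject line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): detect brace-abbreviated CVE ids,
# e.g. "[fixes CVE-2021-{4008,4009,4010,4011}]", which a search such as
# `git log --grep=CVE-2021-4008` cannot match.
# Function names are hypothetical.

# expand_cve_braces MESSAGE
# Print one fully spelled id per line for every abbreviated group in MESSAGE.
expand_cve_braces() {
    printf '%s\n' "$1" |
        grep -oE 'CVE-[0-9]{4}-\{[0-9]+(,[0-9]+)*\}' |
        while IFS= read -r group; do
            # "CVE-2021-{4008,4009}" -> prefix "CVE-2021-", ids "4008 4009"
            prefix=$(printf '%s' "$group" | sed 's/{.*//')
            ids=$(printf '%s' "$group" | sed 's/.*{//; s/}//' | tr ',' ' ')
            for id in $ids; do
                printf '%s%s\n' "$prefix" "$id"
            done
        done
}

# check_commit_message MESSAGE
# Return 0 when no CVE id is abbreviated; otherwise list the ids to spell
# out on stderr and return 1.
check_commit_message() {
    spelled_out=$(expand_cve_braces "$1")
    if [ -z "$spelled_out" ]; then
        return 0
    fi
    {
        echo "CVE ids are abbreviated and will not match 'git log --grep'. Write:"
        printf '%s\n' "$spelled_out"
    } >&2
    return 1
}

# Installed as .git/hooks/commit-msg, git passes the message file as $1;
# a non-zero exit status aborts the commit.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    check_commit_message "$(cat "$1")"
fi
```

The check works line by line, so a group that is wrapped across two lines of the message is not detected.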

Leo Famulari wrote on 22 Dec 2021 18:19
On Wed, Dec 22, 2021 at 02:56:19PM +0100, Josselin Poiret wrote:
> Just pitching in to say that those CVE numbers should be fully typed
> instead of using shell expansion-style, so that one can run `git log
> --grep=CVE-2021-4008`. Note that these can be in the commit message
> body.

Okay. Can you help test the patch itself?

Leo Famulari wrote on 23 Dec 2021 00:38
On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> ------
> gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].
>
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
> (xorg-server-for-tests): Use version 21.1.1.
> ------

Pushed as 0751451ae3a77977916b67577837349219d482ec
This issue is archived.

To comment on this conversation send email to 52562@debbugs.gnu.org