Two patches were issued by X.org that fix:
- CVE-2006-6101, CVE-2006-6102, CVE-2006-6103
- CVE-2006-3739 and CVE 2006-3740

The current xorg-server-6.9.0_5 is missing them.

Fix: The patch that incorporates the original vendor patches and bumps the portrevision is attached. The original patch x11r6.9.0-dbe-render.diff was modified: the patch file locations were made proper by adding 'programs/Xserver/' to them. The code was untouched.

How-To-Repeat: Go to http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html and read the entries about the aforementioned vulnerabilities.
Responsible Changed
From-To: freebsd-ports-bugs->freebsd-x11
Over to maintainer
lesi 2007-01-27 20:22:20 UTC

FreeBSD ports repository

Modified files:
  x11-servers/xorg-server Makefile distinfo
Log:
  Add vendor patch preventing overwriting of data on the stack or other parts of server by dbe and render extensions.
PR: ports/107733
Security: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103

Revision  Changes  Path
1.41      +6 -1    ports/x11-servers/xorg-server/Makefile
1.6       +3 -0    ports/x11-servers/xorg-server/distinfo
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
lesi 2007-01-27 20:24:58 UTC

FreeBSD ports repository

Modified files:
  x11/xorg-libraries Makefile distinfo
Log:
  Add vendor patch preventing arbitrary code execution or denial of service by adding malicious font to X server font path.
PR: ports/107733
Security: CVE-2006-3739, CVE 2006-3740

Revision  Changes  Path
1.16      +5 -0    ports/x11/xorg-libraries/Makefile
1.6       +3 -0    ports/x11/xorg-libraries/distinfo
State Changed
From-To: open->closed
Rather than putting patches in files, vendor patches are used directly. Note that CVE-2006-3739 and CVE-2006-3740 apply to libraries rather than server. Thanks!