Created attachment 225131
Patch for libX11

Update libX11 to 1.7.1

Upstream references this as a bugfix release and also references CVE-2021-31535, but there's no info over at https://nvd.nist.gov/vuln/detail/CVE-2021-31535

Upstream's information: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605

Compile tested on 13.0-STABLE #0 stable/13-n245283-70a2e9a3d44 (arm64) (make, make check-plist)
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)
Security Advisory: https://lists.x.org/archives/xorg-devel/2021-May/058713.html
I apologize, it should say
Compile tested on 13.0-STABLE #0 stable/13-n245227-5ec4eb443e8 (amd64) (make, make check-plist)
instead of the arm64 stuff.
Thanks for finding that, Jung-uk Kim!
I'll take it.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=275cdd9b5f5b66999dc8bcafa610eaa85b5b7b55

commit 275cdd9b5f5b66999dc8bcafa610eaa85b5b7b55
Author:     Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-05-20 17:44:43 +0000
Commit:     Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2021-05-20 17:51:12 +0000

    x11/libX11: Update to 1.7.1.

    https://lists.x.org/archives/xorg-announce/2021-May/003088.html
    https://lists.x.org/archives/xorg-announce/2021-May/003089.html

    PR:       256034
    Security: CVE-2021-31535

 x11/libX11/Makefile | 2 +-
 x11/libX11/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Committed, thanks!
Did you write a VuXML entry for this? I can't find any.
Since it is a security issue, it needs a VuXML entry as well.
Was it merged back to the quarterly branch? There is no mention of that in the commit message.
(In reply to Niclas Zeising from comment #7)
> Was it merged back to the quarterly branch? There is no mention of that in
> the commit message.

I wanted to but 2021Q2 wasn't updated to 1.7.0 in the first place.
https://cgit.freebsd.org/ports/tree/x11/libX11/Makefile?h=2021Q2
(In reply to Niclas Zeising from comment #6)
> Did you write a VuXML entry for this? I can't find any.
> Since it is a security issue, it needs a VuXML entry as well.

Actually, I was waiting for someone to MFH this commit.
https://cgit.freebsd.org/ports/commit/?id=ee545c31194e74fd0f6c484723b965e4bcaa0446
(In reply to Jung-uk Kim from comment #9)
Feel free to merge that commit as well then, if it is needed to get the security fix into the quarterly branch.
A VuXML entry should be created either way, otherwise people don't know that libX11 is vulnerable. This can be done even if the fix isn't in the quarterly branch yet.
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c0f9304ef928105ed2616c2bda5f9a48f6dae053

commit c0f9304ef928105ed2616c2bda5f9a48f6dae053
Author:     Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-05-20 17:44:43 +0000
Commit:     Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2021-06-01 14:39:34 +0000

    x11/libX11: Update to 1.7.1.

    https://lists.x.org/archives/xorg-announce/2021-May/003088.html
    https://lists.x.org/archives/xorg-announce/2021-May/003089.html

    PR:       256034
    Security: CVE-2021-31535

    (cherry picked from commit 275cdd9b5f5b66999dc8bcafa610eaa85b5b7b55)

 x11/libX11/Makefile | 2 +-
 x11/libX11/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=51990d40050a8fb47d2296d87f205423613f0707

commit 51990d40050a8fb47d2296d87f205423613f0707
Author:     Jung-uk Kim <jkim@FreeBSD.org>
AuthorDate: 2021-06-01 15:08:03 +0000
Commit:     Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2021-06-01 15:13:05 +0000

    security/vuxml: Document vulnerability in x11/libX11

    PR:       256034
    Security: CVE-2021-31535

 security/vuxml/vuln.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)