xorg-server-21.1.4 has 5 CVE issues. The above mentioned packages with wayland drivers should be the fixes. Please update like yesterday as there are security issues!
Created attachment 239575
solution being offered

I just replaced 21.1.4 with 21.1.6; attaching what that distinfo should look like. Also have an xorg-server-21.1.6.tar.xz ready to go.
Created attachment 239596
Reformatted previous attachment as a patch

1. I have attached your change reformatted as a patch.
2. However, where is this xorg-server-21.1.6.tar.xz? https://xorg.freedesktop.org/releases/individual/xserver/xorg-server-21.1.6.tar.xz exists, but is 4977496 bytes long instead of 4904196. Same for the versions at various other mirrors.
3. Therefore, I haven't been able to compile and test.
Created attachment 239603
Reformatted previous attachment as a patch

I redid the patch based on what appears to be the canonical version of xorg-server-21.1.6.tar.xz. Was it correct to unset PORTREVISION? The result builds successfully and seems to be running okay.
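The size mismatch in comment 2 (a local tarball of 4904196 bytes against 4977496 bytes on every mirror) is exactly what the ports framework's distinfo check is meant to catch: both the SIZE and the SHA256 recorded in distinfo must match the distfile before anything is built, which is what `make checksum` does in a port directory. The script below is an added example, not code from this thread or from the ports tree, that parses the distinfo format and performs the same two checks on a local file. The file name, hash and sizes it uses are constructed for the demo, not the real xorg-server values.

```python
"""Verify a FreeBSD ports distfile against its distinfo entries (added example)."""
import hashlib
import os
import re
import tempfile

# distinfo lines look like:
#   TIMESTAMP = 1670000000
#   SHA256 (xorg/xserver/xorg-server-21.1.6.tar.xz) = <64 hex chars>
#   SIZE (xorg/xserver/xorg-server-21.1.6.tar.xz) = 4977496
_ENTRY = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Return {distfile name: {"SHA256": hex, "SIZE": int}}.

    Lines that are not SHA256/SIZE entries (TIMESTAMP, blanks) are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        kind, name, value = m.group(1), m.group("name"), m.group("value")
        rec = entries.setdefault(name, {})
        rec[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries


def verify_distfile(distinfo_text, name, path):
    """Compare a local file with its distinfo record.

    Returns a list of problem strings; an empty list means the file matches.
    Size is checked first: it is cheap and, as in the thread, a wrong size is
    the usual sign of a truncated or non-canonical tarball.
    """
    problems = []
    rec = parse_distinfo(distinfo_text).get(name)
    if rec is None:
        return [f"no distinfo entry for {name}"]
    actual_size = os.path.getsize(path)
    if "SIZE" in rec and actual_size != rec["SIZE"]:
        problems.append(f"size mismatch: distinfo {rec['SIZE']}, file {actual_size}")
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    if "SHA256" in rec and h.hexdigest() != rec["SHA256"]:
        problems.append("sha256 mismatch")
    return problems


def demo():
    """Constructed tarball stand-in and distinfo; not the real xorg-server values."""
    payload = b"not a real tarball, constructed for the example\n" * 100
    name = "example/fake-21.1.6.tar.xz"  # hypothetical distfile name
    digest = hashlib.sha256(payload).hexdigest()
    good_info = (
        "TIMESTAMP = 1670000000\n"
        f"SHA256 ({name}) = {digest}\n"
        f"SIZE ({name}) = {len(payload)}\n"
    )
    # Same hash, but a SIZE copied from a differently built tarball, as in comment 2.
    stale_info = (
        "TIMESTAMP = 1670000000\n"
        f"SHA256 ({name}) = {digest}\n"
        f"SIZE ({name}) = {len(payload) + 73300}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fake-21.1.6.tar.xz")
        with open(path, "wb") as f:
            f.write(payload)
        ok = verify_distfile(good_info, name, path)
        bad = verify_distfile(stale_info, name, path)
    return ok, bad


if __name__ == "__main__":
    ok, bad = demo()
    print("matching distinfo:", ok or "OK")
    print("stale distinfo:", bad)
```

In a real port directory the equivalent is `make checksum` after fetching, and `make makesum` regenerates distinfo from the canonical tarball; the point of the script is to make visible which of the two recorded values disagrees with the file you actually have.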
Excellent. Will this be committed?
With xorg-server updates you should always be careful. Has this been tested carefully? Since the update contains CVEs, can a vuxml entry be added as a patch?

Greetings
Jochen (part of the port-secteam)
I think there's already a vuxml entry, isn't there? I wouldn't have heard of the current vulnerabilities otherwise. But I don't claim to have given the new version an exhaustive test, and it does need a proper test before being committed. All I verified was that it builds and runs.
(In reply to Jochen Neumeister from comment #5)
> Since the update contains CVEs, can a vuxml entry be added as a patch?

https://vuxml.freebsd.org/freebsd/9fa7b139-c1e9-409e-bed0-006aadcf5845.html

Example attack vectors:
- "ssh -X" to an untrusted host (maybe running Linux)
- Run an untrusted GUI application inside a jail (maybe via linuxulator)
- [indirect] Open an untrusted page in a vulnerable web browser (e.g., webkit2-gtk3, qt5-webengine)

Severity on FreeBSD:
- "Xorg" runs under root (via setuid bit), unlike Linux/OpenBSD
- No sandboxing in "Xorg", unlike OpenBSD or any web browser, unlike Windows/macOS/Linux/OpenBSD
- GNOME and KDE cannot use Wayland as a workaround (until xorg-server is updated)
- "pkg audit" doesn't query the CVE database (for more indirect attack vectors)

Disclaimer: I'm not familiar with security analysis, not part of the x11@ team and don't use xorg-server.
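The severity point that matters most in the comment above is that Xorg on FreeBSD is installed setuid root, so a bug reachable from an X client runs with root privileges. The helper below is an added example, not from this thread or from the ports tree, for a defender who wants to confirm which binaries on a system carry that bit; point `find_setuid` at a real directory such as /usr/local/bin to see whether Xorg is among them. The demo uses a constructed temporary directory and hypothetical file names rather than the real install path.

```python
"""List setuid binaries under a directory and flag those owned by root (added example)."""
import os
import stat
import tempfile


def setuid_info(path):
    """Return (is_setuid, owner_uid) for a regular file, or None for anything else.

    lstat is used so a symlink is never followed into a file outside the tree.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    return bool(st.st_mode & stat.S_ISUID), st.st_uid


def find_setuid(root, root_uid=0):
    """Walk root and return sorted (path, runs_as_root) pairs for setuid files.

    runs_as_root is True when the file's owner is root_uid; a setuid file owned
    by an unprivileged user is still worth listing but is far less serious.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            info = setuid_info(p)
            if info and info[0]:
                found.append((p, info[1] == root_uid))
    return sorted(found)


def demo():
    """Constructed tree with one setuid file and one plain file (hypothetical names)."""
    with tempfile.TemporaryDirectory() as d:
        suid = os.path.join(d, "Xorg-like")
        plain = os.path.join(d, "xterm-like")
        for p in (suid, plain):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\n")
        os.chmod(suid, 0o4755)   # setuid + rwxr-xr-x, like a setuid Xorg install
        os.chmod(plain, 0o755)
        # The demo runs unprivileged, so "root" for the purpose of the flag is our own uid.
        hits = find_setuid(d, root_uid=os.getuid())
        return [(os.path.basename(p), as_root) for p, as_root in hits]


if __name__ == "__main__":
    print(demo())
```

On a real system, run `find_setuid("/usr/local/bin")` with the default `root_uid=0`; if the Xorg binary appears with `True`, the comment's severity assessment applies to that host until the package is updated.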
(In reply to Jan Beich from comment #7)

Meanwhile on X.org: xorg-server 21.1.7

This release contains the fix for CVE-2023-0494 in today's security
https://lists.x.org/archives/xorg/2023-February/061256.html
https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec

Sorry if this is not appropriate in this thread.
This is a perfectly good place to raise the issue. But I'm not sure how we can encourage the X11 team to raise the priority of this update.
(In reply to George Mitchell from comment #9)

Priority and severity are already at their highest (for this Bugzilla).
(In reply to Graham Perrin from comment #10)

Thanks for the info.
Created attachment 240131
[patch] update to 21.1.7

Here's the update to 21.1.7. Run tested on 12-stable/amd64 (nvidia). Built successfully with tigervnc-server (which uses the xorg-server source tree). Will run test 12-stable/i386 soon.
(In reply to John Hein from comment #12)

Working on 12.x/i386 as well.
Created attachment 240460
Screenshot: X.Org 1.21.1.7 on 14.0-CURRENT, version 1400081

Testing (screenshot attached).

References for a possible commit:
[ANNOUNCE] xorg-server 21.1.5 <https://lists.x.org/archives/xorg-announce/2022-December/003303.html>
[ANNOUNCE] xorg-server 21.1.6 <https://lists.x.org/archives/xorg-announce/2022-December/003310.html>
[ANNOUNCE] xorg-server 21.1.7 <https://lists.x.org/archives/xorg-announce/2023-February/003321.html>
Any progress on that issue?
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f3039fe1340adfccc18903816ed05dca734855c2

commit f3039fe1340adfccc18903816ed05dca734855c2
Author:     Dimitry Andric <dim@FreeBSD.org>
AuthorDate: 2023-03-26 12:37:42 +0000
Commit:     Dimitry Andric <dim@FreeBSD.org>
CommitDate: 2023-03-27 18:25:23 +0000

    x11-servers/xorg-server: update to 21.1.7

    PR:           268963
    Approved by:  maintainer timeout (2 months)
    MFH:          2023Q1
    Security:     6cc63bf5-a727-4155-8ec4-68b626475e68

 x11-servers/xorg-server/Makefile | 4 ++--
 x11-servers/xorg-server/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)