Created attachment 245436 [details]
patch for x11/libX11

X11 has published a security bulletin [1] that exposes the following CVEs in our x11/libX11 version 1.8.6:

CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage()
CVE-2023-43787: Integer overflow in XCreateImage() leading to a heap overflow

See changelog for a full list of changes in the release [2].

The attached patch bumps the Makefile, distinfo and updates the pkg-plist according to man pages reorganization.

See also related report #274265 regarding x11/libXpm.

1. https://lists.x.org/archives/xorg/2023-October/061506.html
2. https://gitlab.freedesktop.org/xorg/lib/libx11/-/compare/libX11-1.8.6...libX11-1.8.7
There is some weird unicode glyph in your patch. Also it will require a patch for vuxml too.
Created attachment 245437 [details]
updated patch for x11/libX11

Doh, looks like I created the patch using textproc/colordiff. Attaching an ASCII version.
Created attachment 245438 [details]
patch for security/vuxml/vuln/2023.xml

Adding shared vuxml patch for both x11/libX11 and x11/libXpm aka #274265 reports.
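For readers unfamiliar with what the vuxml patch above has to carry, the following is an added illustration of the shape of a security/vuxml/vuln/2023.xml entry for this advisory. It is not the attached patch or the committed entry: the vid is a placeholder (real entries use a freshly generated UUID, e.g. from uuidgen(1)), the discovery date is an assumption not stated on this page, and the description text is taken from the CVE list in the first comment rather than quoted from the X.Org bulletin.

```xml
<!-- Added illustration, not the committed entry. vid is a placeholder;
     the discovery date is assumed, the entry date matches the commit date
     on this PR. Only the vuln element is shown; it nests inside the
     existing vuxml root of 2023.xml. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>libX11 -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>libX11</name>
      <!-- every version before the fixed release is affected -->
      <range><lt>1.8.7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The X.Org project reports three issues fixed in libX11 1.8.7:</p>
      <ul>
        <li>CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()</li>
        <li>CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage()</li>
        <li>CVE-2023-43787: integer overflow in XCreateImage() leading to a heap overflow</li>
      </ul>
    </body>
  </description>
  <references>
    <cvename>CVE-2023-43785</cvename>
    <cvename>CVE-2023-43786</cvename>
    <cvename>CVE-2023-43787</cvename>
    <url>https://lists.x.org/archives/xorg/2023-October/061506.html</url>
  </references>
  <dates>
    <discovery>2023-10-03</discovery>  <!-- assumed advisory date -->
    <entry>2023-10-12</entry>          <!-- date of the commit below -->
  </dates>
</vuln>
```

Before submitting such an entry, run `make validate` in security/vuxml so the XML is checked against the vuxml DTD, and confirm the range matches the port's actual version history; a `<lt>` that is too narrow or too wide is the usual review finding on these patches.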
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e693977e5dae90afd3b822a8a8682bae1e7e1ee1

commit e693977e5dae90afd3b822a8a8682bae1e7e1ee1
Author:     Piotr Smyrak <piotr@smyrak.com>
AuthorDate: 2023-10-12 14:43:14 +0000
Commit:     Emmanuel Vadot <manu@FreeBSD.org>
CommitDate: 2023-10-12 14:48:21 +0000

    x11/libX11: Update to 1.8.7

    PR:     274266

 x11/libX11/Makefile  |  3 +--
 x11/libX11/distinfo  |  6 +++---
 x11/libX11/pkg-plist | 18 +++--------------
 3 files changed, 7 insertions(+), 20 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=93b4cdd20b09fa83cd4b43a2d100950a251b6527

commit 93b4cdd20b09fa83cd4b43a2d100950a251b6527
Author:     Emmanuel Vadot <manu@FreeBSD.org>
AuthorDate: 2023-10-12 14:40:40 +0000
Commit:     Emmanuel Vadot <manu@FreeBSD.org>
CommitDate: 2023-10-12 14:48:21 +0000

    security/vuxml: Document libXpm recent CVEs

    PR:     274266

 security/vuxml/vuln/2023.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e7ca9d32f979c2c954aacb095891544ae4e6c327

commit e7ca9d32f979c2c954aacb095891544ae4e6c327
Author:     Emmanuel Vadot <manu@FreeBSD.org>
AuthorDate: 2023-10-12 14:38:44 +0000
Commit:     Emmanuel Vadot <manu@FreeBSD.org>
CommitDate: 2023-10-12 14:48:20 +0000

    security/vuxml: Document libX11 recent CVEs

    PR:     274266

 security/vuxml/vuln/2023.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=728ad6cdfacc9fe54c4ce0517eab36e170d1ebea

commit 728ad6cdfacc9fe54c4ce0517eab36e170d1ebea
Author:     Piotr Smyrak <piotr@smyrak.com>
AuthorDate: 2023-10-12 14:43:14 +0000
Commit:     Emmanuel Vadot <manu@FreeBSD.org>
CommitDate: 2023-10-12 14:52:23 +0000

    x11/libX11: Update to 1.8.7

    PR:     274266

    (cherry picked from commit e693977e5dae90afd3b822a8a8682bae1e7e1ee1)

 x11/libX11/Makefile  |  3 +--
 x11/libX11/distinfo  |  6 +++---
 x11/libX11/pkg-plist | 18 +++--------------
 3 files changed, 7 insertions(+), 20 deletions(-)