Bug 107733

Summary: update for x11-servers/xorg-server: multiple vulnerabilities
Product: Ports & Packages
Reporter: Eygene Ryabinkin <rea-fbsd>
Component: Individual Port(s)
Assignee: freebsd-x11 (Nobody) <x11>
Status: Closed FIXED
Severity: Affects Only Me
CC: x11
Priority: Normal
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
CVE-2006-3739-3740-6102-6103-6104.diff none

Description Eygene Ryabinkin 2007-01-10 10:00:30 UTC
Two patches were issued by X.org that fix
- CVE-2006-6101 CVE-2006-6102 CVE-2006-6103,
- CVE-2006-3739 and CVE-2006-3740.
Current xorg-server-6.9.0_5 misses them.

Fix: The patch that incorporates the original vendor patches and bumps the
portrevision is attached. The original patch x11r6.9.0-dbe-render.diff was
modified: the patch file locations were made proper by adding 'programs/Xserver/'
to them. The code was untouched.

How-To-Repeat: Go to http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html
and read the entries about the aforementioned vulnerabilities.

Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2007-01-10 10:00:40 UTC
Responsible Changed
From-To: freebsd-ports-bugs->freebsd-x11

Over to maintainer

Comment 2 dfilter service freebsd_committer freebsd_triage 2007-01-27 20:22:27 UTC
lesi        2007-01-27 20:22:20 UTC

  FreeBSD ports repository

  Modified files:
    x11-servers/xorg-server Makefile distinfo 
  Log:
  Add vendor patch preventing overwriting of data on the stack or other
  parts of server by dbe and render extensions.
  
  PR:             ports/107733
  Security:       CVE-2006-6101 CVE-2006-6102 CVE-2006-6103
  
  Revision  Changes    Path
  1.41      +6 -1      ports/x11-servers/xorg-server/Makefile
  1.6       +3 -0      ports/x11-servers/xorg-server/distinfo
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

Comment 3 dfilter service freebsd_committer freebsd_triage 2007-01-27 20:25:27 UTC
lesi        2007-01-27 20:24:58 UTC

  FreeBSD ports repository

  Modified files:
    x11/xorg-libraries   Makefile distinfo 
  Log:
  Add vendor patch preventing arbitrary code execution or denial of
  service by adding malicious font to X server font path.
  
  PR:             ports/107733
  Security:       CVE-2006-3739, CVE-2006-3740
  
  Revision  Changes    Path
  1.16      +5 -0      ports/x11/xorg-libraries/Makefile
  1.6       +3 -0      ports/x11/xorg-libraries/distinfo

Comment 4 lesi freebsd_committer freebsd_triage 2007-01-27 20:25:42 UTC
State Changed
From-To: open->closed

Rather than putting patches in files, vendor patches are used directly.
Note that CVE-2006-3739 and CVE-2006-3740 apply to the libraries rather than the server.
Thanks!