Bug 223286

Summary: x11-servers/xorg-server: CVE-2017-12176 through CVE-2017-12187 need to be fixed in 2017Q4
Product: Ports & Packages
Reporter: FStl <felixstella>
Component: Individual Port(s)
Assignee: freebsd-x11 (Nobody) <x11>
Status: Closed FIXED
Severity: Affects Some People
CC: corvid, zeising
Priority: ---
Flags: bugzilla: maintainer-feedback? (x11)
Version: Latest
Hardware: Any
OS: Any

Description FStl 2017-10-28 04:16:56 UTC
CVE-2017-12176 through CVE-2017-12187 were fixed in head but have not been fixed in 2017Q4.

https://svnweb.freebsd.org/ports?view=revision&revision=452027
Comment 1 corvid 2017-11-26 16:15:05 UTC
Still needed…
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-12-09 16:59:27 UTC
A commit references this bug:

Author: zeising
Date: Sat Dec  9 16:59:16 UTC 2017
New revision: 455866
URL: https://svnweb.freebsd.org/changeset/ports/455866

Log:
  MFH: r452027

  Fix security issues: CVE-2017-12176 through CVE-2017-12187 in xorg-server.
  Bump all the slaves due to not being sure where the shared code is used.

  Security:	7274e0cc-575f-41bc-8619-14a41b3c2ad0

  Approved by:	ports-secteam (eadler)
  PR:		223286

Changes:
_U  branches/2017Q4/
  branches/2017Q4/x11-servers/xorg-nestserver/Makefile
  branches/2017Q4/x11-servers/xorg-server/Makefile
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y
  branches/2017Q4/x11-servers/xorg-server/files/patch-os_io.c
  branches/2017Q4/x11-servers/xorg-vfbserver/Makefile
  branches/2017Q4/x11-servers/xwayland/Makefile
Comment 3 Niclas Zeising freebsd_committer freebsd_triage 2017-12-09 17:00:18 UTC
Merged
Comment 4 Chris Hutchinson 2017-12-09 22:19:37 UTC
(In reply to commit-hook from comment #2)
> A commit references this bug:
> 
> Author: zeising
  ...
> 
> Log:
>   MFH: r452027
> 
>   Bump all the slaves due to not being sure where the shared code is used.
> 
Why do we not know where the shared code is used? Shouldn't that have been
found, rather than forcing a rebuild on everything?
Comment 5 Niclas Zeising freebsd_committer freebsd_triage 2017-12-09 22:24:07 UTC
Because rebuilding all slave ports isn't really a problem, and it takes too much time and effort to dig into the xorg internals and figure out exactly how the various X servers share code.  I'd prefer to use my time for other more productive things, especially when this only adds a couple of minutes of build time.
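The exchange in comments 4 and 5 turns on which ports are slaves of x11-servers/xorg-server. A FreeBSD slave port sets MASTERDIR to the master's directory and builds from the master's distfile and files/patch-* set, so the CVE patches added to the master are compiled into every slave, and each slave's package only picks them up once its PORTREVISION is bumped and it is rebuilt. The script below is an added example, not part of this bug or of the ports tree: it lists the slaves of a master by grepping Makefiles for MASTERDIR and bumps their PORTREVISION. The toy ports tree it builds (one master, three slaves mirroring the commit's Changes list, one unrelated port) is constructed sample data; the regex assumes the usual `MASTERDIR=	${.CURDIR}/../<master>` form.

```shell
#!/bin/sh
# Added example (not from the bug or the ports tree): enumerate the slave
# ports of a master port and bump their PORTREVISION so their packages get
# rebuilt with the master's security patches.

# find_slaves PORTSDIR CATEGORY/MASTER
#   Prints "category/port" for every Makefile under PORTSDIR that sets
#   MASTERDIR to a path ending in the master's directory name.
#   Assumes the common "MASTERDIR=	${.CURDIR}/../xorg-server" form.
find_slaves() {
    portsdir=$1
    master=$2                 # e.g. x11-servers/xorg-server
    mname=${master##*/}       # xorg-server
    grep -rlE --include=Makefile \
        "^[[:space:]]*MASTERDIR[[:space:]]*[?:]?=.*/${mname}[[:space:]]*$" \
        "$portsdir" 2>/dev/null |
    sed -e "s|^$portsdir/||" -e 's|/Makefile$||' | sort
}

# bump_revision MAKEFILE
#   Increments PORTREVISION in place (adds PORTREVISION=1 if absent) and
#   prints the new value; this is the per-slave step behind "bump all the
#   slaves" in the commit log.
bump_revision() {
    f=$1
    cur=$(sed -n 's/^PORTREVISION[[:space:]]*=[[:space:]]*//p' "$f")
    new=$((${cur:-0} + 1))
    if [ -n "$cur" ]; then
        sed -i.bak "s/^\(PORTREVISION[[:space:]]*=[[:space:]]*\).*/\1$new/" "$f" \
            && rm -f "$f.bak"
    else
        printf 'PORTREVISION=\t%s\n' "$new" >> "$f"
    fi
    echo "$new"
}

# make_demo_tree DIR
#   Constructs a toy ports tree (sample data made up for this example):
#   the master, the three slaves named in the commit, and an unrelated
#   port that only mentions xorg-server in a comment.
make_demo_tree() {
    d=$1
    for p in xorg-server xorg-nestserver xorg-vfbserver xwayland; do
        mkdir -p "$d/x11-servers/$p"
    done
    mkdir -p "$d/x11/xterm"
    printf 'PORTNAME=\txorg-server\nPORTREVISION=\t6\n' \
        > "$d/x11-servers/xorg-server/Makefile"
    for s in xorg-nestserver xorg-vfbserver xwayland; do
        printf 'PORTNAME=\t%s\nPORTREVISION=\t2\nMASTERDIR=\t${.CURDIR}/../xorg-server\n\n.include "${MASTERDIR}/Makefile"\n' "$s" \
            > "$d/x11-servers/$s/Makefile"
    done
    printf 'PORTNAME=\txterm\n# needs xorg-server at run time\n' \
        > "$d/x11/xterm/Makefile"
}

# Demo run on the constructed tree.
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
echo "slave ports of x11-servers/xorg-server:"
find_slaves "$demo_dir" x11-servers/xorg-server
for s in $(find_slaves "$demo_dir" x11-servers/xorg-server); do
    echo "$s: PORTREVISION -> $(bump_revision "$demo_dir/$s/Makefile")"
done
rm -rf "$demo_dir"
```

Against a real tree, `find_slaves /usr/ports x11-servers/xorg-server` answers the question in comment 4 directly; the grep only catches Makefiles that set MASTERDIR explicitly, so a port that reuses the master's sources some other way would still need a manual look.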