Bug 223286 - x11-servers/xorg-server: CVE-2017-12176 through CVE-2017-12187 need to be fixed in 2017Q4
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-x11 (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-28 04:16 UTC by FStl
Modified: 2017-12-09 22:24 UTC (History)

See Also:
bugzilla: maintainer-feedback? (x11)


Attachments

Description FStl 2017-10-28 04:16:56 UTC
CVE-2017-12176 through CVE-2017-12187 were fixed in head but have not been fixed in 2017Q4.

https://svnweb.freebsd.org/ports?view=revision&revision=452027
Comment 1 corvid 2017-11-26 16:15:05 UTC
Still needed…
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-12-09 16:59:27 UTC
A commit references this bug:

Author: zeising
Date: Sat Dec  9 16:59:16 UTC 2017
New revision: 455866
URL: https://svnweb.freebsd.org/changeset/ports/455866

Log:
  MFH: r452027

  Fix security issues: CVE-2017-12176 through CVE-2017-12187 in xorg-server.
  Bump all the slaves due to not being sure where the shared code is used.

  Security:	7274e0cc-575f-41bc-8619-14a41b3c2ad0

  Approved by:	ports-secteam (eadler)
  PR:		223286

Changes:
_U  branches/2017Q4/
  branches/2017Q4/x11-servers/xorg-nestserver/Makefile
  branches/2017Q4/x11-servers/xorg-server/Makefile
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y
  branches/2017Q4/x11-servers/xorg-server/files/patch-os_io.c
  branches/2017Q4/x11-servers/xorg-vfbserver/Makefile
  branches/2017Q4/x11-servers/xwayland/Makefile
Comment 3 Niclas Zeising freebsd_committer freebsd_triage 2017-12-09 17:00:18 UTC
Merged
Comment 4 Chris Hutchinson 2017-12-09 22:19:37 UTC
(In reply to commit-hook from comment #2)
> A commit references this bug:
> 
> Author: zeising
  ...
> 
> Log:
>   MFH: r452027
> 
>   Bump all the slaves due to not being sure where the shared code is used.
> 
Why do we not know where the shared code is used? Shouldn't that have been
found, rather than forcing a rebuild on everything?
Comment 5 Niclas Zeising freebsd_committer freebsd_triage 2017-12-09 22:24:07 UTC
Because rebuilding all slave ports isn't really a problem, and it takes too much time and effort to dig into the xorg internals and figure out exactly how the various X servers share code.  I'd prefer to use my time for other more productive things, especially when this only adds a couple of minutes of build time.
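The merge in comment 2 bumped every slave of xorg-server rather than working out which of the X servers actually compile the patched code. The script below is an added example, not code from this thread, from r455866 or from the FreeBSD ports tree: it enumerates the slave ports of a master port by reading the MASTERDIR assignment from each port Makefile (the real ports convention is MASTERDIR= ${.CURDIR}/../<master>), which yields the set of Makefiles that need a PORTREVISION bump when a patch lands in the master. The sample ports tree it builds is constructed here for illustration; the port directories and Makefile contents in it are stand-ins, not copies of the real ports.

```shell
#!/bin/sh
# Added example (not from the bug thread or the FreeBSD ports tree).
# find_slaves PORTSDIR CATEGORY/MASTER
#   Prints "category/port" for every port whose Makefile sets MASTERDIR to the
#   master's directory, one per line, sorted. MASTERDIR values are resolved
#   relative to the slave's own directory (${.CURDIR}), so a master in another
#   category is found too; a MASTERDIR pointing at a missing directory is skipped.
find_slaves() {
    portsdir=$1
    master=$2
    master_real=$(cd "$portsdir/$master" && pwd -P) || return 1
    for mk in "$portsdir"/*/*/Makefile; do
        [ -f "$mk" ] || continue
        # First MASTERDIR assignment in the Makefile, value only, trailing text dropped.
        target=$(sed -n 's/^MASTERDIR[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$mk" | head -n 1)
        [ -n "$target" ] || continue
        portdir=${mk%/Makefile}
        # ${.CURDIR} is the port's own directory; the remainder is a path relative to it.
        rel=${target#'${.CURDIR}/'}
        resolved=$( { cd "$portdir" && cd "$rel" && pwd -P; } 2>/dev/null ) || continue
        if [ "$resolved" = "$master_real" ]; then
            printf '%s\n' "${portdir#"$portsdir"/}"
        fi
    done | sort
}

# make_sample_tree ROOT
#   Builds a constructed, minimal ports tree under ROOT: one master, three
#   slaves of it, one standalone port and one slave of a master that does not
#   exist (to exercise the skip path). File contents are stand-ins, not the
#   real port Makefiles.
make_sample_tree() {
    root=$1
    for p in x11-servers/xorg-server x11-servers/xorg-nestserver \
             x11-servers/xorg-vfbserver x11-servers/xwayland \
             x11/xdm x11-drivers/xf86-video-vesa; do
        mkdir -p "$root/$p"
    done
    # Master: no MASTERDIR line at all.
    printf 'PORTNAME=\txorg-server\n' > "$root/x11-servers/xorg-server/Makefile"
    # Slaves: MASTERDIR points at the sibling master directory.
    for s in xorg-nestserver xorg-vfbserver xwayland; do
        printf 'PORTNAME=\t%s\nMASTERDIR=\t${.CURDIR}/../xorg-server\n.include "${MASTERDIR}/Makefile"\n' \
            "$s" > "$root/x11-servers/$s/Makefile"
    done
    # Standalone port, and a slave whose master directory is absent.
    printf 'PORTNAME=\txdm\n' > "$root/x11/xdm/Makefile"
    printf 'PORTNAME=\txf86-video-vesa\nMASTERDIR=\t${.CURDIR}/../xf86-video-missing\n' \
        > "$root/x11-drivers/xf86-video-vesa/Makefile"
}

# slaves_of_sample_master
#   Builds the constructed tree in a temporary directory and returns the slaves
#   of x11-servers/xorg-server as a single space-separated line.
slaves_of_sample_master() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    find_slaves "$tmp" x11-servers/xorg-server | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$tmp"
}

slaves_of_sample_master
```

Run against a real tree as `find_slaves /usr/ports x11-servers/xorg-server`; the output is the list of Makefiles to bump alongside the master. It answers "which ports are slaves", not "which slaves compile the patched file", so it narrows the bump set only to the extent that a slave is not a slave at all.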