Bug 256034 - x11/libX11: Update to 1.7.1
Summary: x11/libX11: Update to 1.7.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jung-uk Kim
URL: https://gitlab.freedesktop.org/xorg/l...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-20 16:52 UTC by Daniel Engberg
Modified: 2022-02-08 21:45 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (x11)


Attachments
Patch for libX11 (825 bytes, patch)
2021-05-20 16:52 UTC, Daniel Engberg
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Engberg freebsd_committer 2021-05-20 16:52:01 UTC
Created attachment 225131 [details]
Patch for libX11

Update libX11 to 1.7.1
Upstream references this a bugfix release and also references CVE-2021-31535 but there's no info over at https://nvd.nist.gov/vuln/detail/CVE-2021-31535
Upstream's information: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605

Compile tested on 13.0-STABLE #0 stable/13-n245283-70a2e9a3d44 (arm64) (make, make check-plist)
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)
Comment 1 Jung-uk Kim freebsd_committer 2021-05-20 17:01:51 UTC
Security Advisory:

https://lists.x.org/archives/xorg-devel/2021-May/058713.html
Comment 2 Daniel Engberg freebsd_committer 2021-05-20 17:05:41 UTC
I apologize, it should say 
Compile tested on 13.0-STABLE #0 stable/13-n245227-5ec4eb443e8 (amd64) (make, make check-plist) instead of the arm64 stuff

Thanks for finding that Jung-uk Kim!
Comment 3 Jung-uk Kim freebsd_committer 2021-05-20 17:38:32 UTC
I'll take it.
Comment 4 commit-hook freebsd_committer 2021-05-20 17:53:45 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=275cdd9b5f5b66999dc8bcafa610eaa85b5b7b55

commit 275cdd9b5f5b66999dc8bcafa610eaa85b5b7b55
Author:     Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-05-20 17:44:43 +0000
Commit:     Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2021-05-20 17:51:12 +0000

    x11/libX11: Update to 1.7.1.

    https://lists.x.org/archives/xorg-announce/2021-May/003088.html
    https://lists.x.org/archives/xorg-announce/2021-May/003089.html

    PR:             256034
    Security:       CVE-2021-31535

 x11/libX11/Makefile | 2 +-
 x11/libX11/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 5 Jung-uk Kim freebsd_committer 2021-05-20 17:58:22 UTC
Committed, thanks!
Comment 6 Niclas Zeising freebsd_committer 2021-05-28 09:33:00 UTC
Did you write a voXML entry for this, I can't find any.
Since it is a security issue, it needs a VuXML entry as well.
Comment 7 Niclas Zeising freebsd_committer 2021-05-28 09:33:30 UTC
Was it merged back to the quarterly branch?  There is no mention of that in the commit message.
Comment 8 Jung-uk Kim freebsd_committer 2021-05-28 15:33:07 UTC
(In reply to Niclas Zeising from comment #7)
> Was it merged back to the quarterly branch?  There is no mention of that in
> the commit message.

I wanted to but 2021Q2 wasn't updated to 1.7.0 in the first place.

https://cgit.freebsd.org/ports/tree/x11/libX11/Makefile?h=2021Q2
Comment 9 Jung-uk Kim freebsd_committer 2021-05-28 15:36:05 UTC
(In reply to Niclas Zeising from comment #6)
> Did you write a voXML entry for this, I can't find any.
> Since it is a security issue, it needs a VuXML entry as well.

Actually, I was waiting for someone to MFH this commit.

https://cgit.freebsd.org/ports/commit/?id=ee545c31194e74fd0f6c484723b965e4bcaa0446
Comment 10 Niclas Zeising freebsd_committer 2021-05-31 06:35:14 UTC
(In reply to Jung-uk Kim from comment #9)

Feel free to merge that commit as well then, if it is needed to get the security fix in to the quarterly branch.

A VuXML entry should be created either way, otherwise people don't know that libX11 is vulnerable.  This can be done even if the fix isn't in the quarterly branch yet.
Comment 11 commit-hook freebsd_committer 2021-06-01 14:41:30 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c0f9304ef928105ed2616c2bda5f9a48f6dae053

commit c0f9304ef928105ed2616c2bda5f9a48f6dae053
Author:     Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-05-20 17:44:43 +0000
Commit:     Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2021-06-01 14:39:34 +0000

    x11/libX11: Update to 1.7.1.

    https://lists.x.org/archives/xorg-announce/2021-May/003088.html
    https://lists.x.org/archives/xorg-announce/2021-May/003089.html

    PR:             256034
    Security:       CVE-2021-31535

    (cherry picked from commit 275cdd9b5f5b66999dc8bcafa610eaa85b5b7b55)

 x11/libX11/Makefile | 2 +-
 x11/libX11/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 12 commit-hook freebsd_committer 2021-06-01 15:13:37 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=51990d40050a8fb47d2296d87f205423613f0707

commit 51990d40050a8fb47d2296d87f205423613f0707
Author:     Jung-uk Kim <jkim@FreeBSD.org>
AuthorDate: 2021-06-01 15:08:03 +0000
Commit:     Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2021-06-01 15:13:05 +0000

    security/vuxml: Document vulnerability in x11/libX11

    PR:             256034
    Security:       CVE-2021-31535

 security/vuxml/vuln.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)