Bug 265244 - x11-servers/xorg-server: CVE-2022-2319 and CVE-2022-2320
Summary: x11-servers/xorg-server: CVE-2022-2319 and CVE-2022-2320
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any / OS: Any
Importance: Normal Affects Many People
Assignee: freebsd-x11 (Nobody)
URL: https://www.freshports.org/vuxml.php?...
Keywords: security
Depends on:
Blocks:
 
Reported: 2022-07-15 22:55 UTC by John Kennedy
Modified: 2023-03-29 21:53 UTC
CC: 4 users

See Also:
bugzilla: maintainer-feedback? (x11)
grahamperrin: merge-quarterly+


Attachments
three patches referenced from Xorg mail, portrevision bump (13.91 KB, patch)
2022-07-16 01:23 UTC, John Kennedy
no flags

Description John Kennedy 2022-07-15 22:55:28 UTC
https://www.theregister.com/2022/07/13/xorg_servers_updated/
https://lists.x.org/archives/xorg/2022-July/061035.html

CVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds Access
CVE-2022-2320/ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds Access

Not totally sure if xorg-server-1.20.14 is vulnerable to this (vs xorg-server-21.1.x).  Portscout thinks we need an upgrade, but I'm pretty sure that just falls under the tyranny of higher-value-found and please-don't-screw-with-numbering-schemes.
Comment 1 Jan Beich freebsd_committer freebsd_triage 2022-07-16 00:09:50 UTC
https://gitlab.freedesktop.org/xorg/xserver/-/compare/f3d9c6ff12b5...06b23cccb116 from 21.1.4 applies fine on top of 1.20.14. Maybe 1.20.* has reached EOL.
 
Note, FreeBSD unlike Linux and OpenBSD runs Xorg with setuid bit (SUID option).
Comment 2 John Kennedy 2022-07-16 01:23:07 UTC
Created attachment 235286 [details]
three patches referenced from Xorg mail, portrevision bump

https://lists.x.org/archives/xorg/2022-July/061035.html

The three commits (two, plus backport reference) and a PORTREVISION bump in the Makefile.  I'm dogfooding this at the moment.
Comment 3 Jan Beich freebsd_committer freebsd_triage 2022-08-02 17:24:41 UTC
After ports 88b0ae2bb9c6 main branch (/latest repo) is no longer affected. 2022Q3 branch (current /quarterly repo) is still affected, and 2022Q4 (future /quarterly repo) won't branch from main until 2022-10-01. One could wait 2 months for both CVEs to evaporate but /quarterly is default on -RELEASEs and was created for security backports in the first place.
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2022-12-14 05:03:52 UTC
Thanks. Triage: 

* the 'patch' keyword is deprecated

* summary line tags such as [2022Q3] are no longer used.

Please see <https://bugs.freebsd.org/bugzilla/> (changes, to the right); <https://bugs.freebsd.org/bugzilla/describekeywords.cgi> (updated); <https://wiki.freebsd.org/Bugzilla>.
Comment 5 Graham Perrin freebsd_committer freebsd_triage 2022-12-14 05:20:55 UTC
(In reply to Jan Beich from comment #3)

Thanks; <https://www.freshports.org/x11-servers/xorg-server/#packages> confirms 21.1.4⋯ under quarterly. 

Maintainer timeout for the merge to quarterly, however I'll leave the flag at ? because (unless I'm mistaken) we're without VuXML entries.
Comment 6 Dimitry Andric freebsd_committer freebsd_triage 2023-03-27 18:29:29 UTC
Should be fixed in https://cgit.freebsd.org/ports/commit/?id=f3039fe1340adfccc18903816ed05dca734855c2, which updates xorg-server to 21.1.7, for bug 268963.
Comment 7 Graham Perrin freebsd_committer freebsd_triage 2023-03-29 21:53:14 UTC
(In reply to Graham Perrin from comment #5)

> … (unless I'm mistaken) we're without VuXML entries.

I still don't see entries for CVE-2022-2319 or CVE-2022-2320.
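Added example, not part of this bug report or of the ports tree: because no VuXML entries exist for either CVE (comment 7), `pkg audit` will not flag an exposed host, so the check has to be done by hand. The script below strips the FreeBSD package version decorations (epoch and PORTREVISION), compares the upstream version of the installed xorg-server against the 21.1.4 threshold implied by the upstream compare link in comment 1, and tests whether the server binary is setuid, the FreeBSD-specific detail from comment 1 that turns these out-of-bounds accesses into a local root issue rather than a per-user crash. Assumptions labelled in the code: the 21.1.4 threshold, the install path /usr/local/bin/Xorg, and that a 1.20.14 package cannot be classified by version alone since it was fixed by backported patches plus a PORTREVISION bump.

```shell
#!/bin/sh
# Added example (not from the bug report or the ports tree): manual
# exposure check for CVE-2022-2319 / CVE-2022-2320 on a FreeBSD host.
# Assumptions: the fixed threshold for the 21.x line is 21.1.4 (comment 1's
# upstream commit range is "from 21.1.4"); the port installs the server as
# /usr/local/bin/Xorg; 1.20.14 was fixed in ports by backported patches and
# a PORTREVISION bump, so its upstream version alone cannot tell
# patched from unpatched.

XORG_BIN="${XORG_BIN:-/usr/local/bin/Xorg}"
FIXED_21="21.1.4"

# Strip FreeBSD package version decorations: "21.1.4_2,1" -> "21.1.4"
# (",N" is the epoch, "_N" is PORTREVISION).
pkg_upstream_version() {
    printf '%s\n' "$1" | sed -e 's/,.*$//' -e 's/_.*$//'
}

# Compare two dotted numeric versions; prints -1, 0 or 1.
# Missing components count as 0, so 21.1 == 21.1.0. Non-numeric
# components (e.g. "rc1") are not handled.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Classify an installed xorg-server package version string:
# prints "fixed", "vulnerable" or "unknown".
xorg_status() {
    v=$(pkg_upstream_version "$1")
    case "$v" in
        21.*)
            if [ "$(vercmp "$v" "$FIXED_21")" -ge 0 ]; then
                printf 'fixed\n'
            else
                printf 'vulnerable\n'
            fi ;;
        *)
            # A patched and an unpatched 1.20.14 carry the same upstream
            # version; check the port commit (ports 88b0ae2bb9c6 per
            # comment 3) or the package's PORTREVISION instead.
            printf 'unknown\n' ;;
    esac
}

# True when the file carries the setuid bit. The FreeBSD port sets it by
# default (SUID option, comment 1), so memory corruption in a request
# handler reachable from a local X client is a local privilege escalation,
# not just a crash of a per-user process.
xorg_is_setuid() {
    [ -u "$1" ]
}

# Live run on a FreeBSD host: sh xorg_check.sh --live
if [ "${1:-}" = "--live" ]; then
    ver=$(pkg query '%v' xorg-server 2>/dev/null)
    if [ -z "$ver" ]; then
        printf 'xorg-server is not installed\n'
        exit 0
    fi
    printf 'xorg-server %s: %s\n' "$ver" "$(xorg_status "$ver")"
    if xorg_is_setuid "$XORG_BIN"; then
        printf '%s is setuid: treat the OOB access as local root\n' "$XORG_BIN"
    fi
fi
```

The version comparison is the only part that generalises beyond this bug: it works for any dotted numeric port version, but the classification thresholds are specific to the two CVEs and to the assumption stated in the lead-in.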