xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344

Debian Bug report logs - #1026071

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 14 Dec 2022 09:21:04 UTC

Severity: grave

Tags: security, upstream

Found in version xorg-server/2:21.1.4-3

Fixed in version xorg-server/2:21.1.5-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#1026071; Package src:xorg-server. (Wed, 14 Dec 2022 09:21:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Wed, 14 Dec 2022 09:21:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344
Date: Wed, 14 Dec 2022 10:19:52 +0100
Source: xorg-server
Version: 2:21.1.4-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for xorg-server.

CVE-2022-4283[0]:
| xkb: reset the radio_groups pointer to NULL after freeing it

CVE-2022-46340[1]:
| Xtest: disallow GenericEvents in XTestSwapFakeInput

CVE-2022-46341[2]:
| Xi: disallow passive grabs with a detail > 255

CVE-2022-46342[3]:
| Xext: free the XvRTVideoNotify when turning off from the same client

CVE-2022-46343[4]:
| Xext: free the screen saver resource when replacing it

CVE-2022-46344[5]:
| Xi: avoid integer truncation in length check of ProcXIChangeProperty

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4283
    https://www.cve.org/CVERecord?id=CVE-2022-4283
[1] https://security-tracker.debian.org/tracker/CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46340
[2] https://security-tracker.debian.org/tracker/CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46341
[3] https://security-tracker.debian.org/tracker/CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46342
[4] https://security-tracker.debian.org/tracker/CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46343
[5] https://security-tracker.debian.org/tracker/CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2022-46344
[6] https://lists.x.org/archives/xorg-announce/2022-December/003302.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
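The last entry in that list, the integer truncation in a length check, is the one bug class above that a short program can make concrete. What follows is an added illustration written for this page, not xorg-server's own code and not the ProcXIChangeProperty logic: a constructed request with a client-controlled item count, a check that narrows the computed byte total to 16 bits before comparing it, and the corrected check beside it. The struct layout, field names, BUF_LEN and the sample requests are all assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration (not xorg-server code) of an integer-truncation
 * bug in a length check. Field names, layout and BUF_LEN are assumptions.
 */
#define BUF_LEN 64u   /* bytes actually available for the item data */

struct item_req {
    uint8_t  format;     /* bits per item: 8, 16 or 32 */
    uint32_t num_items;  /* client-controlled item count */
};

/* Bytes the copy that follows the check would really move. */
static uint64_t real_bytes(const struct item_req *r)
{
    return (uint64_t)r->num_items * (r->format / 8u);
}

/* Vulnerable check: the product is stored in a 16-bit variable, so any
 * num_items whose byte total is a multiple of 65536 plus a small remainder
 * wraps to that remainder and passes. Returns 1 when the request is accepted. */
int check_length_truncated(const struct item_req *r)
{
    uint16_t bytes = (uint16_t)(r->num_items * (r->format / 8u));
    return bytes <= BUF_LEN;
}

/* Hardened check: validate format, do the arithmetic in 64 bits and compare
 * the full value; nothing is narrowed before the comparison. */
int check_length_safe(const struct item_req *r)
{
    if (r->format != 8 && r->format != 16 && r->format != 32)
        return 0;
    return real_bytes(r) <= BUF_LEN;
}

/* 1 if the truncated check lets through a request whose copy would overrun
 * the BUF_LEN buffer, i.e. the condition a reviewer or fuzzer is hunting. */
int truncated_check_overruns(const struct item_req *r)
{
    return check_length_truncated(r) && real_bytes(r) > BUF_LEN;
}

int main(void)
{
    /* Constructed sample requests. */
    struct item_req benign  = { 32, 8 };        /* 32 bytes: both checks accept */
    struct item_req wrapped = { 8, 0x10008u };  /* 65544 bytes, truncates to 8 */
    struct item_req wrap32  = { 32, 0x4000u };  /* 65536 bytes, truncates to 0 */
    const struct item_req *cases[] = { &benign, &wrapped, &wrap32 };
    for (size_t i = 0; i < 3; i++) {
        const struct item_req *r = cases[i];
        printf("format=%u num_items=%#x real=%llu truncated_ok=%d safe_ok=%d overrun=%d\n",
               r->format, r->num_items, (unsigned long long)real_bytes(r),
               check_length_truncated(r), check_length_safe(r),
               truncated_check_overruns(r));
    }
    return 0;
}
```

The pattern to look for in review is any length or count that is computed in, cast to, or stored in a type narrower than the value it came from before the bounds comparison; the copy that follows normally uses the original wide value, which is what turns a passed check into an out-of-bounds write.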



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#1026071; Package src:xorg-server. (Wed, 14 Dec 2022 09:36:11 GMT)

Acknowledgement sent to Timo Aaltonen <tjaalton@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Wed, 14 Dec 2022 09:36:11 GMT)

Message #10 received at 1026071@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1026071@bugs.debian.org
Subject: Re: Bug#1026071: xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344
Date: Wed, 14 Dec 2022 11:28:39 +0200
Salvatore Bonaccorso wrote on 14.12.2022 at 11:19:
> Source: xorg-server
> Version: 2:21.1.4-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerabilities were published for xorg-server.
> 
> CVE-2022-4283[0]:
> | xkb: reset the radio_groups pointer to NULL after freeing it
> 
> CVE-2022-46340[1]:
> | Xtest: disallow GenericEvents in XTestSwapFakeInput
> 
> CVE-2022-46341[2]:
> | Xi: disallow passive grabs with a detail > 255
> 
> CVE-2022-46342[3]:
> | Xext: free the XvRTVideoNotify when turning off from the same client
> 
> CVE-2022-46343[4]:
> | Xext: free the screen saver resource when replacing it
> 
> CVE-2022-46344[5]:
> | Xi: avoid integer truncation in length check of ProcXIChangeProperty
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-4283
>      https://www.cve.org/CVERecord?id=CVE-2022-4283
> [1] https://security-tracker.debian.org/tracker/CVE-2022-46340
>      https://www.cve.org/CVERecord?id=CVE-2022-46340
> [2] https://security-tracker.debian.org/tracker/CVE-2022-46341
>      https://www.cve.org/CVERecord?id=CVE-2022-46341
> [3] https://security-tracker.debian.org/tracker/CVE-2022-46342
>      https://www.cve.org/CVERecord?id=CVE-2022-46342
> [4] https://security-tracker.debian.org/tracker/CVE-2022-46343
>      https://www.cve.org/CVERecord?id=CVE-2022-46343
> [5] https://security-tracker.debian.org/tracker/CVE-2022-46344
>      https://www.cve.org/CVERecord?id=CVE-2022-46344
> [6] https://lists.x.org/archives/xorg-announce/2022-December/003302.html
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

I've uploaded 21.1.5-1 ~20min ago :) All of these were referenced in the 
changelog.

btw, there's a typo in one of the CVEs, it's -46283 not -4283:

https://lists.x.org/archives/xorg-announce/2022-December/003302.html

the typo is also on the git commit but I fixed it on d/changelog


-- 
t




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#1026071; Package src:xorg-server. (Wed, 14 Dec 2022 09:45:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Wed, 14 Dec 2022 09:45:03 GMT)

Message #15 received at 1026071@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Timo Aaltonen <tjaalton@debian.org>
Cc: 1026071@bugs.debian.org
Subject: Re: Bug#1026071: xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344
Date: Wed, 14 Dec 2022 10:42:48 +0100
hi Timo,

On Wed, Dec 14, 2022 at 11:28:39AM +0200, Timo Aaltonen wrote:
> Salvatore Bonaccorso wrote on 14.12.2022 at 11:19:
> > Source: xorg-server
> > Version: 2:21.1.4-3
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerabilities were published for xorg-server.
> > 
> > CVE-2022-4283[0]:
> > | xkb: reset the radio_groups pointer to NULL after freeing it
> > 
> > CVE-2022-46340[1]:
> > | Xtest: disallow GenericEvents in XTestSwapFakeInput
> > 
> > CVE-2022-46341[2]:
> > | Xi: disallow passive grabs with a detail > 255
> > 
> > CVE-2022-46342[3]:
> > | Xext: free the XvRTVideoNotify when turning off from the same client
> > 
> > CVE-2022-46343[4]:
> > | Xext: free the screen saver resource when replacing it
> > 
> > CVE-2022-46344[5]:
> > | Xi: avoid integer truncation in length check of ProcXIChangeProperty
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2022-4283
> >      https://www.cve.org/CVERecord?id=CVE-2022-4283
> > [1] https://security-tracker.debian.org/tracker/CVE-2022-46340
> >      https://www.cve.org/CVERecord?id=CVE-2022-46340
> > [2] https://security-tracker.debian.org/tracker/CVE-2022-46341
> >      https://www.cve.org/CVERecord?id=CVE-2022-46341
> > [3] https://security-tracker.debian.org/tracker/CVE-2022-46342
> >      https://www.cve.org/CVERecord?id=CVE-2022-46342
> > [4] https://security-tracker.debian.org/tracker/CVE-2022-46343
> >      https://www.cve.org/CVERecord?id=CVE-2022-46343
> > [5] https://security-tracker.debian.org/tracker/CVE-2022-46344
> >      https://www.cve.org/CVERecord?id=CVE-2022-46344
> > [6] https://lists.x.org/archives/xorg-announce/2022-December/003302.html
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > Regards,
> > Salvatore
> > 
> 
> I've uploaded 21.1.5-1 ~20min ago :) All of these were referenced in the
> changelog.

hehe, thanks. I guess we had a race with filing the bug and the
upload. Thanks.
> 
> btw, there's a typo in one of the CVE's, it's -46283 not -4283:
> 
> https://lists.x.org/archives/xorg-announce/2022-December/003302.html
> 
> the typo is also on the git commit but I fixed it on d/changelog

Should already be correct in above listing and security-tracker. But
right the final advisory upstream still has the typo.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#1026071; Package src:xorg-server. (Wed, 14 Dec 2022 10:03:03 GMT)

Acknowledgement sent to Timo Aaltonen <tjaalton@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Wed, 14 Dec 2022 10:03:03 GMT)

Message #20 received at 1026071@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1026071@bugs.debian.org
Subject: Re: Bug#1026071: xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344
Date: Wed, 14 Dec 2022 12:01:53 +0200
Salvatore Bonaccorso wrote on 14.12.2022 at 11:42:
>>
>> btw, there's a typo in one of the CVE's, it's -46283 not -4283:
>>
>> https://lists.x.org/archives/xorg-announce/2022-December/003302.html
>>
>> the typo is also on the git commit but I fixed it on d/changelog
> 
> Should already be correct in above listing and security-tracker. But
> right the final advisory upstream still has the typo.

Hmm so the announce mail was wrong and it's actually -4283?? These 
aren't public so I wasn't able to check, my bad..

-- 
t




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#1026071; Package src:xorg-server. (Wed, 14 Dec 2022 13:27:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Wed, 14 Dec 2022 13:27:04 GMT)

Message #25 received at 1026071@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Timo Aaltonen <tjaalton@debian.org>, 1026071@bugs.debian.org
Subject: Re: Bug#1026071: xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344
Date: Wed, 14 Dec 2022 14:22:49 +0100
Hi Timo,

On Wed, Dec 14, 2022 at 12:01:53PM +0200, Timo Aaltonen wrote:
> Salvatore Bonaccorso wrote on 14.12.2022 at 11:42:
> > > 
> > > btw, there's a typo in one of the CVE's, it's -46283 not -4283:
> > > 
> > > https://lists.x.org/archives/xorg-announce/2022-December/003302.html
> > > 
> > > the typo is also on the git commit but I fixed it on d/changelog
> > 
> > Should already be correct in above listing and security-tracker. But
> > right the final advisory upstream still has the typo.
> 
> Hmm so the announce mail was wrong and it's actually -4283?? These aren't
> public so I wasn't able to check, my bad..

Yes, the 4-digit one is the correct one. Unfortunately the typo
apparently still propagated to the official announce even though it
was noticed before.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 14 Dec 2022 13:42:03 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 14 Dec 2022 13:42:03 GMT)

Message #30 received at 1026071-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1026071-done@bugs.debian.org
Subject: [ftpmaster@ftp-master.debian.org: Accepted xorg-server 2:21.1.5-1 (source) into unstable]
Date: Wed, 14 Dec 2022 14:38:51 +0100
Source: xorg-server
Source-Version: 2:21.1.5-1

----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Resent-From: debian-devel-changes@lists.debian.org
Reply-To: debian-devel@lists.debian.org
Date: Wed, 14 Dec 2022 10:10:32 +0000
To: debian-devel-changes@lists.debian.org
Subject: Accepted xorg-server 2:21.1.5-1 (source) into unstable
Message-Id: <E1p5Oie-006m4z-Q7@fasolo.debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 14 Dec 2022 11:10:24 +0200
Source: xorg-server
Built-For-Profiles: noudeb
Architecture: source
Version: 2:21.1.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Changes:
 xorg-server (2:21.1.5-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343,
       CVE-2022-46344, CVE-2022-46283
   * Add signing-key from Peter Hutterer.
Checksums-Sha1:
 9879f8698e606006d3c860870a54a11d2bad59ac 4207 xorg-server_21.1.5-1.dsc
 c5efdc5696815a8925e371b5237223f60c920568 8917627 xorg-server_21.1.5.orig.tar.gz
 e54e3660bcd95539a17841075f330a3a05a6a9bf 195 xorg-server_21.1.5.orig.tar.gz.asc
 a4e0502f05552a701fce55f8dcd23547f39ce122 169209 xorg-server_21.1.5-1.diff.gz
 e6d3bdb6bcbe24fd0d7531191dbf7086d40ba95f 10540 xorg-server_21.1.5-1_source.buildinfo
Checksums-Sha256:
 40b27446f4a6c6d54b734a199f9f94f37d6b66092635d2ac018180e0678800ae 4207 xorg-server_21.1.5-1.dsc
 5e391867bfe44ce766a8c748e7563dc9678c229af72b5f94e221a92b1b04b7a1 8917627 xorg-server_21.1.5.orig.tar.gz
 e677f4436820c0863c2fb1043a498f81d9f6cfea808ced5bf5921686238cc1bb 195 xorg-server_21.1.5.orig.tar.gz.asc
 735c73342e8a3b9b9b722837cf783a0bcf368aaf8b5f844a3f11c19bedb3b258 169209 xorg-server_21.1.5-1.diff.gz
 90d9e9e338b615d58d48446e532dd7a5c175aa73207872ac51fbce9627cf8f03 10540 xorg-server_21.1.5-1_source.buildinfo
Files:
 9b01577aea185661100ab83359d82492 4207 x11 optional xorg-server_21.1.5-1.dsc
 8afa3a9cb1cbe3101183eedc9773243f 8917627 x11 optional xorg-server_21.1.5.orig.tar.gz
 428b0a04ac6dd4ce330fcefe018f16cb 195 x11 optional xorg-server_21.1.5.orig.tar.gz.asc
 748b63932c6fc2c8637c3402f933d7a9 169209 x11 optional xorg-server_21.1.5-1.diff.gz
 c073e5207fd1a10192f148863a1b965a 10540 x11 optional xorg-server_21.1.5-1_source.buildinfo



----- End forwarded message -----




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 15 07:19:59 2022; Machine Name: buxtehude
