[dunfell,09/11] xserver-xorg: whitelist two CVEs

Message ID	c477e35d01e7b8443b680f6456ac92a15fbfeaa2.1642083419.git.steve@sakoman.com
State	Accepted, archived
Commit	c477e35d01e7b8443b680f6456ac92a15fbfeaa2
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.177, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 09/11] xserver-xorg: whitelist two CVEs Date: Thu, 13 Jan 2022 04:37:13 -1000 Message-Id: <c477e35d01e7b8443b680f6456ac92a15fbfeaa2.1642083419.git.steve@sakoman.com> In-Reply-To: <cover.1642083419.git.steve@sakoman.com> References: <cover.1642083419.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/11] valgrind: skip flakey ptest (gdbserver_tests/hginfo) \| expand [dunfell,01/11] valgrind: skip flakey ptest (gdbserver_tests/hginfo) [dunfell,02/11] oeqa/selftest/cases/tinfoil.py: increase timeout 60->120s test_wait_event [dunfell,03/11] cve-update-db-native: use fetch task [dunfell,04/11] cve-check: add lockfile to task [dunfell,05/11] xserver-xorg: update CVE_PRODUCT [dunfell,06/11] wic: misc: Do not find for executables in ASSUME_PROVIDED [dunfell,07/11] wic: use shutil.which [dunfell,08/11] expat: Update HOMEPAGE to current url [dunfell,09/11] xserver-xorg: whitelist two CVEs [dunfell,10/11] parselogs: add a couple systemd false positives [dunfell,11/11] glibc: Add fix for data races in pthread_create and TLS access

Message ID

c477e35d01e7b8443b680f6456ac92a15fbfeaa2.1642083419.git.steve@sakoman.com

State

Accepted, archived

Commit

c477e35d01e7b8443b680f6456ac92a15fbfeaa2

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 09/11] xserver-xorg: whitelist two CVEs
Date: Thu, 13 Jan 2022 04:37:13 -1000
Message-Id: 
 <c477e35d01e7b8443b680f6456ac92a15fbfeaa2.1642083419.git.steve@sakoman.com>
In-Reply-To: <cover.1642083419.git.steve@sakoman.com>
References: <cover.1642083419.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/11] valgrind: skip flakey ptest (gdbserver_tests/hginfo) | expand

Commit Message

Steve Sakoman Jan. 13, 2022, 2:37 p.m. UTC

From: Ross Burton <ross@burtonini.com>

CVE-2011-4613 is specific to Debian/Ubuntu.

CVE-2020-25697 is a non-trivial attack that may not actually be feasible
considering the default behaviour for clients is to exit if the
connection is lost.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit afa2e6c31a79f75ff4113d53f618bbb349cd6c17)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-graphics/xorg-xserver/xserver-xorg.inc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index 02daafc098..c891211c40 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -19,6 +19,14 @@  XORG_PN = "xorg-server"
 SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2"
 
 CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+CVE_CHECK_WHITELIST += "CVE-2011-4613"
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"

[dunfell,09/11] xserver-xorg: whitelist two CVEs

Commit Message

Patch