[honister,04/12] xserver-xorg: whitelist two CVEs

Message ID	cd14ceef48aff3186abd0c32165827f99be26622.1642385249.git.anuj.mittal@intel.com
State	Accepted, archived
Commit	cd14ceef48aff3186abd0c32165827f99be26622
Headers	show Return-Path: <anuj.mittal@intel.com> ip: 192.55.52.93, mailfrom: anuj.mittal@intel.com) From: Anuj Mittal <anuj.mittal@intel.com> To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 04/12] xserver-xorg: whitelist two CVEs Date: Mon, 17 Jan 2022 10:10:24 +0800 Message-Id: <cd14ceef48aff3186abd0c32165827f99be26622.1642385249.git.anuj.mittal@intel.com> In-Reply-To: <cover.1642385249.git.anuj.mittal@intel.com> References: <cover.1642385249.git.anuj.mittal@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[honister,01/12] epiphany: Update 40.3 -> 40.6 \| expand [honister,01/12] epiphany: Update 40.3 -> 40.6 [honister,02/12] lib/oe/reproducible: correctly set .git location when recursively looking for git … [honister,03/12] cve-check: add lockfile to task [honister,04/12] xserver-xorg: whitelist two CVEs [honister,05/12] rootfs-postcommands.bbclass: Make two comments use the new variable syntax [honister,06/12] oeqa/sstate: Fix allarch samesigs test [honister,07/12] linux-yocto/5.10: update to v5.10.89 [honister,08/12] linux-yocto/5.14: fix arm 32bit -rt warnings [honister,09/12] linux-yocto/5.10/cfg: add kcov feature fragment [honister,10/12] linux-yocto/5.10: update to v5.10.90 [honister,11/12] libsndfile1: fix CVE-2021-4156 [honister,12/12] go: upgrade 1.16.10 -> 1.16.13

Message ID

cd14ceef48aff3186abd0c32165827f99be26622.1642385249.git.anuj.mittal@intel.com

State

Accepted, archived

Commit

cd14ceef48aff3186abd0c32165827f99be26622

Headers

From: Anuj Mittal <anuj.mittal@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [honister][PATCH 04/12] xserver-xorg: whitelist two CVEs
Date: Mon, 17 Jan 2022 10:10:24 +0800
Message-Id: 
 <cd14ceef48aff3186abd0c32165827f99be26622.1642385249.git.anuj.mittal@intel.com>
In-Reply-To: <cover.1642385249.git.anuj.mittal@intel.com>
References: <cover.1642385249.git.anuj.mittal@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[honister,01/12] epiphany: Update 40.3 -> 40.6 | expand

Commit Message

Mittal, Anuj Jan. 17, 2022, 2:10 a.m. UTC

From: Ross Burton <ross@burtonini.com>

CVE-2011-4613 is specific to Debian/Ubuntu.

CVE-2020-25697 is a non-trivial attack that may not actually be feasible
considering the default behaviour for clients is to exit if the
connection is lost.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit afa2e6c31a79f75ff4113d53f618bbb349cd6c17)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-graphics/xorg-xserver/xserver-xorg.inc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index 85d0788eaf..8864564b3e 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,6 +20,14 @@  SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 
 CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+CVE_CHECK_WHITELIST += "CVE-2011-4613"
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"

[honister,04/12] xserver-xorg: whitelist two CVEs

Commit Message

Patch