
xorg.xorgserver: 1.20.13 -> 21.1.4 #182103

Closed
lheckemann wants to merge 1 commit into NixOS:master from DeterminateSystems:xorg-bump

Conversation

@lheckemann
Member

@lheckemann lheckemann commented Jul 19, 2022

This addresses "multiple input validation failures in X server
extensions" as reported in
https://lists.x.org/archives/xorg/2022-July/061035.html

These issues can lead to privilege escalation when the X server is
running as root (as it still often does on NixOS), as well as remote
code execution via SSH X forwarding.

Fixes CVE-2022-2319
Fixes CVE-2022-2320

I will have a look if we can backport just the security patches, or if we'll need the whole (somewhat unusually numbered) version bump. I suspect that if the patches aren't trivial to backport, the X server is a stable enough piece of software that it should be safe to backport the whole version.

@lheckemann lheckemann added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jul 19, 2022
@ofborg ofborg bot added 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches. labels Jul 19, 2022
@vcunat
Member

vcunat commented Jul 19, 2022

@lheckemann
Member Author

gah, how did I miss that...

@lheckemann lheckemann closed this Jul 19, 2022
@vcunat
Member

vcunat commented Jul 19, 2022

It wasn't that easy to find on GitHub, but retrospectively I'm surprised that you missed it in the chatroom https://matrix.to/#/#security:nixos.org
