From 6e7bede9bed8280fe0399aa1cae7e58bf1fdc6b2 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 26 Aug 2020 17:05:56 -0400 Subject: gnu: xorg-server: Update replacement to 1.20.9 [security-fixes]. Includes fixes for CVE-2020-1436, CVE-2020-14345, CVE-2020-14346, and CVE-2020-14361. * gnu/packages/xorg.scm (xorg-server/fixed): Update to 1.20.9. * gnu/packages/patches/xorg-server-CVE-2020-14347.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../patches/xorg-server-CVE-2020-14347.patch | 33 ---------------------- gnu/packages/xorg.scm | 11 +++++--- 3 files changed, 7 insertions(+), 38 deletions(-) delete mode 100644 gnu/packages/patches/xorg-server-CVE-2020-14347.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 2f851afe4e..97a494f24a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1674,7 +1674,6 @@ dist_patch_DATA = \ %D%/packages/patches/xf86-video-voodoo-pcitag.patch \ %D%/packages/patches/xfce4-panel-plugins.patch \ %D%/packages/patches/xfce4-settings-defaults.patch \ - %D%/packages/patches/xorg-server-CVE-2020-14347.patch \ %D%/packages/patches/xplanet-1.3.1-cxx11-eof.patch \ %D%/packages/patches/xplanet-1.3.1-libdisplay_DisplayOutput.cpp.patch \ %D%/packages/patches/xplanet-1.3.1-libimage_gif.c.patch \ diff --git a/gnu/packages/patches/xorg-server-CVE-2020-14347.patch b/gnu/packages/patches/xorg-server-CVE-2020-14347.patch deleted file mode 100644 index c54b93d764..0000000000 --- a/gnu/packages/patches/xorg-server-CVE-2020-14347.patch +++ /dev/null @@ -1,33 +0,0 @@ -From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Sat, 25 Jul 2020 19:33:23 +0200 -Subject: [PATCH] fix for ZDI-11426 - -Avoid leaking un-initalized memory to clients by zeroing the -whole pixmap on initial allocation. - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb -Reviewed-by: Alan Coopersmith ---- - dix/pixmap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dix/pixmap.c b/dix/pixmap.c -index 1186d7dbb..5a0146bbb 100644 ---- a/dix/pixmap.c -+++ b/dix/pixmap.c -@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) - if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) - return NullPixmap; - -- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); -+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); - if (!pPixmap) - return NullPixmap; - --- -2.27.0 - diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index bb49d40fb6..b3aa7e7192 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -5447,15 +5447,18 @@ communicates with the user via graphical controls such as buttons and draggable titlebars and borders.") (license license:x11))) -(define xorg-server/fixed ; Fixes CVE-2020-14347 +(define xorg-server/fixed ; security fixes (package (inherit xorg-server) + (version "1.20.9") (source (origin (inherit (package-source xorg-server)) - (patches - (append (origin-patches (package-source xorg-server)) - (search-patches "xorg-server-CVE-2020-14347.patch"))))))) + (uri (string-append "mirror://xorg/individual/xserver/" + "xorg-server-" version ".tar.bz2")) + (sha256 + (base32 + "0w9mrnffvjgmwi50kln15i8rpdskxv97r78l75wlcmg4vzhg46g2")))))) ;; This package is intended to be used when building GTK+. ;; Note: It's currently marked as "hidden" to avoid having two non-eq? -- cgit v1.2.3