author | Mark H Weaver <mhw@netris.org> | 2020-08-26 17:05:56 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2020-08-27 00:13:38 -0400 |
commit | 6e7bede9bed8280fe0399aa1cae7e58bf1fdc6b2 (patch) | |
tree | 110f0e08d7021359a16a80323edb59cbd6e00703 | |
parent | 2ab8e6067c56165304bd7f119a179ea509676020 (diff) | |
download | guix-6e7bede9bed8280fe0399aa1cae7e58bf1fdc6b2.tar.gz |
gnu: xorg-server: Update replacement to 1.20.9 [security-fixes].
Includes fixes for CVE-2020-1436, CVE-2020-14345, CVE-2020-14346, and CVE-2020-14361. * gnu/packages/xorg.scm (xorg-server/fixed): Update to 1.20.9. * gnu/packages/patches/xorg-server-CVE-2020-14347.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/xorg-server-CVE-2020-14347.patch | 33 | ||||
-rw-r--r-- | gnu/packages/xorg.scm | 11 |
3 files changed, 7 insertions, 38 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 2f851afe4e..97a494f24a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1674,7 +1674,6 @@ dist_patch_DATA = \
 %D%/packages/patches/xf86-video-voodoo-pcitag.patch \
 %D%/packages/patches/xfce4-panel-plugins.patch \
 %D%/packages/patches/xfce4-settings-defaults.patch \
- %D%/packages/patches/xorg-server-CVE-2020-14347.patch \
 %D%/packages/patches/xplanet-1.3.1-cxx11-eof.patch \
 %D%/packages/patches/xplanet-1.3.1-libdisplay_DisplayOutput.cpp.patch \
 %D%/packages/patches/xplanet-1.3.1-libimage_gif.c.patch \
diff --git a/gnu/packages/patches/xorg-server-CVE-2020-14347.patch b/gnu/packages/patches/xorg-server-CVE-2020-14347.patch
deleted file mode 100644
index c54b93d764..0000000000
--- a/gnu/packages/patches/xorg-server-CVE-2020-14347.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Sat, 25 Jul 2020 19:33:23 +0200
-Subject: [PATCH] fix for ZDI-11426
-
-Avoid leaking un-initalized memory to clients by zeroing the
-whole pixmap on initial allocation.
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- dix/pixmap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dix/pixmap.c b/dix/pixmap.c
-index 1186d7dbb..5a0146bbb 100644
---- a/dix/pixmap.c
-+++ b/dix/pixmap.c
-@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
- if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
- return NullPixmap;
-
-- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
-+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
- if (!pPixmap)
- return NullPixmap;
-
---
-2.27.0
-
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index bb49d40fb6..b3aa7e7192 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5447,15 +5447,18 @@ communicates with the user via graphical controls such as buttons and draggable
 titlebars and borders.")
 (license license:x11)))
 
-(define xorg-server/fixed ; Fixes CVE-2020-14347
+(define xorg-server/fixed ; security fixes
 (package
 (inherit xorg-server)
+ (version "1.20.9")
 (source
 (origin
 (inherit (package-source xorg-server))
- (patches
- (append (origin-patches (package-source xorg-server))
- (search-patches "xorg-server-CVE-2020-14347.patch")))))))
+ (uri (string-append "mirror://xorg/individual/xserver/"
+ "xorg-server-" version ".tar.bz2"))
+ (sha256
+ (base32
+ "0w9mrnffvjgmwi50kln15i8rpdskxv97r78l75wlcmg4vzhg46g2"))))))
 
 ;; This package is intended to be used when building GTK+.
 ;; Note: It's currently marked as "hidden" to avoid having two non-eq?
|
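Review bot: The new comment `; security fixes` on the `(define xorg-server/fixed` line drops the advisory identifiers that the replaced comment `; Fixes CVE-2020-14347` and the commit message carry, so a reader of the source can no longer tell which advisories this replacement covers or when the graft can be retired; I would keep them inline, e.g. `(define xorg-server/fixed ; Fixes CVE-2020-14345, CVE-2020-14346, CVE-2020-14361 (see commit log)`. Because the origin still does `(inherit (package-source xorg-server))`, every patch attached to the base package's source is now applied to the 1.20.9 tarball rather than to the version the base package pins; whether those patches still apply cleanly is not visible in this hunk and is worth confirming with a build of the replacement. The `replacement` field on `xorg-server` that must point at this variable lies outside the hunk. The first identifier in the commit message, `CVE-2020-1436`, appears to be one digit short compared with its neighbours and probably wants correcting.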