Bug 38251 - libx11: Multiple issues (3.2)
libx11: Multiple issues (3.2)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P3 normal (vote)
: UCS 3.2-5-errata
Assigned To: Arvid Requate
Janek Walkenhorst
Depends on:
  Show dependency treegraph
Reported: 2015-04-13 15:48 CEST by Arvid Requate
Modified: 2015-05-07 13:50 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2015-04-13 15:48:15 CEST
+++ This bug was initially created as a clone of Bug #38250 +++

4-byte buffer overflow in MakeBigReq (CVE-2013-7439)

Note: As this is a macro, of course all maintained libraries that use the macro or SetReqLen to create large requests will need to be recompiled: libxrender libxi libxfixes libxrandr libsdl1.2 libxv xserver-xorg-video-vmware cairo (see Debian sec tracker for current list). Probably we can release them independently one after the other but we should check that they don't break at the moment this libx11 update is rolled out.
Comment 1 Arvid Requate univentionstaff 2015-04-15 19:27:43 CEST
The DSA version has been imported and built in errata3.2-5.

Advisory: 2015-04-15-libx11.yaml

All dependent packages have been cherrypicked and rebuilt in errata3.2-5:

From UCS 3.2-0: libxfixes libxrandr libxext libxrender libxi libxv open-vm-tools
From errata3.1-1: cairo
From UCS 3.0-0: libsdl1.2 tightvnc xserver-xorg-video-vmware texlive-bin

I also checked openoffice.org which is not affected.

Corresponding advisories have been commited.
Comment 2 Janek Walkenhorst univentionstaff 2015-05-03 21:19:20 CEST
* libx11 *
Advisory: OK
Tests: OK
Changelog: OK
Comment 3 Janek Walkenhorst univentionstaff 2015-05-05 18:10:21 CEST
* cairo *
seems missing? (Or advisory version is wrong)

* rest *
Advisories: OK
Tests: OK
Comment 4 Arvid Requate univentionstaff 2015-05-06 13:42:18 CEST
Good point, the build of cairo failed because "libpixman-1-dev" was missing. Why? It was imported and built in errata3.1-1, but never got released (actually it's just a build-dependency). Looking deeper, the cairo update built in errata3.1-1 also never got released. So this stuff is obsolete:

pixman 0.24.0-1~bpo60+1 imported on 2013-08-15 09:25:04.499547
in  scope errata3.1-1

cairo 1.10.2-7~bpo60+1 imported on 2013-08-15 10:42:12.377343
in scope errata3.1-1

Instead these versions are valid:
pixman 0.16.4-1 imported on 2010-02-12 12:16:48.258771
in release tag 3.0-0-0

pixman 0.16.4-1+deb6u1 imported on 2014-04-09 13:21:50.735248
in scope ucs3.2-2 (via Bug 33776)

cairo 1.8.10-6 imported on 2010-12-23 21:21:57.090469
in release tag 3.0-0-0

So I removed that bogous 1.10.2-7~bpo60+1 version from errata3.2-5 and cherrypicked the 1.8.10-6 version from release tag 3.0-0-0 instead.
Package has been rebuilt and advisory is updated.
Comment 5 Janek Walkenhorst univentionstaff 2015-05-06 19:01:24 CEST
(In reply to Janek Walkenhorst from comment #2)
> * cairo *
> Advisory: OK
> Tests: OK