Univention Bugzilla – Bug 38251
libx11: Multiple issues (3.2)
Last modified: 2015-05-07 13:50:36 CEST
+++ This bug was initially created as a clone of Bug #38250 +++ 4-byte buffer overflow in MakeBigReq (CVE-2013-7439) Note: As this is a macro, of course all maintained libraries that use the macro or SetReqLen to create large requests will need to be recompiled: libxrender libxi libxfixes libxrandr libsdl1.2 libxv xserver-xorg-video-vmware cairo (see Debian sec tracker for current list). Probably we can release them independently one after the other but we should check that they don't break at the moment this libx11 update is rolled out.
The DSA version has been imported and built in errata3.2-5. Advisory: 2015-04-15-libx11.yaml All dependent packages have been cherrypicked and rebuilt in errata3.2-5: From UCS 3.2-0: libxfixes libxrandr libxext libxrender libxi libxv open-vm-tools From errata3.1-1: cairo From UCS 3.0-0: libsdl1.2 tightvnc xserver-xorg-video-vmware texlive-bin I also checked openoffice.org which is not affected. Corresponding advisories have been commited.
* libx11 * Advisory: OK Tests: OK Changelog: OK
* cairo * seems missing? (Or advisory version is wrong) * rest * Advisories: OK Tests: OK
Good point, the build of cairo failed because "libpixman-1-dev" was missing. Why? It was imported and built in errata3.1-1, but never got released (actually it's just a build-dependency). Looking deeper, the cairo update built in errata3.1-1 also never got released. So this stuff is obsolete: =============================================================== pixman 0.24.0-1~bpo60+1 imported on 2013-08-15 09:25:04.499547 in scope errata3.1-1 cairo 1.10.2-7~bpo60+1 imported on 2013-08-15 10:42:12.377343 in scope errata3.1-1 =============================================================== Instead these versions are valid: =============================================================== pixman 0.16.4-1 imported on 2010-02-12 12:16:48.258771 in release tag 3.0-0-0 pixman 0.16.4-1+deb6u1 imported on 2014-04-09 13:21:50.735248 in scope ucs3.2-2 (via Bug 33776) cairo 1.8.10-6 imported on 2010-12-23 21:21:57.090469 in release tag 3.0-0-0 =============================================================== So I removed that bogous 1.10.2-7~bpo60+1 version from errata3.2-5 and cherrypicked the 1.8.10-6 version from release tag 3.0-0-0 instead. Package has been rebuilt and advisory is updated.
(In reply to Janek Walkenhorst from comment #2) > * cairo * > Advisory: OK > Tests: OK
<http://errata.univention.de/ucs/3.2/312.html> <http://errata.univention.de/ucs/3.2/313.html> <http://errata.univention.de/ucs/3.2/314.html> <http://errata.univention.de/ucs/3.2/315.html> <http://errata.univention.de/ucs/3.2/316.html> <http://errata.univention.de/ucs/3.2/317.html> <http://errata.univention.de/ucs/3.2/318.html> <http://errata.univention.de/ucs/3.2/319.html> <http://errata.univention.de/ucs/3.2/320.html> <http://errata.univention.de/ucs/3.2/321.html> <http://errata.univention.de/ucs/3.2/322.html> <http://errata.univention.de/ucs/3.2/323.html> <http://errata.univention.de/ucs/3.2/325.html>