Date: Tue, 25 Aug 2020 17:26:32 +0000 (UTC) From: Niclas Zeising <zeising@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r546197 - head/security/vuxml Message-ID: <202008251726.07PHQWcv004270@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: zeising Date: Tue Aug 25 17:26:32 2020 New Revision: 546197 URL: https://svnweb.freebsd.org/changeset/ports/546197 Log: vuxml: Document xorg-server and libX11 vulns Document newly announced vulnerabilities in libX11 and xorg-server. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Aug 25 17:04:02 2020 (r546196) +++ head/security/vuxml/vuln.xml Tue Aug 25 17:26:32 2020 (r546197) @@ -58,6 +58,92 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="ffa15b3b-e6f6-11ea-8cbf-54e1ad3d6335"> + <topic>xorg-server -- Multiple input validation failures in X server extensions</topic> + <affects> + <package> + <name>xorg-server</name> + <range><lt>1.20.8_4,1</lt></range> + </package> + <package> + <name>xephyr</name> + <range><lt>1.20.8_4,1</lt></range> + </package> + <package> + <name>xorg-vfbserver</name> + <range><lt>1.20.8_4,1</lt></range> + </package> + <package> + <name>xorg-nestserver</name> + <range><lt>1.20.8_4,1</lt></range> + </package> + <package> + <name>xwayland</name> + <range><lt>1.20.8_4,1</lt></range> + </package> + <package> + <name>xorg-dmx</name> + <range><lt>1.20.8_4,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The X.org project reports:</p> + <blockquote cite="https://lists.x.org/archives/xorg-announce/2020-August/003058.html">; + <p>All theses issuses can lead to local privileges elevation on + systems where the X server is running privileged.</p> + <p>The handler for the XkbSetNames request does not validate the + request length before accessing its contents.</p> + <p>An integer underflow exists in the handler for the + XIChangeHierarchy request.</p> + <p>An integer underflow exist in the handler for the XkbSelectEvents + request.</p> + <p> An integer underflow exist in the handler for the CreateRegister + request of the X record extension.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2020-14345</cvename> + <cvename>CVE-2020-14346</cvename> + <cvename>CVE-2020-14361</cvename> + <cvename>CVE-2020-14362</cvename> + <url>https://lists.x.org/archives/xorg-announce/2020-August/003058.html</url>; + </references> + <dates> + <discovery>2020-08-25</discovery> + <entry>2020-08-25</entry> + </dates> + </vuln> + + <vuln vid="8da79498-e6f6-11ea-8cbf-54e1ad3d6335"> + <topic>libX11 -- Doublefree in locale handlng code</topic> + <affects> + <package> + <name>libX11</name> + <range><lt>1.6.12</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The X.org project reports:</p> + <blockquote cite="https://lists.x.org/archives/xorg-announce/2020-August/003056.html">; + <p>There is an integer overflow and a double free vulnerability in + the way LibX11 handles locales. The integer overflow is a necessary + precursor to the double free.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2020-14363</cvename> + <url>https://lists.x.org/archives/xorg-announce/2020-August/003056.html</url>; + </references> + <dates> + <discovery>2020-08-25</discovery> + <entry>2020-08-25</entry> + </dates> + </vuln> + <vuln vid="719f06af-e45e-11ea-95a1-c3b8167b8026"> <topic>chrony <= 3.5.1 data corruption through symlink vulnerability writing the pidfile</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202008251726.07PHQWcv004270>