bug#48039: closed (xorg-server might be vulnerable to CVE-2021-3472)

[GNU bug Tracking System]

Your message dated Mon, 26 Apr 2021 20:28:47 +0200
with message-id 
<87zgxkrjc0.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me>
and subject line 
has caused the debbugs.gnu.org bug report #48039,
regarding xorg-server might be vulnerable to CVE-2021-3472
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
48039: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=48039
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

--- Begin Message --- Subject: xorg-server might be vulnerable to CVE-2021-3472 Date: Mon, 26 Apr 2021 19:25:35 +0200

Hi, just found this [fn:1]:

A flaw was found in xorg-x11-server in versions before 1.20.11. An
integer underflow can occur in xserver which can lead to a local
privilege escalation.

The commit fixing the bug should be the one at [fn:2], and latest tagged
version (1.20.11) should be fixed.

On a side note, the redhat issue tracker says that [fn:3]:

Xorg server does not run with root privileges in Red Hat Enterprise
Linux 8, therefore this flaw has been rated as having moderate impact
for Red Hat Enterprise linux 8.

Is it possible for guix too not to run the server as root?  I've no idea
myself

guix refresh -l xorg-server
Building the following 73 packages would ensure 121

I just rebuilt xorg-server itself with the attached patch, and building
other packages now but it might take some time on my server.  I'll let
you know how it goes.

[fn:1] https://nvd.nist.gov/vuln/detail/CVE-2021-3472
[fn:2]
https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd
[fn:3] https://bugzilla.redhat.com/show_bug.cgi?id=1944167

0001-gnu-xorg-server-Update-to-1.20.11.patch
Description: Text Data

--- End Message ---

> --- Begin Message ---
>
>
>
> Date: 
>
> Mon, 26 Apr 2021 20:28:47 +0200
>
>
>
>
>
> --- End Message ---