
Bug#1026071: xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344



hi Timo,

On Wed, Dec 14, 2022 at 11:28:39AM +0200, Timo Aaltonen wrote:
> Salvatore Bonaccorso wrote on 14.12.2022 at 11.19:
> > Source: xorg-server
> > Version: 2:21.1.4-3
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerabilities were published for xorg-server.
> > 
> > CVE-2022-4283[0]:
> > | xkb: reset the radio_groups pointer to NULL after freeing it
> > 
> > CVE-2022-46340[1]:
> > | Xtest: disallow GenericEvents in XTestSwapFakeInput
> > 
> > CVE-2022-46341[2]:
> > | Xi: disallow passive grabs with a detail > 255
> > 
> > CVE-2022-46342[3]:
> > | Xext: free the XvRTVideoNotify when turning off from the same client
> > 
> > CVE-2022-46343[4]:
> > | Xext: free the screen saver resource when replacing it
> > 
> > CVE-2022-46344[5]:
> > | Xi: avoid integer truncation in length check of ProcXIChangeProperty
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2022-4283
> >      https://www.cve.org/CVERecord?id=CVE-2022-4283
> > [1] https://security-tracker.debian.org/tracker/CVE-2022-46340
> >      https://www.cve.org/CVERecord?id=CVE-2022-46340
> > [2] https://security-tracker.debian.org/tracker/CVE-2022-46341
> >      https://www.cve.org/CVERecord?id=CVE-2022-46341
> > [3] https://security-tracker.debian.org/tracker/CVE-2022-46342
> >      https://www.cve.org/CVERecord?id=CVE-2022-46342
> > [4] https://security-tracker.debian.org/tracker/CVE-2022-46343
> >      https://www.cve.org/CVERecord?id=CVE-2022-46343
> > [5] https://security-tracker.debian.org/tracker/CVE-2022-46344
> >      https://www.cve.org/CVERecord?id=CVE-2022-46344
> > [6] https://lists.x.org/archives/xorg-announce/2022-December/003302.html
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > Regards,
> > Salvatore
> > 
> 
> I've uploaded 21.1.5-1 ~20min ago :) All of these were referenced in the
> changelog.

hehe, thanks. I guess we had a race with filing the bug and the
upload. Thanks.
> 
> btw, there's a typo in one of the CVEs, it's -46283 not -4283:
> 
> https://lists.x.org/archives/xorg-announce/2022-December/003302.html
> 
> the typo is also on the git commit but I fixed it on d/changelog

Should already be correct in the above listing and security-tracker. But
right, the final advisory upstream still has the typo.

Regards,
Salvatore
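The last entry in the list quoted above, CVE-2022-46344 ("Xi: avoid integer truncation in length check of ProcXIChangeProperty"), names a bug class that is worth seeing in code. The program below is an added example written for this page, not xorg-server code: the request layout, the field names and every helper function are constructed for illustration (little-endian host assumed), and the only thing it demonstrates is the pattern itself, a byte count computed in a 32-bit integer that wraps to a small value and passes the "is enough data in the request?" check, beside a check that compares item counts and cannot overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class named by CVE-2022-46344.
 * NOT the xorg-server code: layout, names and helpers are assumptions. */

/* Hypothetical fixed-size request header, followed on the wire by
 * num_items items of `format` bits each (8, 16 or 32). */
typedef struct {
    uint8_t  format;      /* bits per item */
    uint32_t num_items;   /* 32-bit, client-controlled */
} example_req_hdr;

/* Vulnerable pattern: the item array's byte length is computed in a
 * 32-bit integer, so num_items * bytes_per_item can wrap modulo 2^32 to a
 * small value that satisfies the bounds check.  A caller that then loops
 * num_items times reads far past the request buffer. */
static bool items_fit_truncating(uint32_t num_items, uint8_t format, size_t avail_bytes)
{
    uint32_t len = num_items * (format / 8);   /* wraps for large num_items */
    return len <= avail_bytes;
}

/* Hardened pattern: validate the format, then compare num_items against
 * how many items the available bytes can hold.  No multiplication, so no
 * wrap-around is possible. */
static bool items_fit_checked(uint32_t num_items, uint8_t format, size_t avail_bytes)
{
    if (format != 8 && format != 16 && format != 32)
        return false;
    size_t bytes_per_item = format / 8;
    return num_items <= avail_bytes / bytes_per_item;
}

/* Stand-in for "use the property data": parse the header from `buf`,
 * apply the hardened check, and sum the items.  Returns the sum, or -1
 * if the request is rejected. */
static long process_request(const uint8_t *buf, size_t buf_len)
{
    example_req_hdr hdr;
    if (buf_len < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);
    size_t avail = buf_len - sizeof hdr;
    if (!items_fit_checked(hdr.num_items, hdr.format, avail))
        return -1;

    const uint8_t *items = buf + sizeof hdr;
    size_t bpi = hdr.format / 8;
    uint64_t sum = 0;
    for (uint32_t i = 0; i < hdr.num_items; i++) {
        uint32_t v = 0;
        memcpy(&v, items + (size_t)i * bpi, bpi);   /* little-endian host assumed */
        sum += v;
    }
    return (long)sum;
}

/* Build a request: header with the given num_items field, then `n`
 * 32-bit items.  The field may deliberately disagree with `n`. */
static size_t build_request(uint8_t *out, size_t cap, uint32_t num_items_field,
                            const uint32_t *items, size_t n)
{
    example_req_hdr hdr;
    memset(&hdr, 0, sizeof hdr);          /* zero padding bytes too */
    hdr.format = 32;
    hdr.num_items = num_items_field;
    size_t need = sizeof hdr + n * 4;
    if (need > cap)
        return 0;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, items, n * 4);
    return need;
}

/* Constructed demo input: an honest request with two items, 1 and 2. */
static long demo_process_valid(void)
{
    uint32_t data[2] = { 1, 2 };
    uint8_t buf[64];
    size_t len = build_request(buf, sizeof buf, 2, data, 2);
    return process_request(buf, len);
}

/* Constructed demo input: the same two items, but num_items claims
 * 0x40000001, which times 4 wraps to 4 in 32 bits. */
static long demo_process_wrapped(void)
{
    uint32_t data[2] = { 1, 2 };
    uint8_t buf[64];
    size_t len = build_request(buf, sizeof buf, 0x40000001u, data, 2);
    return process_request(buf, len);
}

int main(void)
{
    printf("truncating check accepts wrapped request: %d\n",
           items_fit_truncating(0x40000001u, 32, 8));
    printf("checked check accepts wrapped request:    %d\n",
           items_fit_checked(0x40000001u, 32, 8));
    printf("valid request sum: %ld, wrapped request: %ld\n",
           demo_process_valid(), demo_process_wrapped());
    return 0;
}
```

Compile with `cc -std=c11 -Wall example.c` and run it; the wrapped request (0x40000001 items of 4 bytes, 8 bytes actually present) passes the truncating check because 0x40000001 * 4 is 4 modulo 2^32, and is rejected by the item-count comparison.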


Reply to: