
Bug#1026071: marked as done (xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344)



Your message dated Fri, 23 Dec 2022 12:47:17 +0000
with message-id <E1p8hSH-0074Fd-1u@fasolo.debian.org>
and subject line Bug#1026071: fixed in xorg-server 2:1.20.11-1+deb11u4
has caused the Debian Bug report #1026071,
regarding xorg-server: CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1026071: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026071
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: xorg-server
Version: 2:21.1.4-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for xorg-server.

CVE-2022-4283[0]:
| xkb: reset the radio_groups pointer to NULL after freeing it

CVE-2022-46340[1]:
| Xtest: disallow GenericEvents in XTestSwapFakeInput

CVE-2022-46341[2]:
| Xi: disallow passive grabs with a detail > 255

CVE-2022-46342[3]:
| Xext: free the XvRTVideoNotify when turning off from the same client

CVE-2022-46343[4]:
| Xext: free the screen saver resource when replacing it

CVE-2022-46344[5]:
| Xi: avoid integer truncation in length check of ProcXIChangeProperty

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4283
    https://www.cve.org/CVERecord?id=CVE-2022-4283
[1] https://security-tracker.debian.org/tracker/CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46340
[2] https://security-tracker.debian.org/tracker/CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46341
[3] https://security-tracker.debian.org/tracker/CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46342
[4] https://security-tracker.debian.org/tracker/CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46343
[5] https://security-tracker.debian.org/tracker/CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2022-46344
[6] https://lists.x.org/archives/xorg-announce/2022-December/003302.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xorg-server
Source-Version: 2:1.20.11-1+deb11u4
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1026071@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Dec 2022 11:00:08 +0100
Source: xorg-server
Architecture: source
Version: 2:1.20.11-1+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1026071
Changes:
 xorg-server (2:1.20.11-1+deb11u4) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Xtest: disallow GenericEvents in XTestSwapFakeInput (CVE-2022-46340)
     (Closes: #1026071)
   * Xi: disallow passive grabs with a detail > 255 (CVE-2022-46341)
     (Closes: #1026071)
   * Xext: free the XvRTVideoNotify when turning off from the same client
     (CVE-2022-46342) (Closes: #1026071)
   * Xext: free the screen saver resource when replacing it (CVE-2022-46343)
     (Closes: #1026071)
   * Xi: return an error from XI property changes if verification failed
   * Xi: avoid integer truncation in length check of ProcXIChangeProperty
     (CVE-2022-46344) (Closes: #1026071)
   * xkb: reset the radio_groups pointer to NULL after freeing it
     (CVE-2022-4283) (Closes: #1026071)
Checksums-Sha1: 
 dde7bc1270bfc6f12a655ec97fde334ce092ab23 4391 xorg-server_1.20.11-1+deb11u4.dsc
 8560c7840e9de0b48c4b66190173f05b0e439187 171268 xorg-server_1.20.11-1+deb11u4.diff.gz
Checksums-Sha256: 
 51f66f51b2b3f561e7a27df6971d6849c03c26094962e4120bc54caeccf34bd4 4391 xorg-server_1.20.11-1+deb11u4.dsc
 4d90bda023a50ea5f2558247c286bcd9242d321edae92a7d18e22e7112c6179b 171268 xorg-server_1.20.11-1+deb11u4.diff.gz
Files: 
 88a91033cb3b049187acbd782beca174 4391 x11 optional xorg-server_1.20.11-1+deb11u4.dsc
 e4471c9b1a877b74928b6de8abc7157c 171268 x11 optional xorg-server_1.20.11-1+deb11u4.diff.gz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
