xserver-xorg: whitelist two CVEs

CVE-2011-4613 is specific to Debian/Ubuntu. CVE-2020-25697 is a non-trivial attack that may not actually be feasible considering the default behaviour for clients is to exit if the connection is lost. (From OE-Core rev: cd14ceef48aff3186abd0c32165827f99be26622) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit afa2e6c31a79f75ff4113d53f618bbb349cd6c17) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross@burtonini.com> 2022-01-10 12:19:32 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-01-19 11:11:58 +0000
commit: f4ccd33a7b0af597d1056659ef92b5a6e246e9d0 (patch)
tree: d82fd5718fb2572264a79468ab3fdca4318fe284 /meta
parent: 79a6976be6a69a2c9f21d99b30d5a04310a94ada (diff)
download: poky-f4ccd33a7b0af597d1056659ef92b5a6e246e9d0.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index 85d0788eaf..8864564b3e 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,6 +20,14 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+CVE_CHECK_WHITELIST += "CVE-2011-4613"
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
 S = "${WORKDIR}/${XORG_PN}-${PV}"
author	Ross Burton <ross@burtonini.com>	2022-01-10 12:19:32 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-01-19 11:11:58 +0000
commit	f4ccd33a7b0af597d1056659ef92b5a6e246e9d0 (patch)
tree	d82fd5718fb2572264a79468ab3fdca4318fe284 /meta
parent	79a6976be6a69a2c9f21d99b30d5a04310a94ada (diff)
download	poky-f4ccd33a7b0af597d1056659ef92b5a6e246e9d0.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index 85d0788eaf..8864564b3e 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,6 +20,14 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
20	UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"	20	UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
21		21
22	CVE_PRODUCT = "xorg-server x_server"	22	CVE_PRODUCT = "xorg-server x_server"
		23	# This is specific to Debian's xserver-wrapper.c
		24	CVE_CHECK_WHITELIST += "CVE-2011-4613"
		25	# As per upstream, exploiting this flaw is non-trivial and it requires exact
		26	# timing on the behalf of the attacker. Many graphical applications exit if their
		27	# connection to the X server is lost, so a typical desktop session is either
		28	# impossible or difficult to exploit. There is currently no upstream patch
		29	# available for this flaw.
		30	CVE_CHECK_WHITELIST += "CVE-2020-25697"
23		31
24	S = "${WORKDIR}/${XORG_PN}-${PV}"	32	S = "${WORKDIR}/${XORG_PN}-${PV}"
25		33