diff options
| author |   Ross Burton <ross@burtonini.com> | 2022-01-10 12:19:32 +0000 |
|---|---|---|
| committer |   Anuj Mittal <anuj.mittal@intel.com> | 2022-01-17 10:26:19 +0800 |
| commit | f82c65b3c69738401ecdac354ed65308929cc20f (patch) | |
| tree | e2946060f21efff23aeaf165f767d05bda9a25af | |
| parent | 12c4da7e9986ae8a6207bcc3a4aa787579d7b863 (diff) | |
| download | openembedded-core-contrib-f82c65b3c69738401ecdac354ed65308929cc20f.tar.gz | |
xserver-xorg: whitelist two CVEs
CVE-2011-4613 is specific to Debian/Ubuntu.
CVE-2020-25697 is a non-trivial attack that may not actually be feasible
considering the default behaviour for clients is to exit if the
connection is lost.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit afa2e6c31a79f75ff4113d53f618bbb349cd6c17)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
| -rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg.inc | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index 497515a04a..d83cb94317 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc @@ -18,6 +18,14 @@ XORG_PN = "xorg-server" SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2" CVE_PRODUCT = "xorg-server x_server" +# This is specific to Debian's xserver-wrapper.c +CVE_CHECK_WHITELIST += "CVE-2011-4613" +# As per upstream, exploiting this flaw is non-trivial and it requires exact +# timing on the behalf of the attacker. Many graphical applications exit if their +# connection to the X server is lost, so a typical desktop session is either +# impossible or difficult to exploit. There is currently no upstream patch +# available for this flaw. +CVE_CHECK_WHITELIST += "CVE-2020-25697" S = "${WORKDIR}/${XORG_PN}-${PV}" |