[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
but not via a backport, so marking this as wontfix :) ** Changed in: libxkbcommon (Ubuntu Bionic) Status: Fix Released => Won't Fix -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
The CVEs have been fixed in a security upload https://launchpad.net/ubuntu/+source/libxkbcommon/0.8.0-1ubuntu0.1 ** Changed in: libxkbcommon (Ubuntu Bionic) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
leo: feel free to handle all updates via the security pocket(s), as I have no permission to upload there (AIUI). -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
Not that I know of.. -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
Is there any POC for check CVE-2018-15856? Trusty hasn't the file affected, but I'm wondering if it handles the same thing and is vulnerable and the only way to check this would be if we have any POC. Tks! ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-15856 -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
leo: feel free to take over trusty/xenial, I don't have anything ready for them and if this needs to be handled differently, then that's fine too -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
This is in the SRU queue but it looks like the security pocket might be a better target? I asked Timo to liase with the security team to get a decision on that. -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
Hi Timo, Are you planning to update only for bionic or will you do this also for trusty and xenial? Asking that because I was/am planning to put that update in my stack for xenial and trusty. []'s -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
[Ubuntu-x-swat] [Bug 1794690] Re: Backport 0.8.2 for a CVE update
** Description changed: [Impact] 0.8.2 has completed the fuzzing work started in 0.8.1, so backport the package from cosmic to fix these CVE's: CVE-2018-15853 CVE-2018-15854 CVE-2018-15855 CVE-2018-15856 CVE-2018-15857 CVE-2018-15858 CVE-2018-15859 CVE-2018-15861 CVE-2018-15862 CVE-2018-15863 CVE-2018-15864. upstream NEWS: libxkbcommon 0.8.2 - 2018-08-05 == - Fix various problems found with fuzzing (see commit messages for - more details): + more details): - - Fix a few NULL-dereferences, out-of-bounds access and undefined behavior - in the XKB text format parser. - + - Fix a few NULL-dereferences, out-of-bounds access and undefined behavior + in the XKB text format parser. libxkbcommon 0.8.1 - 2018-08-03 == - Fix various problems found in the meson build (see commit messages for more - details): + details): - - Fix compilation on Darwin. + - Fix compilation on Darwin. - - Fix compilation of the x11 tests and demos when XCB is installed in a - non-standard location. + - Fix compilation of the x11 tests and demos when XCB is installed in a + non-standard location. - - Fix xkbcommon-x11.pc missing the Requires specification. + - Fix xkbcommon-x11.pc missing the Requires specification. - Fix various problems found with fuzzing and Coverity (see commit messages for - more details): + more details): - - Fix stack overflow in the XKB text format parser when evaluating boolean - negation. + - Fix stack overflow in the XKB text format parser when evaluating boolean + negation. - - Fix NULL-dereferences in the XKB text format parser when some unsupported - tokens appear (the tokens are still parsed for backward compatibility). + - Fix NULL-dereferences in the XKB text format parser when some unsupported + tokens appear (the tokens are still parsed for backward compatibility). - - Fix NULL-dereference in the XKB text format parser when parsing an - xkb_geometry section. + - Fix NULL-dereference in the XKB text format parser when parsing an + xkb_geometry section. - - Fix an infinite loop in the Compose text format parser on some + - Fix an infinite loop in the Compose text format parser on some inputs. - - Fix an invalid free() when using multiple keysyms. + - Fix an invalid free() when using multiple keysyms. - Replace the Unicode characters for the leftanglebracket and rightanglebracket - keysyms from the deprecated LEFT/RIGHT-POINTING ANGLE BRACKET to - MATHEMATICAL LEFT/RIGHT ANGLE BRACKET. + keysyms from the deprecated LEFT/RIGHT-POINTING ANGLE BRACKET to + MATHEMATICAL LEFT/RIGHT ANGLE BRACKET. - Reject out-of-range Unicode codepoints in xkb_keysym_to_utf8 and - xkb_keysym_to_utf32. + xkb_keysym_to_utf32. [Test case] install the update, check that nothing breaks wrt keyboard handling [Regression potential] slim, this has been in cosmic for some time already, and upstream specifically asked to backport this to stable releases + + There are some other changes to the packaging, but these are harmless + and won't regress anything. -- You received this bug notification because you are a member of Ubuntu-X, which is subscribed to libxkbcommon in Ubuntu. https://bugs.launchpad.net/bugs/1794690 Title: Backport 0.8.2 for a CVE update To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxkbcommon/+bug/1794690/+subscriptions ___ Mailing list: https://launchpad.net/~ubuntu-x-swat Post to : ubuntu-x-swat@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-x-swat More help : https://help.launchpad.net/ListHelp
