Public bug reported:

[Impact]
0.8.2 has completed the fuzzing work started in 0.8.1, so backport the package
from cosmic to fix these CVEs:

CVE-2018-15853 CVE-2018-15854 CVE-2018-15855 CVE-2018-15856
CVE-2018-15857 CVE-2018-15858 CVE-2018-15859 CVE-2018-15861
CVE-2018-15862 CVE-2018-15863 CVE-2018-15864.

upstream NEWS:

libxkbcommon 0.8.2 - 2018-08-05
==================

- Fix various problems found with fuzzing (see commit messages for
  more details):

    - Fix a few NULL-dereferences, out-of-bounds access and undefined behavior
      in the XKB text format parser.

libxkbcommon 0.8.1 - 2018-08-03
==================

- Fix various problems found in the meson build (see commit messages for more
  details):

    - Fix compilation on Darwin.

    - Fix compilation of the x11 tests and demos when XCB is installed in a
      non-standard location.

    - Fix xkbcommon-x11.pc missing the Requires specification.

- Fix various problems found with fuzzing and Coverity (see commit messages for
  more details):

    - Fix stack overflow in the XKB text format parser when evaluating boolean
      negation.

    - Fix NULL-dereferences in the XKB text format parser when some unsupported
      tokens appear (the tokens are still parsed for backward compatibility).

    - Fix NULL-dereference in the XKB text format parser when parsing an
      xkb_geometry section.

    - Fix an infinite loop in the Compose text format parser on some
      inputs.

    - Fix an invalid free() when using multiple keysyms.

- Replace the Unicode characters for the leftanglebracket and rightanglebracket
  keysyms from the deprecated LEFT/RIGHT-POINTING ANGLE BRACKET to
  MATHEMATICAL LEFT/RIGHT ANGLE BRACKET.

- Reject out-of-range Unicode codepoints in xkb_keysym_to_utf8 and
  xkb_keysym_to_utf32.

[Test case]
install the update, check that nothing breaks wrt keyboard handling

[Regression potential]
slim, this has been in cosmic for some time already, and upstream specifically 
asked to backport this to stable releases

There are some other changes to the packaging, but these are harmless
and won't regress anything.

** Affects: libxkbcommon (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: libxkbcommon (Ubuntu Bionic)
     Importance: Undecided
     Assignee: Timo Aaltonen (tjaalton)
         Status: In Progress

** Also affects: libxkbcommon (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: libxkbcommon (Ubuntu)
       Status: New => Fix Released

** Changed in: libxkbcommon (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: libxkbcommon (Ubuntu Bionic)
     Assignee: (unassigned) => Timo Aaltonen (tjaalton)

https://bugs.launchpad.net/bugs/1794690

Title:
  Backport 0.8.2 for a CVE update
