mirror of
https://git.yoctoproject.org/poky
synced 2026-04-13 05:02:24 +02:00
xserver-xorg: whitelist two CVEs
CVE-2011-4613 is specific to Debian/Ubuntu. CVE-2020-25697 is a non-trivial attack that may not actually be feasible considering the default behaviour for clients is to exit if the connection is lost. (From OE-Core rev: f82c65b3c69738401ecdac354ed65308929cc20f) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit afa2e6c31a79f75ff4113d53f618bbb349cd6c17) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ross Burton
committed by
Richard Purdie
Richard Purdie
parent
d4928afea6
commit
3314a8f59e
@@ -18,6 +18,14 @@ XORG_PN = "xorg-server"
|
||||
SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2"
|
||||
|
||||
CVE_PRODUCT = "xorg-server x_server"
|
||||
# This is specific to Debian's xserver-wrapper.c
|
||||
CVE_CHECK_WHITELIST += "CVE-2011-4613"
|
||||
# As per upstream, exploiting this flaw is non-trivial and it requires exact
|
||||
# timing on the behalf of the attacker. Many graphical applications exit if their
|
||||
# connection to the X server is lost, so a typical desktop session is either
|
||||
# impossible or difficult to exploit. There is currently no upstream patch
|
||||
# available for this flaw.
|
||||
CVE_CHECK_WHITELIST += "CVE-2020-25697"
|
||||
|
||||
S = "${WORKDIR}/${XORG_PN}-${PV}"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user