Backport 0.8.2 for a CVE update
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libxkbcommon (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Bionic |
Won't Fix
|
Undecided
|
Timo Aaltonen | ||
Bug Description
[Impact]
0.8.2 has completed the fuzzing work started in 0.8.1, so backport the package from cosmic to fix these CVE's:
CVE-2018-15853 CVE-2018-15854 CVE-2018-15855 CVE-2018-15856
CVE-2018-15857 CVE-2018-15858 CVE-2018-15859 CVE-2018-15861
CVE-2018-15862 CVE-2018-15863 CVE-2018-15864.
upstream NEWS:
libxkbcommon 0.8.2 - 2018-08-05
==================
- Fix various problems found with fuzzing (see commit messages for
more details):
- Fix a few NULL-dereferences, out-of-bounds access and undefined behavior
in the XKB text format parser.
libxkbcommon 0.8.1 - 2018-08-03
==================
- Fix various problems found in the meson build (see commit messages for more
details):
- Fix compilation on Darwin.
- Fix compilation of the x11 tests and demos when XCB is installed in a
non-standard location.
- Fix xkbcommon-x11.pc missing the Requires specification.
- Fix various problems found with fuzzing and Coverity (see commit messages for
more details):
- Fix stack overflow in the XKB text format parser when evaluating boolean
negation.
- Fix NULL-dereferences in the XKB text format parser when some unsupported
tokens appear (the tokens are still parsed for backward compatibility).
- Fix NULL-dereference in the XKB text format parser when parsing an
xkb_geometry section.
- Fix an infinite loop in the Compose text format parser on some inputs.
- Fix an invalid free() when using multiple keysyms.
- Replace the Unicode characters for the leftanglebracket and rightanglebracket
keysyms from the deprecated LEFT/RIGHT-POINTING ANGLE BRACKET to
MATHEMATICAL LEFT/RIGHT ANGLE BRACKET.
- Reject out-of-range Unicode codepoints in xkb_keysym_to_utf8 and
xkb_keysym_
[Test case]
install the update, check that nothing breaks wrt keyboard handling
[Regression potential]
slim, this has been in cosmic for some time already, and upstream specifically asked to backport this to stable releases
There are some other changes to the packaging, but these are harmless and won't regress anything.
CVE References
| Changed in libxkbcommon (Ubuntu): | |
| status: | New → Fix Released |
| Changed in libxkbcommon (Ubuntu Bionic): | |
| assignee: | nobody → Timo Aaltonen (tjaalton) |
| status: | New → In Progress |
| description: | updated |
| Leonidas S. Barbosa (leosilvab) wrote | #1 |
| Robie Basak (racb) wrote | #2 |
| Timo Aaltonen (tjaalton) wrote | #3 |
| Leonidas S. Barbosa (leosilvab) wrote | #4 |
| Timo Aaltonen (tjaalton) wrote | #5 |
| Robie Basak (racb) wrote Proposed package upload rejected | #6 |
| Timo Aaltonen (tjaalton) wrote | #7 |
| Sebastien Bacher (seb128) wrote | #8 |
| Changed in libxkbcommon (Ubuntu Bionic): | |
| status: | In Progress → Fix Released |
| Timo Aaltonen (tjaalton) wrote | #9 |
| Changed in libxkbcommon (Ubuntu Bionic): | |
| status: | Fix Released → Won't Fix |
Hi Timo,
Are you planning to update only for bionic or will you do this also for trusty and xenial?
Asking that because I was/am planning to put that update in my stack for xenial and trusty.
[]'s