[SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
caribou (Debian) | Fix Released | Unknown | |
caribou (Ubuntu) | Fix Released | Medium | Fantu |
Focal | Fix Released | Medium | Steve Beattie |
Groovy | Fix Released | Medium | Steve Beattie |
Hirsute | Fix Released | Medium | Fantu |
Bug Description
[Impact]
There is a regression after solving CVE-2020-25712 (https:/
In cinnamon-
[Test Case]
In cinnamon-
[Where problems could occur]
The following versions of Ubuntu are affected by the security issue caused by the caribou crash:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)
The patch attached in comment #10 (for Focal) has the same changes as 0.4.21-7.1 (Debian unstable, Debian testing and Hirsute), and the same patches are also used in some other distros that already applied the fix faster (as a security issue), and 1 week or more has gone by without regressions so far.
The patch is already tested in Focal and can also be used in Groovy (only changing focal->groovy).
CVE References
description: updated
Changed in caribou (Ubuntu Focal):
assignee: nobody → Joshua Peisach (itzswirlz)
Changed in caribou (Ubuntu Groovy):
assignee: nobody → Joshua Peisach (itzswirlz)
tags: added: patch
Changed in caribou (Ubuntu Focal):
assignee: Joshua Peisach (itzswirlz) → nobody
assignee: nobody → Joshua Peisach (itzswirlz)
Changed in caribou (Ubuntu Focal):
importance: Undecided → Medium
Changed in caribou (Ubuntu Groovy):
importance: Undecided → Medium
Changed in caribou (Ubuntu Hirsute):
importance: Undecided → Medium
tags: added: regression-update, removed: regression
description: updated
summary:
- Segfault with gir1.2-caribou-1.0 keyboard device info regression
+ [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon
Changed in caribou (Ubuntu Hirsute):
assignee: nobody → Fantu (fantonifabio)
Changed in caribou (Debian):
status: Unknown → Fix Released
The main patch has been merged upstream in caribou, but build fails.
https://gitlab.com/linuxmint/pins/mint/caribou/-/commit/72fd18b747aea7bb9cf134dc62f2a85b2b4698dc - a new patch is needed too (in the debdiffs for Focal and Groovy it will be in the same patch), so hopefully that'll get merged and hopefully there will be a release soon.