On Thu, Nov 17, 2022 at 12:19 AM Ranjitsinh Rathod <[email protected]> wrote:
> Hi all,
>
> When I see the below link from NVD, latest analysis shows that this CVE is
> not a security bug.
> Link - https://nvd.nist.gov/vuln/detail/CVE-2022-3555
>
> I have a question to all that do we really need to fix this as a security
> issue?

No, I think you may be working from an old CVE report. If you check the
weekly report from Sun 06 Nov 2022 you'll see that the database was updated
and this CVE (and one other) have been removed:

https://lists.openembedded.org/g/openembedded-core/message/172763

> I have also come across some other CVEs for binutils which were rejected by
> NVD. The thing is NVD rejected these CVEs, but it is still showing as
> Unpatched by cve-tool in Yocto.
> https://nvd.nist.gov/vuln/detail/CVE-2022-38126
> https://nvd.nist.gov/vuln/detail/CVE-2022-38127
> https://nvd.nist.gov/vuln/detail/CVE-2022-38128

Same situation here, the database was recently updated and these CVEs
removed. See Sun 13 Nov 2022 report:

https://lists.openembedded.org/g/openembedded-core/message/173190

Steve

> Thanks,
>
> Best Regards,
>
> Ranjitsinh Rathod
> Technical Leader | KPIT Technologies Ltd.
>
> ------------------------------
> From: [email protected] <[email protected]> on behalf of vkumbhar via lists.openembedded.org <[email protected]>
> Sent: Thursday, November 17, 2022 11:55 AM
> To: [email protected] <[email protected]>
> Cc: Vivek Kumbhar <[email protected]>
> Subject: [OE-core][dunfell][PATCH v2] libx11: fix CVE-2022-3555 memory leak in _XFreeX11XCBStructure() of xcb_disp.c
>
> From: Vivek Kumbhar <[email protected]>
>
> Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Flib%2Flibx11%2F-%2Fcommit%2F8a368d808fec166b5fb3dfe6312aab22c7ee20af&data=05%7C01%7Cranjitsinh.rathod%40kpit.com%7C3e0855325f3b4933ce4108dac864a287%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638042631831458383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=unGI59Cc2Rqxlr3JY6eu%2BU72w5p%2FmZOpcn5b7WhNlno%3D&reserved=0]
>
> Signed-off-by: Vivek Kumbhar <[email protected]>
> ---
>  .../xorg-lib/libx11/CVE-2022-3555.patch       | 38 +++++++++++++++++++
>  .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |  1 +
>  2 files changed, 39 insertions(+)
>  create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
>
> diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
> new file mode 100644
> index 0000000000..82309e7f62
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
> @@ -0,0 +1,38 @@ > +From 5f43fbe704d32a6934bb3b3957feb85c20414ad9 Mon Sep 17 00:00:00 2001 > +From: Vivek Kumbhar <[email protected]> > +Date: Thu, 17 Nov 2022 11:33:01 +0530 > +Subject: [PATCH] CVE-2022-3555 > + > +Upstream-Status: Backport [ > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Flib%2Flibx11%2F-%2Fcommit%2F8a368d808fec166b5fb3dfe6312aab22c7ee20af&data=05%7C01%7Cranjitsinh.rathod%40kpit.com%7C3e0855325f3b4933ce4108dac864a287%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638042631831458383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=unGI59Cc2Rqxlr3JY6eu%2BU72w5p%2FmZOpcn5b7WhNlno%3D&reserved=0 > ] > +CVE: CVE-2022-3555 > +Signed-off-by: Vivek Kumbhar <[email protected]> > + > +Fix two memory leaks in _XFreeX11XCBStructure() > + > +Even when XCloseDisplay() was called, some memory was leaked. > + > +XCloseDisplay() calls _XFreeDisplayStructure(), which calls > +_XFreeX11XCBStructure(). > + > +However, _XFreeX11XCBStructure() did not destroy the condition variables, > +resulting in the leaking of some 40 bytes. > +--- > + src/xcb_disp.c | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/src/xcb_disp.c b/src/xcb_disp.c > +index 0fa40de..03fa1e8 100644 > +--- a/src/xcb_disp.c > ++++ b/src/xcb_disp.c > +@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy) > + dpy->xcb->pending_requests = tmp->next; > + free(tmp); > + } > ++ xcondition_clear(dpy->xcb->event_notify); > ++ xcondition_clear(dpy->xcb->reply_notify); > + xcondition_free(dpy->xcb->event_notify); > + xcondition_free(dpy->xcb->reply_notify); > + Xfree(dpy->xcb); > +-- > +2.25.1 > + > diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb > b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb > index 72ab1d4150..ad3fab1204 100644 > --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb > +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb 
> @@ -17,6 +17,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \ > file://CVE-2020-14363.patch \ > file://CVE-2021-31535.patch \ > file://CVE-2022-3554.patch \ > + file://CVE-2022-3555.patch \ > " > > SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2" > -- > 2.25.1
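Review bot: the Upstream-Status line in the added CVE-2022-3555.patch header (hunk @@ -0,0 +1,38 @@) carries an Outlook safelinks redirect (https://apc01.safelinks.protection.outlook.com/?url=...) instead of the upstream commit URL, and as quoted here that is what would land in the recipe's patch file; it should be the plain decoded URL, https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af, so the backport stays traceable without depending on a third-party redirector. The xcb_disp.c change itself is consistent with the description: `xcondition_clear(dpy->xcb->event_notify);` and `xcondition_clear(dpy->xcb->reply_notify);` are inserted ahead of the existing xcondition_free() calls, so each condition variable is destroyed before its storage is released.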
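Review bot: the `CVE: CVE-2022-3555` tag that the libx11_1.6.9.bb hunk (@@ -17,6 +17,7 @@) pulls into the build via `+ file://CVE-2022-3555.patch \` no longer corresponds to an entry cve-check will report, since the reply above notes the database dropped CVE-2022-3555 in the Sun 06 Nov 2022 update; if the backport is still wanted for dunfell as a plain memory-leak fix, the commit message should state that rationale rather than present it as a CVE fix. The SRC_URI entry itself follows the form of the existing `file://CVE-2022-3554.patch \` line.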
View/Reply Online (#173427): https://lists.openembedded.org/g/openembedded-core/message/173427
