diff options
authorRoss Burton <>2022-01-10 12:19:32 +0000
committerRichard Purdie <>2022-01-25 12:07:01 +0000
commit3314a8f59ec5ae4d4637eefc96bedc7b57a55eb7 (patch)
parentd4928afea65c3e171821e002e9b4ca96114965d2 (diff)
xserver-xorg: whitelist two CVEs
CVE-2011-4613 is specific to Debian/Ubuntu. CVE-2020-25697 is a non-trivial attack that may not actually be feasible considering the default behaviour for clients is to exit if the connection is lost. (From OE-Core rev: f82c65b3c69738401ecdac354ed65308929cc20f) Signed-off-by: Ross Burton <> Signed-off-by: Richard Purdie <> (cherry picked from commit afa2e6c31a79f75ff4113d53f618bbb349cd6c17) Signed-off-by: Anuj Mittal <> Signed-off-by: Richard Purdie <>
1 files changed, 8 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/ b/meta/recipes-graphics/xorg-xserver/
index 497515a04a..d83cb94317 100644
--- a/meta/recipes-graphics/xorg-xserver/
+++ b/meta/recipes-graphics/xorg-xserver/
@@ -18,6 +18,14 @@ XORG_PN = "xorg-server"
SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2"
CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
S = "${WORKDIR}/${XORG_PN}-${PV}"