Vulnerability roundup 85: libxkbcommon-0.7.2: 8 advisories [7.8]

[ckauhaus]

search, files

• [ ] CVE-2018-15857 CVSSv3=7.8 (nixos-20.03, nixos-unstable)
• [ ] CVE-2018-15853 CVSSv3=5.5 (nixos-20.03, nixos-unstable)
• [ ] CVE-2018-15858 CVSSv3=5.5 (nixos-20.03, nixos-unstable)
• [ ] CVE-2018-15859 CVSSv3=5.5 (nixos-20.03, nixos-unstable)
• [ ] CVE-2018-15861 CVSSv3=5.5 (nixos-20.03, nixos-unstable)
• [ ] CVE-2018-15862 CVSSv3=5.5 (nixos-20.03, nixos-unstable)
• [ ] CVE-2018-15863 CVSSv3=5.5 (nixos-20.03, nixos-unstable)
• [ ] CVE-2018-15864 CVSSv3=5.5 (nixos-20.03, nixos-unstable)

Scanned versions: nixos-20.03: a84b797b28e; nixos-unstable: 22c98819ccd. May contain false positives.

Cc @ttuegel

[ttuegel]

@michalrus @mrVanDalo The only package using the vulnerable version of libxkbcommon is Bitwig Studio. Is there a newer version of this package that would be compatible with newer libxkbcommon?

[mrVanDalo]

I'm updating to 20.09 right now, and libxkbcommon (7.2) is not compiling anymore anyway.

[4/96] Compiling C object libxkbcommon-internal.a.p/meson-generated_parser.c.o
FAILED: libxkbcommon-internal.a.p/meson-generated_parser.c.o 
gcc -Ilibxkbcommon-internal.a.p -I. -I.. -I../src -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -std=c99 -fvisibility=hidden -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wpointer-arith -Wmissing-declarations -Wformat=2 -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Wbad-function-cast -Wshadow -Wlogical-op -Wdate-time -Wwrite-strings -include config.h -fPIC -MD -MQ libxkbcommon-internal.a.p/meson-generated_parser.c.o -MF libxkbcommon-internal.a.p/meson-generated_parser.c.o.d -o libxkbcommon-internal.a.p/meson-generated_parser.c.o -c libxkbcommon-internal.a.p/parser.c
libxkbcommon-internal.a.p/parser.c: In function '_xkbcommon_parse':
libxkbcommon-internal.a.p/parser.c:1631:12: error: 'YYEMPTY' undeclared (first use in this function)
 1631 |   yychar = YYEMPTY; /* Cause a token to be read.  */
      |            ^~~~~~~
libxkbcommon-internal.a.p/parser.c:1631:12: note: each undeclared identifier is reported only once for each function it appears in
libxkbcommon-internal.a.p/parser.c:1751:22: error: 'YYerror' undeclared (first use in this function); did you mean 'perror'?
 1751 |   else if (yychar == YYerror)
      |                      ^~~~~~~
      |                      perror
libxkbcommon-internal.a.p/parser.c:1757:16: error: 'YYUNDEF' undeclared (first use in this function); did you mean 'YYUSE'?
 1757 |       yychar = YYUNDEF;
      |                ^~~~~~~
      |                YYUSE
  GEN      man/base32.1
  GEN      man/basenc.1
  GEN      man/basename.1
  GEN      man/cat.1
[7/96] Compiling C object libxkbcommon-internal.a.p/src_compose_parser.c.o
ninja: build stopped: subcommand failed.

I had no time checking if a newer libxkbcommon library is working, yet.