Bug#378464: marked as done (xserver-xorg: CVE-2006-1526)
Your message dated Mon, 14 Aug 2006 12:50:06 +0200
with message-id <20060814105006.GA27580@linuxfr.org>
and subject line xserver-xorg: CVE-2006-1526
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: xserver-xorg
Version: 1:7.0.22
Severity: important
Tags: security patch
Back in May CVE-2006-1526 was reported [1] and fixed [2]. I looked at my
current testing output:
helge@remaxp:/usr/share/doc/xserver-xorg$ Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
Build Operating System:Linux 2.6.16-1-vserver-amd64-k8 x86_64
Current Operating System: Linux remaxp 2.6.14.6-grsec-cz02 #1 Sun Jun 18 09:35:54 CEST 2006 x86_64
Build Date: 16 March 2006
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Module Loader present
and see that my server was built *before* the date of the report. Since I did
not see a bug report [3] on this, nor did I find anything in
/usr/share/doc/xserver-xorg, I report this here to track this for Etch.
Possibly a fix can be taken from the Ubuntu USN[4].
I am not sure about the severity; please coordinate whether an Etch security
update is necessary.
Furthermore I did not see a DSA for Sarge[5]; if Sarge is not vulnerable,
then please remember to update the appropriate list[6] accordingly.
[1] http://lwn.net/Articles/182316/
[2] http://lwn.net/Articles/182310/
[3] http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=xserver-xorg
[4] http://lwn.net/Alerts/182541/
[5] http://www.debian.org/security/nonvulns-sarge
[6] http://www.debian.org/security/2006/
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.6-grsec-cz02
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Versions of packages xserver-xorg depends on:
ii debconf 1.5.2 Debian configuration management sy
ii x11-common 1:7.0.22 X Window System (X.Org) infrastruc
ii xbase-clients 1:7.1.ds-2 miscellaneous X clients
ii xkb-data 0.8-5 X Keyboard Extension (XKB) configu
ii xserver-xorg-core 1:1.0.2-9 X.Org X server -- core server
ii xserver-xorg-input-evdev [xs 1:1.0.0.5-2 X.Org X server -- evdev input driv
ii xserver-xorg-input-kbd [xser 1:1.0.1.3-2 X.Org X server -- keyboard input d
ii xserver-xorg-input-mouse [xs 1:1.0.4-3 X.Org X server -- mouse input driv
ii xserver-xorg-video-ati [xser 1:6.5.8.0-1 X.Org X server -- ATI display driv
ii xserver-xorg-video-dummy [xs 1:0.1.0.5-2 X.Org X server -- dummy display dr
ii xserver-xorg-video-fbdev [xs 1:0.1.0.5-2 X.Org X server -- fbdev display dr
ii xserver-xorg-video-glint [xs 1:1.0.1.3-3 X.Org X server -- Glint display dr
ii xserver-xorg-video-v4l [xser 0.0.1.5-1 X.Org X server -- Video 4 Linux di
ii xserver-xorg-video-vesa [xse 1:1.0.1.3-2 X.Org X server -- VESA display dri
ii xserver-xorg-video-vga [xser 1:4.0.0.5-2 X.Org X server -- VGA display driv
Versions of packages xserver-xorg recommends:
ii discover1 1.7.18 hardware identification system
pn laptop-detect <none> (no description available)
ii mdetect 0.5.2.1 mouse device autodetection tool
pn xresprobe <none> (no description available)
-- debconf-show failed
--
Dr. Helge Kreutzmann debian@helgefjell.de
Dipl.-Phys. http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
Help keep free software "libre": http://www.ffii.de/
--- End Message ---
--- Begin Message ---
[Cc'ing team@security.d.o about the sarge status]
On Sun, Jul 16, 2006 at 04:31:41PM +0200, Helge Kreutzmann wrote:
> Package: xserver-xorg
> Version: 1:7.0.22
> Severity: important
> Tags: security patch
>
> Back in May CVE-2006-1526 was reported [1] and fixed [2]. I looked at my
> current testing output:
> helge@remaxp:/usr/share/doc/xserver-xorg$ Xorg -version
>
> X Window System Version 7.0.0
> Release Date: 21 December 2005
> X Protocol Version 11, Revision 0, Release 7.0
> Build Operating System:Linux 2.6.16-1-vserver-amd64-k8 x86_64
> Current Operating System: Linux remaxp 2.6.14.6-grsec-cz02 #1 Sun Jun 18 09:35:54 CEST 2006 x86_64
> Build Date: 16 March 2006
> Before reporting problems, check http://wiki.x.org
> to make sure that you have the latest version.
> Module Loader present
>
> and see that my server was built *before* the date of the report.
I do not know where this date comes from, but here is the relevant entry
from /usr/share/doc/xserver-xorg-core/changelog.Debian.gz:
xorg-server (1:1.0.2-8) unstable; urgency=low

  * Move xserverrc back to xbase-clients. Thanks Benjamin Mesing.
  * Add 15_security_allocate_local.diff. This fixes Bug fd.o bug #6642.
    Fix buffer overflow in Render. (CVE 2006-1526). Patch by Eric Anholt.

 -- David Nusinow <dnusinow@debian.org>  Tue, 2 May 2006 21:47:17 -0400
Unstable and testing have been fixed.
[...]
> Furthermore I did not see an DSA for Sarge[5], if Sarge is not vulnerable
> then please remember to update the appropriate list[6] accordingly.
I had a look at 4.3.0 sources; routines miTriFan and miTriStrip have a
different algorithm and are not vulnerable in sarge.
Denis
--- End Message ---