Bug#867492: xorg-server: CVE-2017-10971 CVE-2017-10972

[Salvatore Bonaccorso <carnil@debian.org>]

Source: xorg-server
Version: 2:1.16.4-1
Severity: grave
Tags: upstream patch security
Justification: user security hole

Hi,

the following vulnerabilities were published for xorg-server, filling
the bug to track it int the BTS.

CVE-2017-10971[0]:
| In the X.Org X server before 2017-06-19, a user authenticated to an X
| Session could crash or execute code in the context of the X Server by
| exploiting a stack overflow in the endianness conversion of X Events.

CVE-2017-10972[1]:
| Uninitialized data in endianness conversion in the XEvent handling of
| the X.Org X Server before 2017-06-19 allowed authenticated malicious
| users to access potentially privileged data from the X server.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10971
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10971
[1] https://security-tracker.debian.org/tracker/CVE-2017-10972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10972
[2] https://bugzilla.suse.com/show_bug.cgi?id=1035283

Could you please check back with team@s.d.o if those warrant a DSA.

Regards,
Salvatore