
Bug#867492: marked as done (xorg-server: CVE-2017-10971 CVE-2017-10972)



Your message dated Sat, 15 Jul 2017 21:02:18 +0000
with message-id <E1dWUCg-0001ws-TD@fasolo.debian.org>
and subject line Bug#867492: fixed in xorg-server 2:1.19.2-1+deb9u1
has caused the Debian Bug report #867492,
regarding xorg-server: CVE-2017-10971 CVE-2017-10972
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
867492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867492
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: xorg-server
Version: 2:1.16.4-1
Severity: grave
Tags: upstream patch security
Justification: user security hole

Hi,

the following vulnerabilities were published for xorg-server, filing
the bug to track it in the BTS.

CVE-2017-10971[0]:
| In the X.Org X server before 2017-06-19, a user authenticated to an X
| Session could crash or execute code in the context of the X Server by
| exploiting a stack overflow in the endianness conversion of X Events.

CVE-2017-10972[1]:
| Uninitialized data in endianness conversion in the XEvent handling of
| the X.Org X Server before 2017-06-19 allowed authenticated malicious
| users to access potentially privileged data from the X server.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10971
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10971
[1] https://security-tracker.debian.org/tracker/CVE-2017-10972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10972
[2] https://bugzilla.suse.com/show_bug.cgi?id=1035283

Could you please check back with team@s.d.o if those warrant a DSA.

Regards,
Salvatore

--- End Message ---
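The two defect classes named in the report above, a stack overflow while byte-swapping events and uninitialized stack data reaching a client, both come down to the same discipline in an endianness-conversion routine: validate the event count against the destination buffer before any write, and write every byte of the output. The following C program is an added illustration of that discipline; it is not code from this bug report or from xorg-server. The event layout, MAX_SWAP_EVENTS, swap_event and swap_events_checked are hypothetical simplifications; only the 32-byte size of a wire event is taken from the X protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* X11 wire events are fixed 32-byte records (X protocol fact). */
#define XEVENT_SIZE 32
/* Hypothetical capacity of the stack buffer a request handler swaps into. */
#define MAX_SWAP_EVENTS 16

/* Simplified, hypothetical event layout for this example; real X events
 * differ per event type. */
struct demo_event {
    uint8_t  type;
    uint8_t  detail;
    uint16_t sequence;
    uint32_t time;
    uint32_t window;
    uint8_t  pad[20];   /* type-specific fields, not interpreted here */
};
_Static_assert(sizeof(struct demo_event) == XEVENT_SIZE, "event must be 32 bytes");

static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }
static uint32_t bswap32(uint32_t v)
{
    return (v << 24) | ((v & 0x0000ff00u) << 8) | ((v & 0x00ff0000u) >> 8) | (v >> 24);
}

/* Convert one event between byte orders. Every byte of *dst is written: the
 * record is zeroed first, so fields the swap does not cover cannot carry
 * stale stack contents back to a client (the uninitialized-data class of
 * CVE-2017-10972). */
void swap_event(const struct demo_event *src, struct demo_event *dst)
{
    memset(dst, 0, sizeof *dst);
    dst->type = src->type;
    dst->detail = src->detail;
    dst->sequence = bswap16(src->sequence);
    dst->time = bswap32(src->time);
    dst->window = bswap32(src->window);
}

/* Swap n client-supplied events into a caller-provided buffer of out_cap
 * entries. The count is checked against the buffer before any write, so an
 * oversized request is rejected instead of overrunning the stack (the
 * overflow class of CVE-2017-10971). Returns the number of events swapped,
 * or -1 on rejection. */
int swap_events_checked(const uint8_t *wire, size_t n,
                        struct demo_event *out, size_t out_cap)
{
    if (n > out_cap)
        return -1;
    for (size_t i = 0; i < n; i++) {
        struct demo_event in;
        memcpy(&in, wire + i * XEVENT_SIZE, XEVENT_SIZE);
        swap_event(&in, &out[i]);
    }
    return (int)n;
}

/* Constructed sample: swap one event twice and confirm the round trip is the
 * identity on the swapped fields and that no pad byte survives the swap.
 * Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void)
{
    struct demo_event src, once, twice;
    memset(&src, 0xAA, sizeof src);   /* constructed input: every byte nonzero */
    src.type = 2; src.detail = 7; src.sequence = 0x1234;
    src.time = 0x11223344u; src.window = 0x00c0ffeeu;
    swap_event(&src, &once);
    swap_event(&once, &twice);
    if (twice.sequence != src.sequence || twice.time != src.time ||
        twice.window != src.window || twice.type != src.type)
        return 0;
    for (size_t i = 0; i < sizeof once.pad; i++)
        if (once.pad[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t wire[XEVENT_SIZE * (MAX_SWAP_EVENTS + 1)];
    struct demo_event buf[MAX_SWAP_EVENTS];
    memset(wire, 0x5c, sizeof wire);  /* constructed client data */
    printf("in-bounds request: %d events swapped\n",
           swap_events_checked(wire, MAX_SWAP_EVENTS, buf, MAX_SWAP_EVENTS));
    printf("oversized request: %d (rejected)\n",
           swap_events_checked(wire, MAX_SWAP_EVENTS + 1, buf, MAX_SWAP_EVENTS));
    printf("round trip ok: %d\n", demo_roundtrip());
    return 0;
}
```

The count check sits before the loop rather than inside it so that a rejected request performs no partial write, and the memset in swap_event is what makes the output independent of whatever the stack held before the call.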
--- Begin Message ---
Source: xorg-server
Source-Version: 2:1.19.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Jul 2017 07:09:57 +0200
Source: xorg-server
Binary: xserver-xorg-core xserver-xorg-core-udeb xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-common xorg-server-source xwayland xserver-xorg-legacy
Architecture: source
Version: 2:1.19.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 867492
Description: 
 xdmx       - distributed multihead X server
 xdmx-tools - Distributed Multihead X tools
 xnest      - Nested X server
 xorg-server-source - Xorg X server - source files
 xserver-common - common files used by various X servers
 xserver-xephyr - nested X server
 xserver-xorg-core - Xorg X server - core server
 xserver-xorg-core-udeb - Xorg X server - core server (udeb)
 xserver-xorg-dev - Xorg X server - development files
 xserver-xorg-legacy - setuid root Xorg server wrapper
 xvfb       - Virtual Framebuffer 'fake' X server
 xwayland   - Xwayland X server
Changes:
 xorg-server (2:1.19.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-10971: stack buffer overflow in X Event structures handling
     (Closes: #867492)
   * CVE-2017-10972: information leak due to an uninitialized stack area when
     swapping endianness.
     (Closes: #867492)
Package-Type: udeb
Checksums-Sha1: 
 ea4dca71ed8a1884545f5b1731f328849791de18 4998 xorg-server_1.19.2-1+deb9u1.dsc
 3648335593b9d267e44737b89694d38b99e3aee4 8321615 xorg-server_1.19.2.orig.tar.gz
 2c0650cf7a648d1639e0dd2292393c05d92b6a0c 140641 xorg-server_1.19.2-1+deb9u1.diff.gz
Checksums-Sha256: 
 ad0d88dc1374aaa736e85b2d1f1495c95d5d8d48ab37ffd9a8e6bd2b80fb16f2 4998 xorg-server_1.19.2-1+deb9u1.dsc
 191d91d02c059c66747635e145c30bc1004e703fe3b74439e26c0d05d5c4d28b 8321615 xorg-server_1.19.2.orig.tar.gz
 0e309c92c661fc7e90beff5da2a9dca418ac6c618f9892f923ca1a237f38d941 140641 xorg-server_1.19.2-1+deb9u1.diff.gz
Files: 
 cee7d7b9295a67b197cd1f8ee9886ece 4998 x11 optional xorg-server_1.19.2-1+deb9u1.dsc
 dfa411de6ce6fe35128d3b2e06941135 8321615 x11 optional xorg-server_1.19.2.orig.tar.gz
 3fdaa3df20863f0181682f35b00417c2 140641 x11 optional xorg-server_1.19.2-1+deb9u1.diff.gz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
