[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#906012: libxcursor: CVE-2015-9262

On Mon, Aug 27, 2018 at 05:40:01PM +0800, Bjoern wrote:
> -- Begin Quote: ----------------------
> From: Chris Lamb <lamby@debian.org>
> To: 906012@bugs.debian.org
> Cc: team@security.debian.org
> Subject: Re: libxcursor: CVE-2015-9262
> Date: Mon, 13 Aug 2018 08:18:27 +0100
> 
> [Message part 1 (text/plain, inline)]
> 
> Hi security team,
> 
> > libxcursor: CVE-2015-9262
> 
> I have prepared an update for stretch:
> 
>   libxcursor (1:1.1.14-1+deb9u2) stretch-security; urgency=high
> 
>    * Non-maintainer upload by the Security Team.
>    * Fix a denial of service or potentially code execution via
>      a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)
> 
>   -- Chris Lamb <lamby@debian.org>  Mon, 13 Aug 2018 09:09:13 +0200
> 
> 
> Full debdiff attached. Permission to upload to stretch-security?
> -- End Quote: ------------------------
> 
> Hi Chris & Security Team:
> 
> Has Chris' patch for "Stretch" gone to /dev/null ?
> 
> "Stretch"/stable remains exposed whilst old-stable, testing, and unstable
> have been patched.
> 
> May I seek your enlightenment on this matter?

This turned out to be non-exploitable. A fix will be provided via the
stretch 9.6 point release.

Cheers,
        Moritz
Reply to: