
Bug#906012: libxcursor: CVE-2015-9262



On 27/08/18 18:22, Moritz Muehlenhoff wrote:
On Mon, Aug 27, 2018 at 05:40:01PM +0800, Bjoern wrote:
-- Begin Quote: ----------------------
From: Chris Lamb <lamby@debian.org>
To: 906012@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: libxcursor: CVE-2015-9262
Date: Mon, 13 Aug 2018 08:18:27 +0100


Hi security team,

libxcursor: CVE-2015-9262

I have prepared an update for stretch:

   libxcursor (1:1.1.14-1+deb9u2) stretch-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * Fix a denial of service or potentially code execution via
      a one-byte heap overflow. (CVE-2015-9262) (Closes: #906012)

   -- Chris Lamb <lamby@debian.org>  Mon, 13 Aug 2018 09:09:13 +0200


Full debdiff attached. Permission to upload to stretch-security?
-- End Quote: ------------------------

Hi Chris & Security Team:

Has Chris' patch for "Stretch" gone to /dev/null ?

"Stretch"/stable remains exposed whilst old-stable, testing, and unstable
have been patched.

May I seek your enlightenment on this matter?

This turned out to be non-exploitable. A fix will be provided via the
stretch 9.6 point release.

Cheers,
         Moritz

Hi.

As I am clearly unfamiliar with your processes, I really would appreciate the clarification to better my understanding and perhaps quell my concerns:

* How far away is the 9.6 point release (given that 9.5 was released just over 1.5 months ago)?

* Why could the issue not be dealt with by simply supplying the fix in the nearer term as a security update? Would it not be better to err on the side of caution?

* I still would like to be pointed to the reference(s) and/or criteria used by the Security Team to determine that the issue is non-exploitable and a minor issue. I have searched around to find references regarding CVE-2015-9262 being non-exploitable, but have so far not found anything suggesting such - hence my request for a pointer.

I ask your forgiveness for my persistence on this matter and beg that you don't dismiss me out of hand. What may very well be clear to you - unfortunately is not currently clear to me, or perhaps other potential future contributors to the Debian project I might add.

I notice that a similar protocol of "ignored security issue"/"minor issue" is applied to the recent security bug raised against libx11.

I really would welcome constructive feedback here.

Kindest regards,
Bjoern.
