Bug#867492: marked as done (xorg-server: CVE-2017-10971 CVE-2017-10972)

Your message dated Sat, 15 Jul 2017 21:02:18 + with message-id and subject line
Bug#867492: fixed in xorg-server 2:1.19.2-1+deb9u1
has caused the Debian Bug report #867492,
regarding xorg-server: CVE-2017-10971 CVE-2017-10972
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
867492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867492
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: xorg-server
Version: 2:1.16.4-1
Severity: grave
Tags: upstream patch security
Justification: user security hole

Hi,

the following vulnerabilities were published for xorg-server, filing the
bug to track it in the BTS.

CVE-2017-10971[0]:
| In the X.Org X server before 2017-06-19, a user authenticated to an X
| Session could crash or execute code in the context of the X Server by
| exploiting a stack overflow in the endianness conversion of X Events.

CVE-2017-10972[1]:
| Uninitialized data in endianness conversion in the XEvent handling of
| the X.Org X Server before 2017-06-19 allowed authenticated malicious
| users to access potentially privileged data from the X server.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10971
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10971
[1] https://security-tracker.debian.org/tracker/CVE-2017-10972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10972
[2] https://bugzilla.suse.com/show_bug.cgi?id=1035283

Could you please check back with team@s.d.o if those warrant a DSA.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xorg-server
Source-Version: 2:1.19.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Jul 2017 07:09:57 +0200
Source: xorg-server
Binary: xserver-xorg-core xserver-xorg-core-udeb xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-common xorg-server-source xwayland xserver-xorg-legacy
Architecture: source
Version: 2:1.19.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian X Strike Force
Changed-By: Salvatore Bonaccorso
Closes: 867492
Description:
 xdmx       - distributed multihead X server
 xdmx-tools - Distributed Multihead X tools
 xnest      - Nested X server
 xorg-server-source - Xorg X server - source files
 xserver-common - common files used by various X servers
 xserver-xephyr - nested X server
 xserver-xorg-core - Xorg X server - core server
 xserver-xorg-core-udeb - Xorg X server - core server (udeb)
 xserver-xorg-dev - Xorg X server - development files
 xserver-xorg-legacy - setuid root Xorg server wrapper
 xvfb       - Virtual Framebuffer 'fake' X server
 xwayland   - Xwayland X server
Changes:
 xorg-server (2:1.19.2-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-10971: stack buffer overflow in X Event structures handling
     (Closes: #867492)
   * CVE-2017-10972: information leak due to an uninitialized stack area when
     swapping endianness. (Closes: #867492)
Package-Type: udeb
Checksums-Sha1:
 ea4dca71ed8a1884545f5b1731f328849791de18 4998 xorg-server_1.19.2-1+deb9u1.dsc
 3648335593b9d267e44737b89694d38b99e3aee4 8321615 xorg-server_1.19.2.orig.tar.gz
 2c0650cf7a648d1639e0dd2292393c05d92b6a0c 140641 xorg-server_1.19.2-1+deb9u1.diff.gz
Checksums-Sha256:
 ad0d88dc1374aaa736e85b2d1f1495c95d5d8d48ab37ffd9a8e6bd2b80fb16f2 4998 xorg-server_1.19.2-1+deb9u1.dsc
 191d91d02c059c66747635e145c30bc1004e703fe3b74439e26c0d05d5c4d28b 8321615 xorg-server_1.19.2.orig.tar.gz
 0e309c92c661fc7e90beff5da2a9dca418ac6c618f9892f923ca1a237f38d941 140641
Bug#867492: marked as done (xorg-server: CVE-2017-10971 CVE-2017-10972)

Your message dated Fri, 07 Jul 2017 06:04:14 + with message-id and subject line
Bug#867492: fixed in xorg-server 2:1.19.3-2
has caused the Debian Bug report #867492,
regarding xorg-server: CVE-2017-10971 CVE-2017-10972
to be marked as done.

--- Begin Message ---
Source: xorg-server
Source-Version: 2:1.19.3-2

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 07 Jul 2017 07:31:11 +0200
Source: xorg-server
Binary: xserver-xorg-core xserver-xorg-core-udeb xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-common xorg-server-source xwayland xserver-xorg-legacy
Architecture: source
Version: 2:1.19.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian X Strike Force
Changed-By: Julien Cristau
Description:
 xdmx       - distributed multihead X server
 xdmx-tools - Distributed Multihead X tools
 xnest      - Nested X server
 xorg-server-source - Xorg X server - source files
 xserver-common - common files used by various X servers
 xserver-xephyr - nested X server
 xserver-xorg-core - Xorg X server - core server
 xserver-xorg-core-udeb - Xorg X server - core server (udeb)
 xserver-xorg-dev - Xorg X server - development files
 xserver-xorg-legacy - setuid root Xorg server wrapper
 xvfb       - Virtual Framebuffer 'fake' X server
 xwayland   - Xwayland X server
Closes: 867492
Changes:
 xorg-server (2:1.19.3-2) unstable; urgency=high
 .
   * CVE-2017-10972: information leak out of the X server due to an
     uninitialized stack area when swapping:
     - Xi: Zero target buffer in SProcXSendExtensionEvent
   * CVE-2017-10971: stack overflow due to missing GenericEvent handling in
     XSendEvent:
     - dix: Disallow GenericEvent in SendEvent request
     - Xi: Verify all events in ProcXSendExtensionEvent
     - Xi: Do not try to swap GenericEvent
   * With both those fixes, this closes: #867492
Checksums-Sha1:
 7e66cc3ec78d67e7776e44db1505d7f7d90bbeb8 4815 xorg-server_1.19.3-2.dsc
 bc90bf9b9bef5e1583c53dd72fd39f062c5404f7 139662 xorg-server_1.19.3-2.diff.gz
Checksums-Sha256:
 b12e94496dd2cb00d75170be13276dd29361ef8f9dd5f4b918db636476355e63 4815 xorg-server_1.19.3-2.dsc
 743dca1680e454b2e166fdd2a5e36ca09145bbbd939503b791c74914eeb4603f 139662 xorg-server_1.19.3-2.diff.gz
Files:
 9b309c48911de10dab1277c4871e237d 4815 x11 optional
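The changelog above names the two defensive changes behind the fixes: refuse a GenericEvent in a SendEvent-style request, because its length field can describe more data than the fixed 32-byte request body holds (CVE-2017-10971), and zero the swap target buffer before the per-type swap routine fills in only the fields it knows (CVE-2017-10972). The following C model of those checks is an added example, not code from xorg-server or from the Debian patch; the constants are the real X11 values, while `last_event` and the minimal header-only swap routine are stand-ins assumed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Values from X11/X.h and Xproto.h: a wire event is exactly 32 bytes,
 * core event codes run from 2 (KeyPress) to LASTEvent-1, 35 is GenericEvent,
 * and bit 0x80 of the type marks an event that arrived via SendEvent. */
#define X_EVENT_SIZE          32
#define X_Reply               1
#define LASTEvent             36
#define GenericEvent          35
#define EXTENSION_EVENT_BASE  64
#define SEND_EVENT_BIT        0x80
#define Success               0
#define BadValue              2

/* Mirrors the check from "dix: Disallow GenericEvent in SendEvent request":
 * the type must be a core or a registered extension event, and GenericEvent
 * is refused outright because its length field can describe more data than
 * the 32-byte request body carries.  last_event (assumed parameter) stands
 * in for the server's upper bound of registered extension event codes. */
int validate_send_event_type(uint8_t type, unsigned last_event)
{
    type &= (uint8_t) ~SEND_EVENT_BIT;             /* strip the send_event flag */
    int core = type > X_Reply && type < LASTEvent;
    int ext  = type >= EXTENSION_EVENT_BASE && type < last_event;
    if (!(core || ext))
        return BadValue;
    if (type == GenericEvent)                      /* variable length: never swap */
        return BadValue;
    return Success;
}

/* Models the hardened SProcXSendExtensionEvent path: the target buffer is
 * zeroed first, the event type is validated before any swap routine runs,
 * and a constructed swap routine then writes only the common 8-byte header.
 * Bytes it never touches come out as 0 instead of stale stack contents. */
int swap_event_for_send(const uint8_t in[X_EVENT_SIZE],
                        uint8_t out[X_EVENT_SIZE], unsigned last_event)
{
    memset(out, 0, X_EVENT_SIZE);                  /* fix for the info leak */
    int rc = validate_send_event_type(in[0], last_event);
    if (rc != Success)
        return rc;                                 /* fix for the overflow */
    out[0] = in[0];                                /* type   (single byte)   */
    out[1] = in[1];                                /* detail (single byte)   */
    out[2] = in[3];  out[3] = in[2];               /* sequenceNumber, swapped */
    out[4] = in[7];  out[5] = in[6];               /* 32-bit timestamp, swapped */
    out[6] = in[5];  out[7] = in[4];
    return Success;
}
```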