1. Forum
  2. Usenet
  3. LINUX.DEBIAN.MAINT.X

  • Bug#867492: xorg-server: CVE-2017-10971 CVE-2017-10972

    From Salvatore Bonaccorso@21:1/5 to All on Thu Jul 6 23:50:02 2017
    XPost: linux.debian.bugs.dist

    Source: xorg-server
    Version: 2:1.16.4-1
    Severity: grave
    Tags: upstream patch security
    Justification: user security hole

    Hi,

    the following vulnerabilities were published for xorg-server, filling
    the bug to track it int the BTS.

    CVE-2017-10971[0]:
    | In the X.Org X server before 2017-06-19, a user authenticated to an X
    | Session could crash or execute code in the context of the X Server by
    | exploiting a stack overflow in the endianness conversion of X Events.

    CVE-2017-10972[1]:
    | Uninitialized data in endianness conversion in the XEvent handling of
    | the X.Org X Server before 2017-06-19 allowed authenticated malicious
    | users to access potentially privileged data from the X server.

    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2017-10971
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10971
    [1] https://security-tracker.debian.org/tracker/CVE-2017-10972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10972
    [2] https://bugzilla.suse.com/show_bug.cgi?id=1035283

    Could you please check back with team@s.d.o if those warrant a DSA.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)