Bug 466222 (CVE-2013-1940) - <x11-base/xorg-server-{1.9.5-r2,1.10.6-r2,1.11.4-r2,1.12.4-r1,1.13.4} : VT-switched servers receive input from hot-plugged devices (CVE-2013-1940)
Summary: <x11-base/xorg-server-{1.9.5-r2,1.10.6-r2,1.11.4-r2,1.12.4-r1,1.13.4} : VT-sw...
Status: RESOLVED FIXED
Alias: CVE-2013-1940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2013-04-17 11:43 UTC by Alexander Tsoy
Modified: 2014-05-15 12:18 UTC
See Also:
Package list:
Runtime testing required: ---


Description Alexander Tsoy 2013-04-17 11:43:02 UTC
https://bugs.freedesktop.org/show_bug.cgi?id=63353
https://bugzilla.redhat.com/show_bug.cgi?id=950438

"xorg-server-1.13.4 and xorg-server-1.14.1 have been released with the fixes for this issue. No additional stable releases are planned at this point, users relying on 1.12 or earlier servers will have to apply the patch themselves."

Reproducible: Always
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-04-17 22:50:44 UTC
Fixed in:
xorg-server-1.9.5-r2
xorg-server-1.10.6-r2
xorg-server-1.11.4-r2
xorg-server-1.12.4-r1
xorg-server-1.13.4
Comment 2 Agostino Sarubbo gentoo-dev 2013-04-18 08:00:23 UTC
(In reply to comment #1)
> Fixed in:
> xorg-server-1.9.5-r2
> xorg-server-1.10.6-r2
> xorg-server-1.11.4-r2
> xorg-server-1.12.4-r1
> xorg-server-1.13.4

Which version do we need to stabilize?
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-04-19 21:34:12 UTC
Arches, please stabilize the versions mentioned in comment 1.
Comment 4 Agostino Sarubbo gentoo-dev 2013-04-20 21:26:12 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-04-20 21:48:22 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-04-21 13:01:15 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-04-22 08:49:13 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-04-22 09:08:55 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-04-22 10:12:57 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-04-22 10:35:27 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-04-22 10:39:07 UTC
sh stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-04-22 10:41:00 UTC
sparc stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2013-04-22 11:46:47 UTC
Stable for HPPA.
Comment 14 Agostino Sarubbo gentoo-dev 2013-04-22 12:25:46 UTC
alpha stable
Comment 15 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-04-22 12:42:22 UTC
Vulnerable versions have been removed from the tree.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-07-13 15:47:02 UTC
CVE-2013-1940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1940):
  X.Org X server before 1.13.4 and 1.4.x before 1.14.1 does not properly
  restrict access to input events when adding a new hot-plug device, which
  might allow physically proximate attackers to obtain sensitive information,
  as demonstrated by reading passwords from a tty.
Comment 17 Sergey Popov gentoo-dev 2013-11-04 12:00:09 UTC
Thanks everyone. Added to existing GLSA draft
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-05-15 12:18:49 UTC
This issue was resolved and addressed in
GLSA 201405-07 at http://security.gentoo.org/glsa/glsa-201405-07.xml
by GLSA coordinator Mikle Kolyada (Zlogene).