An issue with how X handles the XkbSetGeometry request has been found by our friends at Red Hat; this issue can apparently result in the leaking of information from the X server. More information, and patches, can be found here: http://lists.x.org/archives/xorg/2015-February/057158.html. I haven't tried to apply the patch to Gentoo's latest X server release yet, so I'll try that in just a little bit and let you guys know if it works as-is.
The two patches mentioned in the e-mail apply perfectly against the latest stable xorg-server ebuild in portage. Running now and there don't seem to be any issues.
*** Bug 539740 has been marked as a duplicate of this bug. ***
xorg-server-1.12.4-r4.ebuild and xorg-server-1.15.2-r2.ebuild have been committed to fix this issue. Stabilization of these will be requested in bug 530652.
CVE-2015-0255 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0255): X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.
Vulnerable versions have been removed from the tree.
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201504-06 at https://security.gentoo.org/glsa/201504-06 by GLSA coordinator Sergey Popov (pinkbyte).