Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 635974 (CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179, CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183) - <x11-base/xorg-server-1.19.5: Multiple vulnerabilities
Summary: <x11-base/xorg-server-1.19.5: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179, CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://lists.x.org/archives/xorg-ann...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-13721, CVE-2017-13723
  Show dependency tree
 
Reported: 2017-10-31 01:27 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-11-10 23:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 01:27:42 UTC 
From URL:

One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-
12176 through 2017-12187. C is a terrible language, please stop writing
code in it.

Adam Jackson (2):
      Revert "xf86-video-modesetting: Add ms_queue_vblank helper [v3]"
      xserver 1.19.5

Michal Srb (1):
      os: Make sure big requests have sufficient length.

Nathan Kidd (7):
      Unvalidated lengths
      xfixes: unvalidated lengths (CVE-2017-12183)
      hw/xfree86: unvalidated lengths
      Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
      Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
      dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
      Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 01:29:49 UTC 
@Maintainers please let us know when everything is fixed and tree is clean.

Thank you
Comment 2 Matt Turner gentoo-dev 2017-10-31 18:16:06 UTC 
Vulnerable versions removed in

commit 67af98328e08ad9e53a857d1b51c9ecea8716ead
Author: Matt Turner <mattst88@gentoo.org>
Date:   Mon Oct 30 18:44:14 2017 -0700

    x11-base/xorg-server: Drop vulnerable versions
Comment 3 D'juan McDonald (domhnall) 2017-10-31 21:55:51 UTC 
@security, please add to CVE.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 23:06:57 UTC 
This issue was resolved and addressed in
 GLSA 201711-05 at https://security.gentoo.org/glsa/201711-05
by GLSA coordinator Aaron Bauman (b-man).