| Summary: | <x11-base/xorg-server-{1.9.5-r2,1.10.6-r2,1.11.4-r2,1.12.4-r1,1.13.4} : VT-switched servers receive input from hot-plugged devices (CVE-2013-1940) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alexander Tsoy <alexander> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | x11 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Alexander Tsoy
2013-04-17 11:43:02 UTC

Fixed in:
xorg-server-1.9.5-r2
xorg-server-1.10.6-r2
xorg-server-1.11.4-r2
xorg-server-1.12.4-r1
xorg-server-1.13.4

(In reply to comment #1)
> Fixed in:
> xorg-server-1.9.5-r2
> xorg-server-1.10.6-r2
> xorg-server-1.11.4-r2
> xorg-server-1.12.4-r1
> xorg-server-1.13.4

Which version do we need to stabilize?

Arches, please stabilize the versions mentioned in comment 1.

amd64 stable

x86 stable

arm stable

ia64 stable

ppc stable

ppc64 stable

s390 stable

sh stable

sparc stable

Stable for HPPA.

alpha stable

Vulnerable versions have been removed from the tree.

CVE-2013-1940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1940):
X.Org X server before 1.13.4 and 1.4.x before 1.14.1 does not properly restrict access to input events when adding a new hot-plug device, which might allow physically proximate attackers to obtain sensitive information, as demonstrated by reading passwords from a tty.

Thanks everyone.

Added to existing GLSA draft

This issue was resolved and addressed in GLSA 201405-07 at http://security.gentoo.org/glsa/glsa-201405-07.xml by GLSA coordinator Mikle Kolyada (Zlogene).