| Field | Value |
|---|---|
| Summary | <x11-base/xorg-server-{1.9.5-r3,1.10.6-r3,1.11.4-r3,1.12.4-r2,1.13.4-r1,1.14.3-r2}: Use after free in Xserver handling of ImageText requests (CVE-2013-4396) |
| Product | Gentoo Security |
| Reporter | Chí-Thanh Christopher Nguyễn <chithanh> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | polynomial-c, x11 |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://lists.x.org/archives/xorg-announce/2013-October/002332.html |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=487716 |
| Whiteboard | A3 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description
Chí-Thanh Christopher Nguyễn
2013-10-08 21:57:03 UTC
Fixed in xorg-server-1.9.5-r3 xorg-server-1.10.6-r3 xorg-server-1.11.4-r3 xorg-server-1.12.4-r2 xorg-server-1.13.4-r1 xorg-server-1.14.3-r2

*** Bug 487536 has been marked as a duplicate of this bug. ***

Arches, please stabilize the versions mentioned in comment 1.

For everything prior to 1.14.3 I have dropped HPPA keywording. =x11-base/xorg-server-1.14.3-r2 is stable for HPPA.

amd64 stable

arm stable

alpha stable

ia64 stable

ppc64 stable

x86 stable

ppc and sparc stable

CVE-2013-4396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4396): Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted ImageText request that triggers memory-allocation failure.

Thanks everyone, GLSA request filed

@maintainers: cleanup vulnerable versions, please

Vulnerable versions have been removed from the tree.

This issue was resolved and addressed in GLSA 201405-07 at http://security.gentoo.org/glsa/glsa-201405-07.xml by GLSA coordinator Mikle Kolyada (Zlogene).
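The CVE text above describes a use-after-free that only appears when a memory allocation fails while the server is handling an ImageText request. The following C program is an added illustration of that bug class and is not code from this bug, from Gentoo, or from the xorg-server tree. The shape of the bug (a request handler heap-copies its closure when it has to block on the font, an error path frees that copy, and a shared `bail:` cleanup label then dereferences it), the names `ITclosure`, `do_image_text`, `run_request`, the `q_*` allocator, and the numeric error codes are all assumptions made for the example. The `hardened` flag selects the fixed cleanup path, which points `c` back at the caller's still-live closure before jumping to `bail:`. A fault-injecting, quarantining allocator makes the allocation-failure path reachable on demand and makes the dangling read observable without crashing the process.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Illustrative reconstruction of the bug class behind CVE-2013-4396; not
 * xorg-server code.  Names, struct layout and error codes are assumptions. */

enum { SUCCESS = 0, BAD_ALLOC = 11, ERR_USE_AFTER_FREE = 99 };

/* --- fault-injecting, quarantining allocator (test scaffolding) ----------- */
static int fail_on_alloc;      /* 0 = never fail, n = fail the n-th q_malloc() */
static int alloc_count;
static void *quarantine[64];   /* freed blocks are parked here, never reused */
static int n_quarantined;

static void *q_malloc(size_t n) {
    if (++alloc_count == fail_on_alloc) return NULL;   /* injected failure */
    return malloc(n);
}

static void q_free(void *p) {   /* "free" = quarantine, so a later use is detectable */
    if (p && n_quarantined < 64) quarantine[n_quarantined++] = p;
}

static int q_is_freed(const void *p) {
    for (int i = 0; i < n_quarantined; i++)
        if (quarantine[i] == p) return 1;
    return 0;
}

/* Release the quarantine for real and arm the next injected failure. */
static void q_reset(int fail_at) {
    for (int i = 0; i < n_quarantined; i++) free(quarantine[i]);
    n_quarantined = 0; alloc_count = 0; fail_on_alloc = fail_at;
}

/* --- the request handler --------------------------------------------------- */
typedef struct {
    int n_chars;
    int item_size;
    unsigned char *data;   /* copied request text, owned by the heap copy */
    int slept;             /* 1 once the handler has blocked on the font */
} ITclosure;

/* Stands in for the check a sanitizer would perform before the load at bail:. */
#define CHECK_LIVE(p) do { if (q_is_freed(p)) return ERR_USE_AFTER_FREE; } while (0)

/* oc is the caller-owned closure; text is the request's character data. */
static int do_image_text(ITclosure *oc, const unsigned char *text, int hardened) {
    ITclosure *c = oc;
    int err = SUCCESS;

    if (!c->slept) {
        ITclosure *copy = q_malloc(sizeof *copy);
        if (!copy) { err = BAD_ALLOC; goto bail; }   /* c is still oc: safe */
        *copy = *oc;
        c = copy;
        c->data = q_malloc((size_t)c->n_chars * c->item_size);
        if (!c->data) {
            q_free(c);                 /* the heap copy is gone ...            */
            if (hardened) c = oc;      /* the fix: point back at the live one  */
            err = BAD_ALLOC;
            goto bail;                 /* ... without it, bail: reads freed c  */
        }
        memcpy(c->data, text, (size_t)c->n_chars * c->item_size);
        c->slept = 1;                  /* the real handler would block here    */
    }
 bail:
    CHECK_LIVE(c);
    if (c->slept) { q_free(c->data); q_free(c); }   /* wake and release the copy */
    return err;
}

/* Drive one constructed ImageText-style request with the fail_at-th allocation
 * failing (0 = none).  Returns the handler's result code. */
static int run_request(int fail_at, int hardened) {
    static const unsigned char text[] = "hello";   /* constructed sample text */
    ITclosure oc = { .n_chars = 5, .item_size = 1, .data = NULL, .slept = 0 };
    q_reset(fail_at);
    int rc = do_image_text(&oc, text, hardened);
    q_reset(0);                        /* drain the quarantine, no leaks */
    return rc;
}

int main(void) {
    for (int fail_at = 0; fail_at <= 2; fail_at++)
        printf("fail_at=%d  vulnerable=%d  hardened=%d\n", fail_at,
               run_request(fail_at, 0), run_request(fail_at, 1));
    return 0;
}
```

With no injected failure both variants return `SUCCESS`; when the first allocation (the closure copy) fails both return `BAD_ALLOC` because `c` still points at the caller's closure; when the second allocation (the character data) fails, the vulnerable path reaches `bail:` holding a freed pointer and is flagged as `ERR_USE_AFTER_FREE`, while the hardened path returns a clean `BAD_ALLOC`. Running the same handler under AddressSanitizer with a real malloc failure injected (for example via `LD_PRELOAD` or a wrapped allocator) is the production-grade version of this check.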