| Summary: | <x11-base/xorg-server-1.12.4-r3, <x11-base/xorg-server-1.15.2-r1 multiple vulnerabilities (CVE-2014-{8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8102,8103}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Chí-Thanh Christopher Nguyễn <chithanh> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | ab4bd, alexander, marduk, pacho, x11 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lists.x.org/archives/xorg-announce/2014-December/002500.html | | |
| Whiteboard: | A1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 500372 | | |
| Bug Blocks: | | | |
Description
Chí-Thanh Christopher Nguyễn
*xorg-server-1.16.2.901 (09 Dec 2014)

09 Dec 2014; Rémi Cardona <remi@gentoo.org> +xorg-server-1.16.2.901.ebuild:
Bump to 1.16.2.901 (without Michał's eselect-opengl overhaul).

This fixes all the referenced CVEs in the summary.

(In reply to Rémi Cardona from comment #1)
> *xorg-server-1.16.2.901 (09 Dec 2014)
>
> 09 Dec 2014; Rémi Cardona <remi@gentoo.org> +xorg-server-1.16.2.901.ebuild:
> Bump to 1.16.2.901 (without Michał's eselect-opengl overhaul).
>
> This fixes all the referenced CVEs in the summary.

Hi. I just synced portage and it seems I cannot install this package.

eselect-opengl-1.2.7 is the only visible version of that package (via package.mask). However eselect-opengl-1.2.7 blocks this package:

RDEPEND=">=app-admin/eselect-1.2.4 !<media-libs/mesa-8.0.3-r1 !<x11-proto/glproto-1.4.15-r1 !=media-libs/mesa-10.3.4-r1 !>=media-libs/mesa-10.3.5-r1 !>=x11-proto/glproto-1.4.17-r1 !>=x11-base/xorg-server-1.16.2-r1" <----- here

This is in the ~amd64 branch. I am unsure how to proceed.

(In reply to Albert W. Hopkins from comment #2)
> Hi. I just synced portage and it seems I cannot install this package.
>
> eselect-opengl-1.2.7 is the only visible version of that package (via
> package.mask). However eselect-opengl-1.2.7 blocks this package:

The blocker has been relaxed by Patrick in portage. Sync again, it should work. Sorry for the hasty bump.

CVE-2014-8103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8103): X.Org Server (aka xserver and xorg-server) 1.15.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) sproc_dri3_query_version, (2) sproc_dri3_open, (3) sproc_dri3_pixmap_from_buffer, (4) sproc_dri3_buffer_from_pixmap, (5) sproc_dri3_fence_from_fd, (6) sproc_dri3_fd_from_fence, (7) proc_present_query_capabilities, (8) sproc_present_query_version, (9) sproc_present_pixmap, (10) sproc_present_notify_msc, (11) sproc_present_select_input, or (12) sproc_present_query_capabilities function in the (a) DRI3 or (b) Present extension.

CVE-2014-8102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8102): The SProcXFixesSelectSelectionInput function in the XFixes extension in X.Org X Window System (aka X11 or X) X11R6.8.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length value.

CVE-2014-8101 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8101): The RandR extension in XFree86 4.2.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcRRQueryVersion, (2) SProcRRGetScreenInfo, (3) SProcRRSelectInput, or (4) SProcRRConfigureOutputProperty function.

CVE-2014-8100 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8100): The Render extension in XFree86 4.0.1, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcRenderQueryVersion, (2) SProcRenderQueryVersion, (3) SProcRenderQueryPictFormats, (4) SProcRenderQueryPictIndexValues, (5) SProcRenderCreatePicture, (6) SProcRenderChangePicture, (7) SProcRenderSetPictureClipRectangles, (8) SProcRenderFreePicture, (9) SProcRenderComposite, (10) SProcRenderScale, (11) SProcRenderCreateGlyphSet, (12) SProcRenderReferenceGlyphSet, (13) SProcRenderFreeGlyphSet, (14) SProcRenderFreeGlyphs, or (15) SProcRenderCompositeGlyphs function.

CVE-2014-8099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8099): The XVideo extension in XFree86 4.0.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXvQueryExtension, (2) SProcXvQueryAdaptors, (3) SProcXvQueryEncodings, (4) SProcXvGrabPort, (5) SProcXvUngrabPort, (6) SProcXvPutVideo, (7) SProcXvPutStill, (8) SProcXvGetVideo, (9) SProcXvGetStill, (10) SProcXvPutImage, (11) SProcXvShmPutImage, (12) SProcXvSelectVideoNotify, (13) SProcXvSelectPortNotify, (14) SProcXvStopVideo, (15) SProcXvSetPortAttribute, (16) SProcXvGetPortAttribute, (17) SProcXvQueryBestSize, (18) SProcXvQueryPortAttributes, (19) SProcXvQueryImageAttributes, or (20) SProcXvListImageFormats function.

CVE-2014-8098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8098): The GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) __glXDisp_Render, (2) __glXDisp_RenderLarge, (3) __glXDispSwap_VendorPrivate, (4) __glXDispSwap_VendorPrivateWithReply, (5) set_client_info, (6) __glXDispSwap_SetClientInfoARB, (7) DoSwapInterval, (8) DoGetProgramString, (9) DoGetString, (10) __glXDispSwap_RenderMode, (11) __glXDisp_GetCompressedTexImage, (12) __glXDispSwap_GetCompressedTexImage, (13) __glXDisp_FeedbackBuffer, (14) __glXDispSwap_FeedbackBuffer, (15) __glXDisp_SelectBuffer, (16) __glXDispSwap_SelectBuffer, (17) __glXDisp_Flush, (18) __glXDispSwap_Flush, (19) __glXDisp_Finish, (20) __glXDispSwap_Finish, (21) __glXDisp_ReadPixels, (22) __glXDispSwap_ReadPixels, (23) __glXDisp_GetTexImage, (24) __glXDispSwap_GetTexImage, (25) __glXDisp_GetPolygonStipple, (26) __glXDispSwap_GetPolygonStipple, (27) __glXDisp_GetSeparableFilter, (28) __glXDisp_GetSeparableFilterEXT, (29) __glXDisp_GetConvolutionFilter, (30) __glXDisp_GetConvolutionFilterEXT, (31) __glXDisp_GetHistogram, (32) __glXDisp_GetHistogramEXT, (33) __glXDisp_GetMinmax, (34) __glXDisp_GetMinmaxEXT, (35) __glXDisp_GetColorTable, (36) __glXDisp_GetColorTableSGI, (37) GetSeparableFilter, (38) GetConvolutionFilter, (39) GetHistogram, (40) GetMinmax, or (41) GetColorTable function.

CVE-2014-8097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8097): The DBE extension in X.Org X Window System (aka X11 or X) X11R6.1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcDbeSwapBuffers or (2) SProcDbeSwapBuffers function.

CVE-2014-8096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8096): The SProcXCMiscGetXIDList function in the XC-MISC extension in X.Org X Window System (aka X11 or X) X11R6.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value.

CVE-2014-8095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8095): The XInput extension in X.Org X Window System (aka X11 or X) X11R4 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXChangeDeviceControl, (2) ProcXChangeDeviceControl, (3) ProcXChangeFeedbackControl, (4) ProcXSendExtensionEvent, (5) SProcXIAllowEvents, (6) SProcXIChangeCursor, (7) ProcXIChangeHierarchy, (8) SProcXIGetClientPointer, (9) SProcXIGrabDevice, (10) SProcXIUngrabDevice, (11) ProcXIUngrabDevice, (12) SProcXIPassiveGrabDevice, (13) ProcXIPassiveGrabDevice, (14) SProcXIPassiveUngrabDevice, (15) ProcXIPassiveUngrabDevice, (16) SProcXListDeviceProperties, (17) SProcXDeleteDeviceProperty, (18) SProcXIListProperties, (19) SProcXIDeleteProperty, (20) SProcXIGetProperty, (21) SProcXIQueryDevice, (22) SProcXIQueryPointer, (23) SProcXISelectEvents, (24) SProcXISetClientPointer, (25) SProcXISetFocus, (26) SProcXIGetFocus, or (27) SProcXIWarpPointer function.

CVE-2014-8094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8094): Integer overflow in the ProcDRI2GetBuffers function in the DRI2 extension in X.Org Server (aka xserver and xorg-server) 1.7.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, which triggers an out-of-bounds read or write.

CVE-2014-8093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8093): Multiple integer overflows in the GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) __glXDisp_ReadPixels, (2) __glXDispSwap_ReadPixels, (3) __glXDisp_GetTexImage, (4) __glXDispSwap_GetTexImage, (5) GetSeparableFilter, (6) GetConvolutionFilter, (7) GetHistogram, (8) GetMinmax, (9) GetColorTable, (10) __glXGetAnswerBuffer, (11) __GLX_GET_ANSWER_BUFFER, (12) __glXMap1dReqSize, (13) __glXMap1fReqSize, (14) Map2Size, (15) __glXMap2dReqSize, (16) __glXMap2fReqSize, (17) __glXImageSize, or (18) __glXSeparableFilter2DReqSize function, which triggers an out-of-bounds read or write.

CVE-2014-8092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8092): Multiple integer overflows in X.Org X Window System (aka X11 or X) X11R1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) ProcPutImage, (2) GetHosts, (3) RegionSizeof, or (4) REQUEST_FIXED_SIZE function, which triggers an out-of-bounds read or write.

CVE-2014-8091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8091): X.Org X Window System (aka X11 and X) X11R5 and X.Org Server (aka xserver and xorg-server) before 1.16.3, when using SUN-DES-1 (Secure RPC) authentication credentials, does not check the return value of a malloc call, which allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a crafted connection request.

x11-base/xorg-server-1.12.4-r3 and x11-base/xorg-server-1.15.2-r1 have been committed to the tree.

Arches, please stabilize
x11-base/xorg-server-1.12.4-r3
x11-base/xorg-server-1.15.2-r1

amd64 stable

x86 done.

Stable for HPPA.

sparc stable

ppc64 stable

ppc stable

ia64 stable

arm stable

alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Vulnerable versions >=1.15.0 have been dropped, vulnerable versions before 1.15.0 have been lastrited and package.mask'ed.

In the future please follow the Whiteboard in the GLSA Coordinator Guide, there is a reason for the glsa? It lets security know that action needs to be done. In this case file a GLSA.

New GLSA Request filed.

This issue was resolved and addressed in GLSA 201504-06 at https://security.gentoo.org/glsa/201504-06 by GLSA coordinator Sergey Popov (pinkbyte).
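The integer-overflow class named in CVE-2014-8092 (a padded request-length check such as REQUEST_FIXED_SIZE) can be shown with a simplified model; this is an example added here, not code from the bug report or from xorg-server. The 8-byte header, the function names and the sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed: fixed header size, in bytes, of a hypothetical request. */
#define HDR_BYTES 8u

/*
 * Wrapping check: the request is accepted when header + n payload bytes,
 * padded to 4-byte words, equals the declared length in words. The sum is
 * computed in 32 bits, so a huge client-supplied n wraps to a small value.
 */
static bool length_ok_wrapping(uint32_t req_len_words, uint32_t n)
{
    if ((HDR_BYTES >> 2) > req_len_words)
        return false;
    return ((HDR_BYTES + n + 3u) >> 2) == req_len_words;
}

/*
 * Hardened check: first reject any n that cannot fit in the declared
 * length, then do the padded-size arithmetic in 64 bits so it cannot wrap.
 */
static bool length_ok_checked(uint32_t req_len_words, uint32_t n)
{
    if ((HDR_BYTES >> 2) > req_len_words)
        return false;
    if ((n >> 2) >= req_len_words)
        return false;
    return (((uint64_t)HDR_BYTES + n + 3u) >> 2) == req_len_words;
}

int main(void)
{
    /* Constructed inputs: an honest 8-byte payload, then a wrapping n. */
    const uint32_t honest_n = 8u, huge_n = 0xFFFFFFFDu;

    printf("honest  wrapping=%d checked=%d\n",
           length_ok_wrapping(4u, honest_n), length_ok_checked(4u, honest_n));
    /* 8 + 0xFFFFFFFD + 3 wraps to 8, i.e. 2 words: the request "fits". */
    printf("huge n  wrapping=%d checked=%d\n",
           length_ok_wrapping(2u, huge_n), length_ok_checked(2u, huge_n));
    return 0;
}
```

Once the wrapping check passes, later code that trusts `n` as a byte count reads or writes far past the 8 bytes the client actually sent, which is the out-of-bounds access the CVE text describes.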