| Summary: | <x11-base/xorg-server-{1.12.4-r4,1.15.2-r2}: Information leak in the XkbSetGeometry request of X servers (CVE-2015-0255) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Chandler Paul <thatslyude> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | x11 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lists.x.org/archives/xorg/2015-February/057158.html | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 530652 | | |
| Bug Blocks: | | | |

Description
Chandler Paul
2015-02-10 23:19:40 UTC
The two patches mentioned in the e-mail apply perfectly against the latest stable xorg-server ebuild in portage. Running now and there don't seem to be any issues.

*** Bug 539740 has been marked as a duplicate of this bug. ***

xorg-server-1.12.4-r4.ebuild and xorg-server-1.15.2-r2.ebuild have been committed to fix this issue. Stabilization of these will be requested in bug 530652.

CVE-2015-0255 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0255): X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.

Vulnerable versions have been removed from the tree.

Added to existing GLSA request

This issue was resolved and addressed in GLSA 201504-06 at https://security.gentoo.org/glsa/201504-06 by GLSA coordinator Sergey Popov (pinkbyte).