Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635974 (CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179, CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183)

Summary: <x11-base/xorg-server-1.19.5: Multiple vulnerabilities
Product: Gentoo Security Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: x11
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 633910    

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 01:27:42 UTC
From URL:

One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-
12176 through 2017-12187. C is a terrible language, please stop writing
code in it.

Adam Jackson (2):
      Revert "xf86-video-modesetting: Add ms_queue_vblank helper [v3]"
      xserver 1.19.5

Michal Srb (1):
      os: Make sure big requests have sufficient length.

Nathan Kidd (7):
      Unvalidated lengths
      xfixes: unvalidated lengths (CVE-2017-12183)
      hw/xfree86: unvalidated lengths
      Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
      Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
      dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
      Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 01:29:49 UTC
@Maintainers please let us know when everything is fixed and tree is clean.

Thank you
Comment 2 Matt Turner gentoo-dev 2017-10-31 18:16:06 UTC
Vulnerable versions removed in

commit 67af98328e08ad9e53a857d1b51c9ecea8716ead
Author: Matt Turner <>
Date:   Mon Oct 30 18:44:14 2017 -0700

    x11-base/xorg-server: Drop vulnerable versions
Comment 3 D'juan McDonald (domhnall) 2017-10-31 21:55:51 UTC
@security, please add to CVE.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 23:06:57 UTC
This issue was resolved and addressed in
 GLSA 201711-05 at
by GLSA coordinator Aaron Bauman (b-man).