466222 – (CVE-2013-1940) <x11-base/xorg-server-{1.9.5-r2,1.10.6-r2,1.11.4-r2,1.12.4-r1,1.13.4} : VT-switched servers receive input from hot-plugged devices (CVE-2013-1940)

Bug 466222 (CVE-2013-1940) - <x11-base/xorg-server-{1.9.5-r2,1.10.6-r2,1.11.4-r2,1.12.4-r1,1.13.4} : VT-switched servers receive input from hot-plugged devices (CVE-2013-1940)

Summary: <x11-base/xorg-server-{1.9.5-r2,1.10.6-r2,1.11.4-r2,1.12.4-r1,1.13.4} : VT-sw...

Status:	RESOLVED FIXED

Alias:	CVE-2013-1940

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	A4 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-04-17 11:43 UTC by Alexander Tsoy
Modified:	2014-05-15 12:18 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Tsoy 2013-04-17 11:43:02 UTC

https://bugs.freedesktop.org/show_bug.cgi?id=63353
https://bugzilla.redhat.com/show_bug.cgi?id=950438

"xorg-server-1.13.4 and xorg-server-1.14.1 have been released with the fixes for this issue. No additional stable releases are planned at this point, users relying on 1.12 or earlier servers will have to apply the patch themselves."

Reproducible: Always

Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev

2013-04-17 22:50:44 UTC

Fixed in:
xorg-server-1.9.5-r2
xorg-server-1.10.6-r2
xorg-server-1.11.4-r2
xorg-server-1.12.4-r1
xorg-server-1.13.4

Comment 2 Agostino Sarubbo gentoo-dev

2013-04-18 08:00:23 UTC

(In reply to comment #1)
> Fixed in:
> xorg-server-1.9.5-r2
> xorg-server-1.10.6-r2
> xorg-server-1.11.4-r2
> xorg-server-1.12.4-r1
> xorg-server-1.13.4

Which version we need to stabilize?

Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev

2013-04-19 21:34:12 UTC

Arches, please stabilize the versions mentioned in comment 1.

Comment 4 Agostino Sarubbo gentoo-dev

2013-04-20 21:26:12 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2013-04-20 21:48:22 UTC

x86 stable

Comment 6 Agostino Sarubbo gentoo-dev

2013-04-21 13:01:15 UTC

arm stable

Comment 7 Agostino Sarubbo gentoo-dev

2013-04-22 08:49:13 UTC

ia64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2013-04-22 09:08:55 UTC

ppc stable

Comment 9 Agostino Sarubbo gentoo-dev

2013-04-22 10:12:57 UTC

ppc64 stable

Comment 10 Agostino Sarubbo gentoo-dev

2013-04-22 10:35:27 UTC

s390 stable

Comment 11 Agostino Sarubbo gentoo-dev

2013-04-22 10:39:07 UTC

sh stable

Comment 12 Agostino Sarubbo gentoo-dev

2013-04-22 10:41:00 UTC

sparc stable

Comment 13 Jeroen Roovers (RETIRED) gentoo-dev

2013-04-22 11:46:47 UTC

Stable for HPPA.

Comment 14 Agostino Sarubbo gentoo-dev

2013-04-22 12:25:46 UTC

alpha stable

Comment 15 Chí-Thanh Christopher Nguyễn gentoo-dev

2013-04-22 12:42:22 UTC

Vulnerable versions have been removed from the tree.

Comment 16 GLSAMaker/CVETool Bot gentoo-dev

2013-07-13 15:47:02 UTC

CVE-2013-1940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1940):
  X.Org X server before 1.13.4 and 1.4.x before 1.14.1 does not properly
  restrict access to input events when adding a new hot-plug device, which
  might allow physically proximate attackers to obtain sensitive information,
  as demonstrated by reading passwords from a tty.

Comment 17 Sergey Popov (RETIRED) gentoo-dev

2013-11-04 12:00:09 UTC

Thanks everyone. Added to existing GLSA draft

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2014-05-15 12:18:49 UTC

This issue was resolved and addressed in
 GLSA 201405-07 at http://security.gentoo.org/glsa/glsa-201405-07.xml
by GLSA coordinator Mikle Kolyada (Zlogene).