X.Org Server 1.17.1 Released To Fix CVE-2015-0255

Bug #1420643 reported by dino99
Affects: xorg-server (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

The vulnerability addressed by xorg-server 1.17.1 is CVE-2015-0255, which was made public today. The newest X.Org CVE is described as:
Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request.

The issue stems from the server trusting the client to send valid string lengths in the request data. A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs. This data is then available to the client via the XkbGetGeometry request. The data length is at least up to 64k, it is possible to obtain more data by chaining strings, each string length is then determined by whatever happens to be in that 16-bit region of memory.

A similarly crafted request can likely cause the X server to crash.

This issue has been assigned CVE-2015-0255

http://lists.freedesktop.org/archives/xorg/2015-February/057158.html with available patch

Hope vivid will soon get that upgrade, as it still has 1.16.2.901
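
The length check the advisory describes, sketched as an added example (not part of the original report and not the X.Org patch): a counted-string reader that rejects any declared length running past the end of the client's request. The wire layout, function names, status codes and sample requests are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CS_OK = 0, CS_BAD_LENGTH = 1, CS_NO_MEMORY = 2 }; /* example-only codes */
/* Read one counted string (assumed layout: 16-bit little-endian length, then
 * the bytes, padded to a 4-byte boundary). end is one past the last byte the
 * client actually sent; *cursor advances only on success. */
static int read_counted_string(const uint8_t **cursor, const uint8_t *end, char **out)
{
    const uint8_t *p = *cursor;
    size_t remaining = (size_t)(end - p);
    if (remaining < 2) return CS_BAD_LENGTH;      /* no room for the length field */
    size_t len = (size_t)p[0] | ((size_t)p[1] << 8);
    size_t padded = (2 + len + 3) & ~(size_t)3;
    if (padded > remaining) return CS_BAD_LENGTH; /* declared length overruns request */
    char *s = malloc(len + 1);
    if (s == NULL) return CS_NO_MEMORY;
    memcpy(s, p + 2, len);                        /* len bytes lie inside the request */
    s[len] = '\0';
    *out = s;
    *cursor = p + padded;
    return CS_OK;
}

/* Parse `count` consecutive strings; reject the request on the first bad one. */
int parse_strings(const uint8_t *req, size_t req_len, int count)
{
    const uint8_t *cur = req, *end = req + req_len;
    for (int i = 0; i < count; i++) {
        char *s = NULL;
        int rc = read_counted_string(&cur, end, &s);
        if (rc != CS_OK) return rc;
        free(s);
    }
    return CS_OK;
}

/* Constructed sample requests (not captured traffic). */
const uint8_t req_valid[8]    = { 5, 0, 'h', 'e', 'l', 'l', 'o', 0 };
const uint8_t req_oversize[4] = { 0xFF, 0xFF, 'A', 'B' };       /* claims 65535 bytes */
const uint8_t req_chained[8]  = { 2, 0, 'o', 'k', 16, 0, 'x', 'y' }; /* 2nd overruns */
int main(void)
{
    printf("%d %d %d\n", parse_strings(req_valid, sizeof req_valid, 1),
           parse_strings(req_oversize, sizeof req_oversize, 1),
           parse_strings(req_chained, sizeof req_chained, 2));
    return 0;
}
```

Without the two `CS_BAD_LENGTH` checks, the `memcpy` would copy whatever follows the request buffer into the stored string, which is the leak the advisory describes.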

dino99 (9d9)
tags: added: bot-stop-nagging upgrade-software-version vivid
dino99 (9d9)
description: updated
description: updated
dino99 (9d9) wrote :

The canonical-x staging PPA has built it, and the installation/upgrade goes well, but the qxl driver package is removed (ABI issue?)

dino99 (9d9)
affects: xorg (Ubuntu) → xorg-server (Ubuntu)
dino99 (9d9) wrote :

cve fixed

xorg-server (2:1.16.2.901-1ubuntu4) vivid; urgency=medium

  * SECURITY UPDATE: information leak and denial of service in
    XkbSetGeometry
    - debian/patches/CVE-2015-0255.patch: properly check lengths in
      xkb/xkb.c.
    - CVE-2015-0255
  * debian/patches/dix-allow-zero-height-putimage-requests.patch: fix
    regression in CVE-2014-8092 security update by allowing zero-height
    PutImage requests in dix/dispatch.c.
 -- Marc Deslauriers <email address hidden> Tue, 17 Feb 2015 07:56:08 -0500

dino99 (9d9)
Changed in xorg-server (Ubuntu):
status: New → Fix Released