LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Ubuntu alert USN-1232-2 (xorg-server)



From:
    	      Marc Deslauriers <marc.deslauriers@canonical.com> 


To:
    	      ubuntu-security-announce@lists.ubuntu.com 


Subject:
    	      [USN-1232-2] X.Org X server regression 


Date:
    	      Wed, 19 Oct 2011 17:13:40 -0400


Message-ID:
    	      <1319058820.12439.4.camel@mdlinux>


Archive-link:
    	      Article, Thread
              


==========================================================================
Ubuntu Security Notice USN-1232-2
October 19, 2011

xorg-server regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

USN-1232-1 caused a regression with GLX support.

Software Description:
- xorg-server: X.Org X server

Details:

USN-1232-1 fixed vulnerabilities in the X.Org X server. A regression was
found on Ubuntu 10.04 LTS that affected GLX support.

This update temporarily disables the fix for CVE-2010-4818 that introduced
the regression.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that the X server incorrectly handled certain malformed
 input. An authorized attacker could exploit this to cause the X server to
 crash, leading to a denial or service, or possibly execute arbitrary code
 with root privileges. This issue only affected Ubuntu 10.04 LTS and 10.10.
 (CVE-2010-4818)
 
 It was discovered that the X server incorrectly handled certain malformed
 input. An authorized attacker could exploit this to cause the X server to
 crash, leading to a denial or service, or possibly read arbitrary data from
 the X server process. This issue only affected Ubuntu 10.04 LTS.
 (CVE-2010-4819)
 
 Vladz discovered that the X server incorrectly handled lock files. A local
 attacker could use this flaw to determine if a file existed or not.
 (CVE-2011-4028)
 
 Vladz discovered that the X server incorrectly handled setting lock file
 permissions. A local attacker could use this flaw to gain read permissions
 on arbitrary files and view sensitive information. (CVE-2011-4029)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
  xserver-xorg-core               2:1.7.6-2ubuntu7.9

After a standard system update you need to restart your session to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1232-2
  http://www.ubuntu.com/usn/usn-1232-1
  https://launchpad.net/bugs/877905

Package Information:
  https://launchpad.net/ubuntu/+source/xorg-server/2:1.7.6-...


-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds