Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201704-03 ] X.Org: Multiple vulnerabilities
Date: Mon, 10 Apr 2017 21:42:45
Message-Id: 45c074b5-7f5f-7729-6c0b-be2b8a6a88b9@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201704-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: X.Org: Multiple vulnerabilities
Date: April 10, 2017
Bugs: #596182, #611350, #611352, #611354
ID: 201704-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in X.Org server and
libraries, the worst of which allows local attackers to execute
arbitrary code.
21
Background
==========

X.Org X servers

Affected packages
=================

-------------------------------------------------------------------
     Package                    /   Vulnerable   /   Unaffected
-------------------------------------------------------------------
  1  x11-base/xorg-server           < 1.19.2         >= 1.19.2
  2  x11-libs/libICE                < 1.0.9-r1       >= 1.0.9-r1
  3  x11-libs/libXdmcp              < 1.1.2-r1       >= 1.1.2-r1
  4  x11-libs/libXrender            < 0.9.10         >= 0.9.10
  5  x11-libs/libXi                 < 1.7.7          >= 1.7.7
  6  x11-libs/libXrandr             < 1.5.1          >= 1.5.1
  7  x11-libs/libXfixes             < 5.0.3          >= 5.0.3
  8  x11-libs/libXv                 < 1.0.11         >= 1.0.11
-------------------------------------------------------------------
     8 affected packages

Description
===========

Multiple vulnerabilities have been discovered in X.Org server and
libraries. Please review the CVE identifiers referenced below for
details.
50
Impact
======

Local or remote users can exploit these vulnerabilities to attach to
the X.Org session as a user and execute arbitrary code.
56
Workaround
==========

There is no known workaround at this time.

Resolution
==========

All X.Org-server users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.19.2"

All libICE users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libICE-1.0.9-r1"

All libXdmcp users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXdmcp-1.1.2-r1"

All libXrender users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXrender-0.9.10"

All libXi users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXi-1.7.7"

All libXrandr users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXrandr-1.5.1"

All libXfixes users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXfixes-5.0.3"

All libXv users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXv-1.0.11"
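Before running the upgrades above, an administrator usually wants to know which of the eight packages on a given host are still below the unaffected versions. The script below is an added example, not part of the GLSA or of Gentoo's tooling: it compares a Gentoo-style version (dotted numbers plus an optional -rN revision) against the fixed versions from the table, and, on a Gentoo host, reads installed versions with `portageq best_version` (its output form, category/pkg-version, is an assumption here).

```shell
#!/bin/sh
# Added example (not from the GLSA): check installed versions against the
# unaffected versions of GLSA 201704-03. Handles dotted numeric versions
# with an optional Gentoo -rN revision, e.g. 1.0.9-r1.

# "1.0.9-r1" -> "1 0 9 0 1": four zero-padded dotted components, then revision.
ver_fields() {
    v=${1%%-r*}
    r=${1#"$v"}; r=${r#-r}; [ -n "$r" ] || r=0
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    printf '%s %s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}" "$r"
}

# Exit 0 when version $1 >= version $2; the revision is the least significant field.
ver_ge() {
    set -- $(ver_fields "$1") $(ver_fields "$2")   # $1..$5 vs $6..$10
    i=0
    while [ "$i" -lt 5 ]; do
        [ "$1" -gt "$6" ] && return 0
        [ "$1" -lt "$6" ] && return 1
        shift; i=$((i + 1))                        # $1 and $6 stay paired after shift
    done
    return 0
}

# Unaffected versions exactly as listed in the advisory's table.
GLSA_FIXED='x11-base/xorg-server 1.19.2
x11-libs/libICE 1.0.9-r1
x11-libs/libXdmcp 1.1.2-r1
x11-libs/libXrender 0.9.10
x11-libs/libXi 1.7.7
x11-libs/libXrandr 1.5.1
x11-libs/libXfixes 5.0.3
x11-libs/libXv 1.0.11'

# Prints OK, VULNERABLE or NOT INSTALLED for package $1, installed version $2
# (empty when absent), fixed version $3.
glsa_status() {
    [ -n "$2" ] || { echo "NOT INSTALLED"; return 0; }
    if ver_ge "$2" "$3"; then echo OK; else echo VULNERABLE; fi
}

# Assumption: portageq best_version prints category/pkg-version; empty elsewhere.
installed_version() {
    command -v portageq >/dev/null 2>&1 || return 0
    portageq best_version / "$1" | sed "s|^$1-||"
}

glsa_check_all() {
    printf '%s\n' "$GLSA_FIXED" | while read -r pkg fixed; do
        printf '%-24s %s\n' "$pkg" "$(glsa_status "$pkg" "$(installed_version "$pkg")" "$fixed")"
    done
}
glsa_check_all
```

Any line reported VULNERABLE corresponds to one of the emerge atoms above; NOT INSTALLED lines need no action.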
104
References
==========

[ 1 ] CVE-2016-5407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5407
[ 2 ] CVE-2016-7942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7942
[ 3 ] CVE-2016-7943
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7943
[ 4 ] CVE-2016-7944
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7944
[ 5 ] CVE-2016-7945
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7945
[ 6 ] CVE-2016-7946
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7946
[ 7 ] CVE-2016-7947
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7947
[ 8 ] CVE-2016-7948
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7948
[ 9 ] CVE-2016-7949
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7949
[ 10 ] CVE-2016-7950
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7950
[ 11 ] CVE-2016-7953
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7953
[ 12 ] CVE-2017-2624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2624
[ 13 ] CVE-2017-2625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2625
[ 14 ] CVE-2017-2626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2626

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201704-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
