From e03384682242c27b149197f42738ab0ce35cff00 Mon Sep 17 00:00:00 2001
From: Niclas Zeising
Date: Sun, 20 May 2018 13:14:18 +0000
Subject: Update VuXML entry for xorg-server issues

Update VuXML entry for xorg-server issues related to CVE-2017-10971 and CVE-2017-10972.

The version check was wrong, missing the portepoch, which meant that the entry never matched anything. It was also only added for xorg-server 1.19, while we have 1.18 in base.

Fix formatting and edit the overly long lines.
---
 security/vuxml/vuln.xml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 6cfa612fec1b..dc322328db50 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -8529,15 +8529,22 @@ Using a handcrafted message, remote code execution seems to be possible.

xorg-server - 1.19.3 + 1.18.4_6,1 + 1.19.0,11.19.3,1

xorg-server developers reports:

-

In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.

-

Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.

+

In the X.Org X server before 2017-06-19, a user authenticated to + an X Session could crash or execute code in the context of the X + Server by exploiting a stack overflow in the endianness conversion + of X Events.

+

Uninitialized data in endianness conversion in the XEvent handling + of the X.Org X Server before 2017-06-19 allowed authenticated + malicious users to access potentially privileged data from the X + server.

@@ -8556,6 +8563,7 @@ Using a handcrafted message, remote code execution seems to be possible.

2017-07-06 2017-10-17 + 2018-05-20 -- cgit v1.2.3
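
Review bot: the new lower-branch bound `1.18.4_6,1` in the version-range lines of the first hunk is not justified anywhere in the patch or the commit message, which says only that 1.18 was missing and not which port revision picked up the fixes for CVE-2017-10971 and CVE-2017-10972. Please name the commit that patched the 1.18 port so the bound can be checked, because a bound that is one PORTREVISION off either flags a fixed package or misses a vulnerable one. Since this change already reflows the description text, the unchanged context line "xorg-server developers reports:" could be corrected to "report" in the same pass.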