Bug 1035283 (CVE-2017-10971)

Summary: VUL-0: CVE-2017-10971 CVE-2017-10972: xorg-x11-server: various overflows in event processor
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: meissner, mmarek, patrik.jakobsson
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:oes11-sp2:63768 CVSSv3:RedHat:CVE-2017-10971:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-10972:4.7:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) CVSSv2:NVD:CVE-2017-10972:4.0:(AV:N/AC:L/Au:S/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-10971:6.5:(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Patches to fix the issues

Comment 9 Michal Srb 2017-06-05 15:02:05 UTC
Created attachment 727708 [details]
Patches to fix the issues

The patches I sent to xorg-security@lists.x.org are in the attachment.

Projects are prepared with them backported in IBS:
home:michalsrb:branches:bnc1035283:SUSE:SLE-11-SP3:Update/xorg-x11-server
home:michalsrb:branches:bnc1035283:SUSE:SLE-12-SP1:Update/xorg-x11-server
home:michalsrb:branches:bnc1035283:SUSE:SLE-12-SP2:Update/xorg-x11-server
home:michalsrb:branches:bnc1035283:SUSE:SLE-12:Update/xorg-x11-server

The code didn't change in a while, so only backporting necessary were whitespace fixes.
Comment 13 Michal Srb 2017-06-12 11:43:04 UTC
Update from the security mailing list:

Peter Hutterer <peter.hutterer@who-t.net>:
> doh, sorry that one got swamped out. IMO we don't need a CVE here and 
> I'm happy to push this directly. I'll let this sit for a few days for 
> anyone to convince the list to do the CVE happy dance.
Comment 14 Michal Srb 2017-06-23 13:25:46 UTC
The patches have been (silently) pushed to X server's upstream. So we are free to release the update.
Comment 16 Marcus Meissner 2017-06-27 15:43:40 UTC
making bug public.

the x team has decided these are not security problems.
Comment 18 Michal Srb 2017-07-03 11:50:13 UTC
(In reply to Marcus Meissner from comment #16)
> making bug public.
> 
> the x team has decided these are not security problems.

Do we still consider it a security problem? So now when the submissions are done, should I close the bug or reassign to security team?
Comment 24 Marcus Meissner 2017-07-06 11:02:38 UTC
(In reply to Marcus Meissner from comment #23)
> I requested a CVE (stack overflow) for:
> 
> https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=ba336b24052122b136486961c82deac76bbde455
> https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d
> https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=215f894965df5fb0bb45b107d84524e700d2073c

CVE-2017-10971.

> And one CVE (information leak) for:
> 
> https://cgit.freedesktop.org/xorg/xserver/commit/
> ?id=05442de962d3dc624f79fc1a00eca3ffc5489ced

CVE-2017-10972.
Comment 25 Marcus Meissner 2017-07-06 12:17:07 UTC
so yes .. handling as security issue. if you can add the CVE ids to factory that would be great.
Comment 27 Swamp Workflow Management 2017-07-07 04:59:18 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-07-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63759
Comment 29 Bernhard Wiedemann 2017-07-07 10:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (1035283) was mentioned in
https://build.opensuse.org/request/show/508731 Factory / xorg-x11-server
https://build.opensuse.org/request/show/508736 42.2 / xorg-x11-server
Comment 30 Bernhard Wiedemann 2017-07-10 14:00:30 UTC
This is an autogenerated message for OBS integration:
This bug (1035283) was mentioned in
https://build.opensuse.org/request/show/509178 42.3 / xorg-x11-server
Comment 36 Bernhard Wiedemann 2017-07-12 10:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (1035283) was mentioned in
https://build.opensuse.org/request/show/509658 42.3 / xorg-x11-server
Comment 37 Swamp Workflow Management 2017-07-12 19:12:05 UTC
SUSE-SU-2017:1850-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.121.2
Comment 39 Swamp Workflow Management 2017-07-14 13:10:21 UTC
SUSE-SU-2017:1859-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
SUSE OpenStack Cloud 6 (src):    xorg-x11-server-7.6_1.15.2-53.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xorg-x11-server-7.6_1.15.2-53.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xorg-x11-server-7.6_1.15.2-53.3.1
Comment 40 Swamp Workflow Management 2017-07-14 13:10:51 UTC
SUSE-SU-2017:1860-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-74.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-74.2
SUSE Linux Enterprise Server 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-74.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-74.2
Comment 41 Swamp Workflow Management 2017-07-14 13:11:14 UTC
SUSE-SU-2017:1861-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xorg-x11-server-7.6_1.15.2-30.22.1
SUSE Linux Enterprise Server 12-LTSS (src):    xorg-x11-server-7.6_1.15.2-30.22.1
Comment 42 Swamp Workflow Management 2017-07-15 13:09:34 UTC
openSUSE-SU-2017:1885-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1025084,1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
openSUSE Leap 42.2 (src):    xorg-x11-server-7.6_1.18.3-12.20.1
Comment 44 Marcus Meissner 2017-10-25 19:40:36 UTC
released