Bugzilla – Bug 1035283
VUL-0: CVE-2017-10971 CVE-2017-10972: xorg-x11-server: various overflows in event processor
Last modified: 2018-06-21 21:45:36 UTC
Created attachment 727708 [details]
Patches to fix the issues

The patches I sent to xorg-security@lists.x.org are in the attachment. Projects are prepared with them backported in IBS:

home:michalsrb:branches:bnc1035283:SUSE:SLE-11-SP3:Update/xorg-x11-server
home:michalsrb:branches:bnc1035283:SUSE:SLE-12-SP1:Update/xorg-x11-server
home:michalsrb:branches:bnc1035283:SUSE:SLE-12-SP2:Update/xorg-x11-server
home:michalsrb:branches:bnc1035283:SUSE:SLE-12:Update/xorg-x11-server

The code hasn't changed in a while, so the only backporting necessary was whitespace fixes.
Update from the security mailing list:

Peter Hutterer <peter.hutterer@who-t.net>:
> doh, sorry that one got swamped out. IMO we don't need a CVE here and
> I'm happy to push this directly. I'll let this sit for a few days for
> anyone to convince the list to do the CVE happy dance.
The patches have been (silently) pushed to X server's upstream. So we are free to release the update.
Making bug public. The X team has decided these are not security problems.
(In reply to Marcus Meissner from comment #16)
> making bug public.
>
> the x team has decided these are not security problems.

Do we still consider it a security problem? So now that the submissions are done, should I close the bug or reassign it to the security team?
(In reply to Marcus Meissner from comment #23)
> I requested a CVE (stack overflow) for:
>
> https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455
> https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d
> https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c

CVE-2017-10971.

> And one CVE (information leak) for:
>
> https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced

CVE-2017-10972.
So yes, handling as a security issue. If you can add the CVE ids to Factory, that would be great.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-07-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63759
This is an autogenerated message for OBS integration: This bug (1035283) was mentioned in https://build.opensuse.org/request/show/508731 Factory / xorg-x11-server https://build.opensuse.org/request/show/508736 42.2 / xorg-x11-server
This is an autogenerated message for OBS integration: This bug (1035283) was mentioned in https://build.opensuse.org/request/show/509178 42.3 / xorg-x11-server
This is an autogenerated message for OBS integration: This bug (1035283) was mentioned in https://build.opensuse.org/request/show/509658 42.3 / xorg-x11-server
SUSE-SU-2017:1850-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Server 11-SP4 (src): xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src): xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src): xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xorg-x11-server-7.4-27.121.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xorg-x11-server-7.4-27.121.2
SUSE-SU-2017:1859-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
SUSE OpenStack Cloud 6 (src): xorg-x11-server-7.6_1.15.2-53.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): xorg-x11-server-7.6_1.15.2-53.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): xorg-x11-server-7.6_1.15.2-53.3.1
SUSE-SU-2017:1860-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): xorg-x11-server-7.6_1.18.3-74.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): xorg-x11-server-7.6_1.18.3-74.2
SUSE Linux Enterprise Server 12-SP2 (src): xorg-x11-server-7.6_1.18.3-74.2
SUSE Linux Enterprise Desktop 12-SP2 (src): xorg-x11-server-7.6_1.18.3-74.2
SUSE-SU-2017:1861-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): xorg-x11-server-7.6_1.15.2-30.22.1
SUSE Linux Enterprise Server 12-LTSS (src): xorg-x11-server-7.6_1.15.2-30.22.1
openSUSE-SU-2017:1885-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1025084,1035283
CVE References: CVE-2017-10971,CVE-2017-10972
Sources used:
openSUSE Leap 42.2 (src): xorg-x11-server-7.6_1.18.3-12.20.1
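The advisories above list the fixed source package version per product, so the practical check on a host is whether the installed xorg-x11-server is at or above that version under RPM's version ordering (where, for example, 74.1 < 74.2 and 7.6_1.18.3-12.20.1 is unrelated to the SLE 12 SP2 line). The following is an added example, not code from this bug or from SUSE: it reimplements rpm's rpmvercmp ordering (numeric segments compare by value, alpha segments lexically, digits beat letters, '~' sorts before end of string and '^' after it) and compares an installed NVR against the fixed versions quoted from the advisories. It assumes that the binary package's VERSION-RELEASE matches the listed (src) version, and the product keys used in the table are this example's own labels, not SUSE's.

```python
"""Check an installed xorg-x11-server NVR against the fixed versions from the advisories.

Fixed versions below are copied from the SUSE/openSUSE advisories in this bug;
the product labels (keys) are this example's own shorthand, not official names.
"""

# Fixed (src) versions per product line, as listed in the advisories above.
FIXED = {
    "SLE-11-SP3/SP4": "xorg-x11-server-7.4-27.121.2",
    "SLE-12-LTSS": "xorg-x11-server-7.6_1.15.2-30.22.1",
    "SLE-12-SP1": "xorg-x11-server-7.6_1.15.2-53.3.1",
    "SLE-12-SP2": "xorg-x11-server-7.6_1.18.3-74.2",
    "Leap-42.2": "xorg-x11-server-7.6_1.18.3-12.20.1",
}


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings with rpm's rpmvercmp ordering.

    Returns -1, 0 or 1. Reimplemented here from the documented algorithm;
    it is not a call into librpm.
    """
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators are anything that is not alphanumeric, '~' or '^'.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' (pre-release) sorts before everything, including end of string.
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' (post-release) sorts after end of string but before anything else.
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca or cb:
            if i >= la:
                return -1
            if j >= lb:
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if not (i < la and j < lb):
            break
        # Take a run of digits or a run of letters from both sides, typed by a[i].
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        sa = i
        while i < la and kind(a[i]):
            i += 1
        sb = j
        while j < lb and kind(b[j]):
            j += 1
        sega, segb = a[sa:i], b[sb:j]
        if not segb:
            # Mismatched segment types: numeric beats alpha.
            return 1 if isnum else -1
        if isnum:
            sega, segb = sega.lstrip("0"), segb.lstrip("0")
            if len(sega) != len(segb):
                return 1 if len(sega) > len(segb) else -1
        if sega != segb:
            return 1 if sega > segb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def split_nvr(nvr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two NVRs of the same package: epoch first, then version, then release."""
    na, ea, va, ra = split_nvr(a)
    nb, eb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError(f"package name mismatch: {na} vs {nb}")
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_nvr: str, product: str) -> bool:
    """True if the installed NVR is at or above the advisory's fixed version for that product."""
    return compare_evr(installed_nvr, FIXED[product]) >= 0


if __name__ == "__main__":
    # Feed the output of: rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' xorg-x11-server
    for nvr, product in [("xorg-x11-server-7.6_1.18.3-74.1", "SLE-12-SP2"),
                         ("xorg-x11-server-7.6_1.18.3-74.2", "SLE-12-SP2")]:
        print(nvr, product, "fixed" if is_fixed(nvr, product) else "VULNERABLE")
```

The product line must be chosen by the operator, since the version strings alone do not say which line a package belongs to: the Leap 42.2 build 7.6_1.18.3-12.20.1 compares lower than the SLE 12 SP2 build 7.6_1.18.3-74.2 yet is the fixed package for its own product.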
released