Security update for xorg-x11-server SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2823-1 Final 1 1 2017-10-20T17:47:28Z current 2017-10-20T17:47:28Z 2017-10-20T17:47:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xorg-x11-server This update for xorg-x11-server fixes the following vulnerabilities: * CVE-2017-12176: Unvalidated extra length in ProcEstablishConnection (bsc#1063041) * CVE-2017-12177: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (bsc#1063040) * CVE-2017-12178: Xi: fix wrong extra length check in ProcXIChangeHierarchy (bsc#1063039) * CVE-2017-12179: Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer (bsc#1063038) * CVE-2017-12180,CVE-2017-12181,CVE-2017-12182: Unvalidated lengths in XFree86-VidMode/XFree86-DGA/XFree86-DRI extension (bsc#1063037) * CVE-2017-12183: Unvalidated lengths in XFIXES extension (bsc#1063035) * CVE-2017-12184,CVE-2017-12185,CVE-2017-12186,CVE-2017-12187: Unvalidated lengths in multiple extensions (bsc#1063034) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html E-Mail link for openSUSE-SU-2017:2823-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 xorg-x11-server-7.6_1.18.3-28.1 xorg-x11-server-extra-7.6_1.18.3-28.1 xorg-x11-server-sdk-7.6_1.18.3-28.1 xorg-x11-server-source-7.6_1.18.3-28.1 xorg-x11-server-7.6_1.18.3-28.1 as a component of openSUSE Leap 42.2 xorg-x11-server-extra-7.6_1.18.3-28.1 as a component of openSUSE Leap 42.2 xorg-x11-server-sdk-7.6_1.18.3-28.1 as a component of openSUSE Leap 42.2 xorg-x11-server-source-7.6_1.18.3-28.1 as a component of openSUSE Leap 42.2 xorg-x11-server-7.6_1.18.3-28.1 as a component of openSUSE Leap 42.3 xorg-x11-server-extra-7.6_1.18.3-28.1 as a component of openSUSE Leap 42.3 xorg-x11-server-sdk-7.6_1.18.3-28.1 as a component of openSUSE Leap 42.3 xorg-x11-server-source-7.6_1.18.3-28.1 as a component of openSUSE Leap 42.3 xorg-x11-server before 1.19.5 was missing extra length validation in ProcEstablishConnection function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12176 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12176.html CVE-2017-12176 https://bugzilla.suse.com/1063041 SUSE Bug 1063041 xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12177 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12177.html CVE-2017-12177 https://bugzilla.suse.com/1063040 SUSE Bug 1063040 xorg-x11-server before 1.19.5 had wrong extra length check in ProcXIChangeHierarchy function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12178 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12178.html CVE-2017-12178 https://bugzilla.suse.com/1063039 SUSE Bug 1063039 xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S)ProcXIBarrierReleasePointer functions allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12179 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12179.html CVE-2017-12179 https://bugzilla.suse.com/1063038 SUSE Bug 1063038 xorg-x11-server before 1.19.5 was missing length validation in XFree86 VidModeExtension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12180 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12180.html CVE-2017-12180 https://bugzilla.suse.com/1063037 SUSE Bug 1063037 xorg-x11-server before 1.19.5 was missing length validation in XFree86 DGA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12181 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12181.html CVE-2017-12181 https://bugzilla.suse.com/1063037 SUSE Bug 1063037 xorg-x11-server before 1.19.5 was missing length validation in XFree86 DRI extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12182 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12182.html CVE-2017-12182 https://bugzilla.suse.com/1063037 SUSE Bug 1063037 xorg-x11-server before 1.19.5 was missing length validation in XFIXES extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12183 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12183.html CVE-2017-12183 https://bugzilla.suse.com/1063035 SUSE Bug 1063035 xorg-x11-server before 1.19.5 was missing length validation in XINERAMA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12184 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12184.html CVE-2017-12184 https://bugzilla.suse.com/1063034 SUSE Bug 1063034 xorg-x11-server before 1.19.5 was missing length validation in MIT-SCREEN-SAVER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12185 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12185.html CVE-2017-12185 https://bugzilla.suse.com/1063034 SUSE Bug 1063034 xorg-x11-server before 1.19.5 was missing length validation in X-Resource extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12186 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12186.html CVE-2017-12186 https://bugzilla.suse.com/1063034 SUSE Bug 1063034 xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. CVE-2017-12187 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-extra-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-sdk-7.6_1.18.3-28.1 openSUSE Leap 42.3:xorg-x11-server-source-7.6_1.18.3-28.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00074.html https://www.suse.com/security/cve/CVE-2017-12187.html CVE-2017-12187 https://bugzilla.suse.com/1063034 SUSE Bug 1063034