Date: Fri, 26 Oct 2018 09:05:36 +0200
From: Niclas Zeising <zeising@freebsd.org>
To: Pete Wright <pete@nomadlogic.org>, Gladiola <gladiola@protonmail.com>, x11 <x11@freebsd.org>
Subject: Re: Check your xorg version number.
Message-ID: <cc0286ce-93da-b834-d31b-eac91733e145@freebsd.org>
In-Reply-To: <d8853953-2c4e-bc3c-6f70-a126906acaef@nomadlogic.org>
References: <tkKSQm498efG8O5w78ERg822u4apuOmH2uHejnLalnre_pUgfCF3UTZJk0FSyz4TBbqH-6JLFz2iFnbdHmYD1V8_wYhRKVKilJ7J4owVhC0=@protonmail.com> <d8853953-2c4e-bc3c-6f70-a126906acaef@nomadlogic.org>

On 10/26/18 5:47 AM, Pete Wright wrote:
>
> On 10/25/18 7:19 PM, Gladiola via freebsd-x11 wrote:
>> Maintainers:
>>
>> https://twitter.com/hackerfantastic/status/1055555359060807680?s=19
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2018-14685
>
> that CVE entry seems to correspond to a PHP issue unless i'm missing
> something.
>
> perhaps this is what you are referring to:
> https://lists.x.org/archives/xorg-announce/2018-October/002927.html
>
> yea this is really not a good thing, although i believe we are
> accidentally OK since we are not running xorg-1.19.x yet in the ports tree:
>
> "Privilege escalation and file overwrite in X.Org X server 1.19 and later"
>
> regardless of that line I believe others on this list are looking
> closely into this regardless.
>

Hi!
The FreeBSD Xorg X server is not vulnerable. We are running a version
from before the code in question was introduced. I did a simple test and
was not able to exploit it (the exploit is fairly easy to set up).

More information and a PoC can be found here, so that you can test for
yourselves.
https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html

Regards
--
Niclas Zeising
FreeBSD X11/Graphics team