Date: Thu, 11 Jan 2007 10:56:16 +0300
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Remko Lodder <remko@elvandar.org>
Cc: freebsd-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Recent vulnerabilities in xorg-server
Message-ID: <20070111075616.GB20642@codelabs.ru>
In-Reply-To: <20070111072235.GA79783@elvandar.org>
References: <20070111064156.GM14822@codelabs.ru> <20070111072235.GA79783@elvandar.org>
Remko, good day!

> Thanks for the notification! We are kinda busy at the
> moment, so if you could spare a minute and write a
> VuXML entry (a draft would also suffice), we can
> more easily add it. If you are unable to do so, no
> probs, but it is likely to take a bit longer to
> get the things incorporated.

Attached. The discovery date is given by the date of the original posts in the Securityfocus bugtraq list:

http://www.securityfocus.com/archive/1/456437/30/0/threaded
http://www.securityfocus.com/archive/1/456434/30/0/threaded
http://www.securityfocus.com/archive/1/456434/30/0/threaded

The disclosure timeline is different (the same for all three posts):

-----
VIII. DISCLOSURE TIMELINE
12/04/2006 Initial vendor notification
12/05/2006 Initial vendor response
01/09/2007 Coordinated public disclosure
-----

> Thanks for using FreeBSD and your willingness to improve
> the product! It is being appreciated.
You're welcome ;))
--
Eygene

Content-Type: text/plain; charset=koi8-r
Content-Disposition: attachment; filename="vuxml.log"

<vuln vid="yet-unknown">
  <topic>xorg-server -- multiple vulnerabilities.</topic>
  <affects>
    <package>
      <name>xorg-server</name>
      <range><le>6.9.0_5</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <blockquote cite="http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html">
        <h1>x11r6.9.0-dbe-render.diff</h1>
        <p>CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and ProcRenderAddGlyphs() functions in the X server, implementing requests for the dbe and render extensions, may be used to overwrite data on the stack or in other parts of the X server memory.</p>
        <h1>x11r6.9.0-cidfonts.diff</h1>
        <p>CVE-2006-3739 and CVE-2006-3740: It may be possible for a user with the ability to set the X server font path, by making it point to a malicious font, to cause arbitrary code execution or denial of service on the X server.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <freebsdpr>ports/107733</freebsdpr>
    <cvename>CVE-2006-3739</cvename>
    <cvename>CVE-2006-3740</cvename>
    <cvename>CVE-2006-6101</cvename>
    <cvename>CVE-2006-6102</cvename>
    <cvename>CVE-2006-6103</cvename>
    <url>http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html</url>
  </references>
  <dates>
    <discovery>2007-01-09</discovery>
    <entry>2007-01-11</entry>
  </dates>
</vuln>
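As an added illustration of how the `<affects>` range in a VuXML entry like the attached draft is evaluated (example code written for this page, not part of the post or of FreeBSD's own VuXML tooling): it parses the draft's package and range elements and checks an installed xorg-server version against the `<le>6.9.0_5</le>` bound. The version ordering (epoch after `,`, portrevision after `_`, dotted components) is a simplified form of FreeBSD package version comparison assumed for the example, not a reimplementation of pkg_version(1).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <affects> part of the draft entry attached to the post.
VUXML_DRAFT = """<vuln vid="yet-unknown">
  <topic>xorg-server -- multiple vulnerabilities.</topic>
  <affects>
    <package>
      <name>xorg-server</name>
      <range><le>6.9.0_5</le></range>
    </package>
  </affects>
</vuln>"""

def parse_version(v):
    """Split 'X.Y.Z_portrev,epoch' into (epoch, components, portrev).
    Simplified ordering assumed for this example, not pkg_version(1)."""
    epoch = rev = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = []
    for tok in v.split("."):
        num, suffix = re.match(r"(\d*)(.*)", tok).groups()
        parts.append((int(num or 0), suffix))  # e.g. '1a' -> (1, 'a')
    return (epoch, tuple(parts), rev)

# VuXML bound operators; every bound inside one <range> must hold,
# and any matching <range> of the package makes the version affected.
OPS = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}

def is_affected(xml_text, pkgname, installed):
    """True if some <range> for pkgname in the entry matches installed."""
    iv = parse_version(installed)
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        for rng in pkg.findall("range"):
            bounds = {b.tag: parse_version(b.text.strip()) for b in rng}
            if bounds and all(OPS[op](iv, bv) for op, bv in bounds.items()):
                return True
    return False
```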