Date: Sun, 20 May 2018 13:14:18 +0000 (UTC)
From: Niclas Zeising <zeising@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r470453 - head/security/vuxml
Message-ID: <201805201314.w4KDEI39033103@repo.freebsd.org>
Author: zeising
Date: Sun May 20 13:14:18 2018
New Revision: 470453
URL: https://svnweb.freebsd.org/changeset/ports/470453

Log:
  Update VuXML entry for xorg-server issues

  Update VuXML entry for xorg-server issues related to CVE-2017-10971 and
  CVE-2017-10972. The version check was wrong missing the portepoch which
  meant that the entry never matched anything. It was also only added for
  xorg-server 1.19, while we have 1.18 in base.
  Fix formatting and edit the overly long lines.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
============================================================================== --- head/security/vuxml/vuln.xml Sun May 20 13:06:51 2018 (r470452) +++ head/security/vuxml/vuln.xml Sun May 20 13:14:18 2018 (r470453) 
@@ -8529,15 +8529,22 @@ Using a handcrafted message, remote code execution see <affects> <package> <name>xorg-server</name> - <range><le>1.19.3</le></range> + <range><le>1.18.4_6,1</le></range> + <range><ge>1.19.0,1</ge><le>1.19.3,1</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>xorg-server developers reports:</p> <blockquote cite="http://www.securityfocus.com/bid/99546"> - <p>In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.</p> - <p>Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.</p> + <p>In the X.Org X server before 2017-06-19, a user authenticated to + an X Session could crash or execute code in the context of the X + Server by exploiting a stack overflow in the endianness conversion + of X Events.</p> + <p>Uninitialized data in endianness conversion in the XEvent handling + of the X.Org X Server before 2017-06-19 allowed authenticated + malicious users to access potentially privileged data from the X + server.</p> </blockquote> </body> </description> @@ -8556,6 +8563,7 @@ Using a handcrafted message, remote code execution see <dates> <discovery>2017-07-06</discovery> <entry>2017-10-17</entry> + <modified>2018-05-20</modified> </dates> </vuln>
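Review bot: In the first hunk, the new 1.19 upper bound `<le>1.19.3,1</le>` carries no PORTREVISION while the 1.18 bound `<le>1.18.4_6,1</le>` does, so a package at 1.19.3_1,1 or later falls outside the entry. That is correct only if the fix shipped in the first port revision after 1.19.3,1, which the hunk does not show; writing both ranges as `<lt>` of the first fixed version would state the boundary explicitly. Separately, the unchanged context line `<p>xorg-server developers reports:</p>` could be corrected to "report" while the description is being rewrapped, and the blockquote it introduces cites a SecurityFocus BID URL rather than an X.Org source.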
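The mismatch the commit message describes, shown as an added example (not part of the original commit and not pkg's own code): a simplified comparison of FreeBSD package versions that orders by PORTEPOCH first, then the dotted version, then PORTREVISION, run against the old and new `<range>` values from the diff. The parser handles only numeric dotted versions, and the installed versions are constructed samples.

```python
import operator

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}

def parse(version):
    """Split 'version[_revision][,epoch]' into a sortable key.

    Simplification (assumption): numeric dotted components only; the real
    pkg comparison also handles letters and suffixes such as 'pl' or 'rc'.
    """
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    components = tuple(int(part) for part in version.split("."))
    # Epoch dominates: any ',1' version sorts after every version without it.
    return (int(epoch or 0), components, int(revision or 0))

def in_range(installed, bounds):
    """True if the installed version satisfies every bound in one <range>."""
    key = parse(installed)
    return all(OPS[op](key, parse(bound)) for op, bound in bounds.items())

def affected(installed, ranges):
    """True if the installed version falls in any <range> of the entry."""
    return any(in_range(installed, bounds) for bounds in ranges)

# Range values copied from the diff above.
OLD_RANGES = [{"le": "1.19.3"}]
NEW_RANGES = [{"le": "1.18.4_6,1"},
              {"ge": "1.19.0,1", "le": "1.19.3,1"}]

# Constructed installed versions, all carrying the port's epoch ',1'.
SAMPLES = ["1.18.4_6,1", "1.18.4_7,1", "1.19.1,1", "1.19.3,1", "1.19.3_1,1"]

def report():
    """Map each sample to (matched by old entry, matched by new entry)."""
    return {v: (affected(v, OLD_RANGES), affected(v, NEW_RANGES))
            for v in SAMPLES}

if __name__ == "__main__":
    for version, (old, new) in report().items():
        print(f"{version:12} old entry: {old!s:5} new entry: {new}")
```

On a FreeBSD host, `pkg version -t <v1> <v2>` performs the real comparison and `pkg audit` applies the VuXML ranges to installed packages.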