SUSE-SU-2014:0744-1: moderate: Security update for xorg-x11-server
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Jun 2 14:07:14 MDT 2014
SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:0744-1
Rating: moderate
References: #813178 #813683 #814653 #816813 #843652 #853846
Cross-References: CVE-2013-1940 CVE-2013-4396 CVE-2013-6424
Affected Products:
SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________
An update that solves three vulnerabilities and has three
fixes is now available.
Description:
This is a SLES 11 SP1 LTSS rollup update for the X.Org Server package.
The following security issues have been fixed:
* CVE-2013-6424: Integer underflow in the xTrapezoidValid macro in
render/picture.h in X.Org allowed context-dependent attackers to
cause a denial of service (crash) via a negative bottom value.
* CVE-2013-4396: Use-after-free vulnerability in the doImageText
function in dix/dixfonts.c in the xorg-server module before 1.14.4
in X.Org X11 allowed remote authenticated users to cause a denial of
service (daemon crash) or possibly execute arbitrary code via a
crafted ImageText request that triggers memory-allocation failure.
* CVE-2013-1940: X.Org X server did not properly restrict access to
input events when adding a new hot-plug device, which might have
allowed physically proximate attackers to obtain sensitive
information, as demonstrated by reading passwords from a tty.
The following non-security issues have been fixed:
* rfbAuthReenable is accessing rfbClient structure that was in most
cases already freed. It actually needs only ScreenPtr, so pass it
directly. (bnc#816813)
* Memory leaks in ARGB cursor handling. (bnc#813178, bnc#813683)
Security Issues:
* CVE-2013-1940
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1940>
* CVE-2013-4396
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396>
* CVE-2013-6424
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6424>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-xorg-x11-Xvnc-9126
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
xorg-x11-Xvnc-7.4-27.40.70.1
xorg-x11-server-7.4-27.40.70.1
xorg-x11-server-extra-7.4-27.40.70.1
References:
http://support.novell.com/security/cve/CVE-2013-1940.html
http://support.novell.com/security/cve/CVE-2013-4396.html
http://support.novell.com/security/cve/CVE-2013-6424.html
https://bugzilla.novell.com/813178
https://bugzilla.novell.com/813683
https://bugzilla.novell.com/814653
https://bugzilla.novell.com/816813
https://bugzilla.novell.com/843652
https://bugzilla.novell.com/853846
http://download.suse.com/patch/finder/?keywords=ba40d48b0976dd6e6e280de949ecbe09
More information about the sle-security-updates
mailing list