SUSE-SU-2014:0744-1: moderate: Security update for xorg-x11-server

sle-security-updates at sle-security-updates at
Mon Jun 2 14:07:14 MDT 2014

   SUSE Security Update: Security update for xorg-x11-server

Announcement ID:    SUSE-SU-2014:0744-1
Rating:             moderate
References:         #813178 #813683 #814653 #816813 #843652 #853846 
Cross-References:   CVE-2013-1940 CVE-2013-4396 CVE-2013-6424
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS

   An update that solves three vulnerabilities and has three
   fixes is now available.


   This is a SLES 11 SP1 LTSS rollup update for the X.Org Server package.

   The following security issues have been fixed:

       * CVE-2013-6424: Integer underflow in the xTrapezoidValid macro in
         render/picture.h in X.Org allowed context-dependent attackers to
         cause a denial of service (crash) via a negative bottom value.
       * CVE-2013-4396: Use-after-free vulnerability in the doImageText
         function in dix/dixfonts.c in the xorg-server module before 1.14.4
         in X.Org X11 allowed remote authenticated users to cause a denial of
         service (daemon crash) or possibly execute arbitrary code via a
         crafted ImageText request that triggers memory-allocation failure.
       * CVE-2013-1940: X.Org X server did not properly restrict access to
         input events when adding a new hot-plug device, which might have
         allowed physically proximate attackers to obtain sensitive
         information, as demonstrated by reading passwords from a tty.

   The following non-security issues have been fixed:

       * rfbAuthReenable is accessing rfbClient structure that was in most
         cases already freed. It actually needs only ScreenPtr, so pass it
         directly. (bnc#816813)
       * Memory leaks in ARGB cursor handling. (bnc#813178, bnc#813683)

   Security Issues:

       * CVE-2013-1940
       * CVE-2013-4396
       * CVE-2013-6424

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-xorg-x11-Xvnc-9126

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):



More information about the sle-security-updates mailing list