xorg-server: CVE-2015-3164: unauthorised local client access in XWayland

Related Vulnerabilities: CVE-2015-3164  

Debian Bug report logs - #788410


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 11 Jun 2015 05:45:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version xorg-server/2:1.16.4-1

Fixed in version xorg-server/2:1.17.2-1

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#788410; Package src:xorg-server. (Thu, 11 Jun 2015 05:45:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Thu, 11 Jun 2015 05:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xorg-server: CVE-2015-3164: unauthorised local client access in XWayland
Date: Thu, 11 Jun 2015 07:43:13 +0200
Source: xorg-server
Version: 2:1.16.4-1
Severity: grave
Tags: security upstream fixed-upstream

Hi Debian X Strike Force,

the following vulnerability was published for xorg-server. Note, I am not
sure about the severity here, so please feel free to downgrade to a lesser
severity if you disagree.

CVE-2015-3164[0]:
Unauthorised local client access in XWayland

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3164
[1] http://lists.freedesktop.org/archives/wayland-devel/2015-June/022548.html

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#788410; Package src:xorg-server. (Sun, 14 Jun 2015 02:15:12 GMT)


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sun, 14 Jun 2015 02:15:12 GMT)


Message #10 received at 788410@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 788410@bugs.debian.org
Subject: Re: Bug#788410: xorg-server: CVE-2015-3164: unauthorised local client access in XWayland
Date: Sun, 14 Jun 2015 12:11:56 +1000
Control: severity -1 important

On Thu, Jun 11, 2015 at 07:43:13 +0200, Salvatore Bonaccorso wrote:

> Source: xorg-server
> Version: 2:1.16.4-1
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi Debian X Strike Force,
> 
> the following vulnerability was published for xorg-server. Note, I am not
> sure about the severity here, so please feel free to downgrade to a lesser
> severity if you disagree.
> 
As this only affects Xwayland I think important is good enough.

Cheers,
Julien

Severity set to 'important' from 'grave'. Request was from Julien Cristau <jcristau@debian.org> to 788410-submit@bugs.debian.org. (Sun, 14 Jun 2015 02:15:12 GMT)


Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Wed, 01 Jul 2015 17:09:31 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 01 Jul 2015 17:09:31 GMT)


Message #17 received at 788410-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 788410-close@bugs.debian.org
Subject: Bug#788410: fixed in xorg-server 2:1.17.2-1
Date: Wed, 01 Jul 2015 17:04:31 +0000
Source: xorg-server
Source-Version: 2:1.17.2-1

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 788410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Jul 2015 18:07:40 +0200
Source: xorg-server
Binary: xserver-xorg-core xserver-xorg-core-udeb xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-xorg-core-dbg xserver-common xorg-server-source xwayland
Architecture: source all
Version: 2:1.17.2-1
Distribution: sid
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
 xdmx       - distributed multihead X server
 xdmx-tools - Distributed Multihead X tools
 xnest      - Nested X server
 xorg-server-source - Xorg X server - source files
 xserver-common - common files used by various X servers
 xserver-xephyr - nested X server
 xserver-xorg-core - Xorg X server - core server
 xserver-xorg-core-dbg - Xorg - the X.Org X server (debugging symbols)
 xserver-xorg-core-udeb - Xorg X server - core server (udeb)
 xserver-xorg-dev - Xorg X server - development files
 xvfb       - Virtual Framebuffer 'fake' X server
 xwayland   - Xwayland X server
Closes: 775205 778187 784687 785474 787144 788410 789646 789823
Changes:
 xorg-server (2:1.17.2-1) unstable; urgency=medium
 .
   [ Sven Joachim ]
   * New upstream release.
     + symbols: Fix sdksyms.sh to cope with gcc5 (Closes: #778187)
     + os/access: fix regression in server interpreted auth (Closes: #784687)
     + dix: Fix image byte order on big endian hardware (Closes: #785474)
     + int10: Fix error check for pci_device_map_legacy (Closes: #787144)
     + modesetting: Include dix-config.h from dumb_bo.c (Closes: #789823)
     + unauthorised local client access in XWayland [CVE-2015-3164]
       (Closes: #788410)
   * Install the modesetting.4 manpage into xserver-xorg-core (Closes: #789646)
   * Build xserver-xorg-core-udeb on all architectures again (Closes: #775205)
   * Update debian/upstream/signing-key.asc.
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Aug 2015 07:25:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:24:12 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.