Debian Bug report logs - #673148
CVE-2012-2118
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Wed, 16 May 2012 13:12:02 UTC
Severity: important
Tags: security
Found in version 2:1.9.99.902-1
Fixed in version xorg-server/2:1.12.1.902-1
Done: Cyril Brulebois <kibi@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#673148; Package xorg-server. (Wed, 16 May 2012 13:12:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Wed, 16 May 2012 13:12:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: xorg-server
Severity: important
Tags: security
Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2118 for more
details and links to upstream patches.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#673148; Package xorg-server. (Thu, 17 May 2012 06:03:07 GMT)
Acknowledgement sent to Cyril Brulebois <kibi@debian.org>: Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Thu, 17 May 2012 06:03:07 GMT)
Message #10 received at 673148@bugs.debian.org:
Moritz Muehlenhoff <muehlenhoff@univention.de> (16/05/2012):
> Package: xorg-server
> Severity: important
> Tags: security
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2118
> for more details and links to upstream patches.
ACK. Will probably process this Thursday.
Mraw,
KiBi.
Reply sent to Cyril Brulebois <kibi@debian.org>: You have taken responsibility. (Sun, 20 May 2012 10:12:10 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Sun, 20 May 2012 10:12:14 GMT)
Message #15 received at 673148-close@bugs.debian.org:
Source: xorg-server
Source-Version: 2:1.12.1.902-1
We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive:
xdmx-tools_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xdmx-tools_1.12.1.902-1_amd64.deb
xdmx_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xdmx_1.12.1.902-1_amd64.deb
xnest_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xnest_1.12.1.902-1_amd64.deb
xorg-server_1.12.1.902-1.diff.gz
to main/x/xorg-server/xorg-server_1.12.1.902-1.diff.gz
xorg-server_1.12.1.902-1.dsc
to main/x/xorg-server/xorg-server_1.12.1.902-1.dsc
xorg-server_1.12.1.902.orig.tar.gz
to main/x/xorg-server/xorg-server_1.12.1.902.orig.tar.gz
xserver-common_1.12.1.902-1_all.deb
to main/x/xorg-server/xserver-common_1.12.1.902-1_all.deb
xserver-xephyr_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xserver-xephyr_1.12.1.902-1_amd64.deb
xserver-xfbdev_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xserver-xfbdev_1.12.1.902-1_amd64.deb
xserver-xorg-core-dbg_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xserver-xorg-core-dbg_1.12.1.902-1_amd64.deb
xserver-xorg-core-udeb_1.12.1.902-1_amd64.udeb
to main/x/xorg-server/xserver-xorg-core-udeb_1.12.1.902-1_amd64.udeb
xserver-xorg-core_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xserver-xorg-core_1.12.1.902-1_amd64.deb
xserver-xorg-dev_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xserver-xorg-dev_1.12.1.902-1_amd64.deb
xvfb_1.12.1.902-1_amd64.deb
to main/x/xorg-server/xvfb_1.12.1.902-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 673148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated xorg-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 20 May 2012 10:52:52 +0200
Source: xorg-server
Binary: xserver-xorg-core xserver-xorg-core-udeb xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-xfbdev xserver-xorg-core-dbg xserver-common
Architecture: source all amd64
Version: 2:1.12.1.902-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description:
xdmx - distributed multihead X server
xdmx-tools - Distributed Multihead X tools
xnest - Nested X server
xserver-common - common files used by various X servers
xserver-xephyr - nested X server
xserver-xfbdev - Linux framebuffer device tiny X server
xserver-xorg-core - Xorg X server - core server
xserver-xorg-core-dbg - Xorg - the X.Org X server (debugging symbols)
xserver-xorg-core-udeb - Xorg X server - core server (udeb)
xserver-xorg-dev - Xorg X server - development files
xvfb - Virtual Framebuffer 'fake' X server
Closes: 671812 673148
Changes:
xorg-server (2:1.12.1.902-1) unstable; urgency=medium
.
[ Julien Cristau ]
* xvfb-run: kill Xvfb when the script dies.
* xvfb-run: instead of waiting 3 seconds and hoping that's enough for Xvfb
to come up (and waiting 2.9 seconds too many in the general case), tell it
to send us SIGUSR1 when it's ready to accept connections. This reduces
"xvfb-run -- xterm -e true" from ~3.2s to ~0.4s on a quick test.
* xvfb-run: fix xauth handling; setting XAUTHORITY when starting an X server
isn't actually useful, we need to use the -auth command-line parameter
instead. Somehow this seems to have been broken all these years and
nobody noticed...
.
[ Cyril Brulebois ]
* New upstream release candidate for the 1.12 stable branch:
- Bring the usual lot of stability fixes.
- Fix segfault on server shutdown (Closes: #671812).
- Refactor logging, fixing a format string vulnerability which could lead
to a denial of service (“only”, thanks to the fortified sources). This
is CVE-2012-2118 (Closes: #673148).
* Bump severity to “medium” for those two important fixes.
Package-Type: udeb
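The changelog above describes CVE-2012-2118 as a format string vulnerability in logging that fortified sources reduce to a denial of service. As an added illustration of that bug class (not X.Org or Debian code; `log_hdr_unsafe`, `log_hdr_safe` and `count_directives` are hypothetical names), the vulnerable pattern beside a hardened form:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern (hypothetical logger): the untrusted header text is
 * spliced into the format string, so any '%' directive inside it is
 * interpreted by vsnprintf and consumes arguments that were never passed.
 * With glibc's _FORTIFY_SOURCE=2 a %n directive in a writable format
 * string aborts the process, leaving a crash instead of a memory write. */
int log_hdr_unsafe(char *out, size_t n, const char *hdr, const char *fmt, ...)
{
    char merged[256];
    va_list ap;
    int r;

    snprintf(merged, sizeof merged, "%s: %s", hdr, fmt); /* hdr becomes format */
    va_start(ap, fmt);
    r = vsnprintf(out, n, merged, ap);
    va_end(ap);
    return r;
}

/* HARDENED: expand the trusted format with its own arguments first, then
 * emit the header strictly as data through a constant format string. */
int log_hdr_safe(char *out, size_t n, const char *hdr, const char *fmt, ...)
{
    char body[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);
    va_end(ap);
    return snprintf(out, n, "%s: %s", hdr, body);
}

/* Audit helper: count conversion directives in a string that is about to
 * be used where a format is expected; "%%" is a literal percent sign. */
int count_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}
```
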
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Jun 2012 07:43:16 GMT)
Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Sun, 08 Jul 2012 16:22:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#673148; Package xorg-server. (Mon, 09 Jul 2012 07:57:18 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Mon, 09 Jul 2012 07:57:18 GMT)
Message #24 received at 673148@bugs.debian.org:
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/673148/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#673148; Package xorg-server. (Thu, 12 Jul 2012 10:24:18 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Thu, 12 Jul 2012 10:24:23 GMT)
Message #29 received at 673148@bugs.debian.org:
On Mon, Jul 9, 2012 at 07:23:40 -0000, Jonathan Wiltshire wrote:
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.6) - use target "stable"
>
> Please prepare a minimal-changes upload targetting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
>
NAK, squeeze is not affected.
Cheers,
Julien
Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#673148; Package xorg-server. (Thu, 12 Jul 2012 10:30:04 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Thu, 12 Jul 2012 10:30:07 GMT)
Message #34 received at 673148@bugs.debian.org:
On 2012-07-12 11:21, Julien Cristau wrote:
> On Mon, Jul 9, 2012 at 07:23:40 -0000, Jonathan Wiltshire wrote:
>
>> Dear maintainer,
>>
>> Recently you fixed one or more security problems and as a result you
>> closed
>> this bug. These problems were not serious enough for a Debian
>> Security
>> Advisory, so they are now on my radar for fixing in the following
>> suites
>> through point releases:
>>
>> squeeze (6.0.6) - use target "stable"
>>
>> Please prepare a minimal-changes upload targetting each of these
>> suites,
>> and submit a debdiff to the Release Team [0] for consideration. They
>> will
>> offer additional guidance or instruct you to upload your package.
>>
> NAK, squeeze is not affected.
Thanks, tracking updated.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Marked as found in versions 2:1.9.99.902-1. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 03 Aug 2012 18:33:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Sep 2012 07:28:52 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:33:32 2019;
Machine Name:
beach