xserver-xorg: CVE-2006-1526


Debian Bug report logs - #378464


Reported by: Helge Kreutzmann <debian@helgefjell.de>

Date: Sun, 16 Jul 2006 14:48:26 UTC

Severity: important

Tags: patch, security

Found in version xorg/1:7.0.22

Done: Denis Barbier <barbier@linuxfr.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#378464; Package xserver-xorg.


Acknowledgement sent to Helge Kreutzmann <debian@helgefjell.de>:
New Bug report received and forwarded. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Helge Kreutzmann <debian@helgefjell.de>
To: submit@bugs.debian.org
Subject: xserver-xorg: CVE-2006-1526
Date: Sun, 16 Jul 2006 16:31:41 +0200
Package: xserver-xorg
Version: 1:7.0.22
Severity: important
Tags: security patch

Back in May CVE-2006-1526 was reported [1] and fixed [2]. I looked at my
current testing output:
helge@remaxp:/usr/share/doc/xserver-xorg$ Xorg -version

X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
Build Operating System:Linux 2.6.16-1-vserver-amd64-k8 x86_64
Current Operating System: Linux remaxp 2.6.14.6-grsec-cz02 #1 Sun Jun 18 09:35:54 CEST 2006 x86_64
Build Date: 16 March 2006
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Module Loader present

and see that my server was built *before* the date of the report. Since I did
not see a bug report [3] on this nor did I find anything in 
/usr/share/doc/xserver-xorg, I report this here to track this for Etch.

Possibly a fix can be taken from the Ubuntu USN[4].

I am not sure about the severity, please coordinate if an update Etch
security is necessary. 

Furthermore I did not see a DSA for Sarge[5], if Sarge is not vulnerable
then please remember to update the appropriate list[6] accordingly.

[1] http://lwn.net/Articles/182316/
[2] http://lwn.net/Articles/182310/
[3] http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=xserver-xorg
[4] http://lwn.net/Alerts/182541/
[5] http://www.debian.org/security/nonvulns-sarge
[6] http://www.debian.org/security/2006/

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.6-grsec-cz02
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages xserver-xorg depends on:
ii  debconf                      1.5.2       Debian configuration management sy
ii  x11-common                   1:7.0.22    X Window System (X.Org) infrastruc
ii  xbase-clients                1:7.1.ds-2  miscellaneous X clients
ii  xkb-data                     0.8-5       X Keyboard Extension (XKB) configu
ii  xserver-xorg-core            1:1.0.2-9   X.Org X server -- core server
ii  xserver-xorg-input-evdev [xs 1:1.0.0.5-2 X.Org X server -- evdev input driv
ii  xserver-xorg-input-kbd [xser 1:1.0.1.3-2 X.Org X server -- keyboard input d
ii  xserver-xorg-input-mouse [xs 1:1.0.4-3   X.Org X server -- mouse input driv
ii  xserver-xorg-video-ati [xser 1:6.5.8.0-1 X.Org X server -- ATI display driv
ii  xserver-xorg-video-dummy [xs 1:0.1.0.5-2 X.Org X server -- dummy display dr
ii  xserver-xorg-video-fbdev [xs 1:0.1.0.5-2 X.Org X server -- fbdev display dr
ii  xserver-xorg-video-glint [xs 1:1.0.1.3-3 X.Org X server -- Glint display dr
ii  xserver-xorg-video-v4l [xser 0.0.1.5-1   X.Org X server -- Video 4 Linux di
ii  xserver-xorg-video-vesa [xse 1:1.0.1.3-2 X.Org X server -- VESA display dri
ii  xserver-xorg-video-vga [xser 1:4.0.0.5-2 X.Org X server -- VGA display driv

Versions of packages xserver-xorg recommends:
ii  discover1                     1.7.18     hardware identification system
pn  laptop-detect                 <none>     (no description available)
ii  mdetect                       0.5.2.1    mouse device autodetection tool
pn  xresprobe                     <none>     (no description available)

-- debconf-show failed
-- 
      Dr. Helge Kreutzmann                     debian@helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/



Reply sent to Denis Barbier <barbier@linuxfr.org>:
You have taken responsibility.


Notification sent to Helge Kreutzmann <debian@helgefjell.de>:
Bug acknowledged by developer.


Message #10 received at 378464-done@bugs.debian.org:

From: Denis Barbier <barbier@linuxfr.org>
To: Helge Kreutzmann <debian@helgefjell.de>, 378464-done@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: xserver-xorg: CVE-2006-1526
Date: Mon, 14 Aug 2006 12:50:06 +0200
[Cc'ing team@security.d.o about the sarge status]

On Sun, Jul 16, 2006 at 04:31:41PM +0200, Helge Kreutzmann wrote:
> Package: xserver-xorg
> Version: 1:7.0.22
> Severity: important
> Tags: security patch
> 
> Back in May CVE-2006-1526 was reported [1] and fixed [2]. I looked at my
> current testing output:
> helge@remaxp:/usr/share/doc/xserver-xorg$ Xorg -version
> 
> X Window System Version 7.0.0
> Release Date: 21 December 2005
> X Protocol Version 11, Revision 0, Release 7.0
> Build Operating System:Linux 2.6.16-1-vserver-amd64-k8 x86_64
> Current Operating System: Linux remaxp 2.6.14.6-grsec-cz02 #1 Sun Jun 18 09:35:54 CEST 2006 x86_64
> Build Date: 16 March 2006
>         Before reporting problems, check http://wiki.x.org
>         to make sure that you have the latest version.
> Module Loader present
> 
> and see that my server was built *before* the date of the report.

I do not know where this date comes from, but here is the relevant entry
from /usr/share/doc/xserver-xorg-core/changelog.Debian.gz:

  xorg-server (1:1.0.2-8) unstable; urgency=low

    * Move xserverrc back to xbase-clients. Thanks Benjamin Mesing.
    * Add 15_security_allocate_local.diff. This fixes Bug fd.o bug #6642.
      Fix buffer overflow in Render.  (CVE 2006-1526). Patch by Eric Anholt.

   -- David Nusinow <dnusinow@debian.org>  Tue,  2 May 2006 21:47:17 -0400

Unstable and testing have been fixed.

[...]
> Furthermore I did not see a DSA for Sarge[5], if Sarge is not vulnerable
> then please remember to update the appropriate list[6] accordingly.

I had a look at 4.3.0 sources; routines miTriFan and miTriStrip have a
different algorithm and are not vulnerable in sarge.

Denis
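The practical lesson of this exchange is that the X server's "Build Date" says nothing about whether a Debian security fix is present; the package version and its changelog.Debian.gz do. As an added example (not from the bug log or from Debian's own tooling), the Python below re-implements dpkg's version ordering and scans a changelog for the CVE id, accepting the "CVE 2006-1526" spelling used in the 1:1.0.2-8 entry. The changelog text is constructed from the entry quoted above and trimmed to its CVE bullet.

```python
import re

def _order(c):
    # dpkg character weights: digits 0, letters by code point, '~' sorts below even end-of-string
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256 if c else 0

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (per character) and numeric runs (as integers)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # slice yields '' once past the end
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def deb_version_cmp(a, b):
    """<0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then Debian revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def fixed_version_from_changelog(changelog, cve):
    """Version of the oldest stanza mentioning the CVE, whether written 'CVE-2006-1526' or 'CVE 2006-1526'."""
    stanza = re.compile(r"^\S+ \((\S+)\) \S+; urgency=")
    mention = re.compile(cve.replace("-", "[- ]"), re.I)
    found = current = None
    for line in changelog.splitlines():
        m = stanza.match(line)
        if m:
            current = m.group(1)
        elif current and mention.search(line):
            found = current  # stanzas are newest-first, so the last hit is the one that introduced the fix
    return found

def is_fixed(installed, changelog, cve):
    fixed = fixed_version_from_changelog(changelog, cve)
    return fixed is not None and deb_version_cmp(installed, fixed) >= 0

# Constructed sample: the 1:1.0.2-8 stanza quoted in the bug log, trimmed to its CVE bullet
CHANGELOG = ("xorg-server (1:1.0.2-8) unstable; urgency=low\n\n"
             "  * Add 15_security_allocate_local.diff. Fix buffer overflow in Render.  (CVE 2006-1526).\n\n"
             " -- David Nusinow <dnusinow@debian.org>  Tue,  2 May 2006 21:47:17 -0400\n")
```

With the reporter's installed xserver-xorg-core 1:1.0.2-9, `is_fixed("1:1.0.2-9", CHANGELOG, "CVE-2006-1526")` returns True; a sarge version such as 4.3.0.dfsg.1-14sarge1 sorts below because of the epoch, which is why the sarge question has to be answered from the source as Denis did rather than from version ordering.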



Message #11 received at 378464-done@bugs.debian.org:

From: Helge Kreutzmann <debian@helgefjell.de>
To: Denis Barbier <barbier@linuxfr.org>
Cc: 378464-done@bugs.debian.org, team@security.debian.org
Subject: Re: xserver-xorg: CVE-2006-1526
Date: Mon, 14 Aug 2006 15:49:16 +0200
Hello Denis,
On Mon, Aug 14, 2006 at 12:50:06PM +0200, Denis Barbier wrote:
> On Sun, Jul 16, 2006 at 04:31:41PM +0200, Helge Kreutzmann wrote:
> > X Window System Version 7.0.0
> > Release Date: 21 December 2005
> > X Protocol Version 11, Revision 0, Release 7.0
> > Build Operating System:Linux 2.6.16-1-vserver-amd64-k8 x86_64
> > Current Operating System: Linux remaxp 2.6.14.6-grsec-cz02 #1 Sun Jun 18 09:35:54 CEST 2006 x86_64
> > Build Date: 16 March 2006
> >         Before reporting problems, check http://wiki.x.org
> >         to make sure that you have the latest version.
> > Module Loader present
> > 
> > and see that my server was built *before* the date of the report.
> 
> I do not know where this date comes from, but here is the relevant entry

Well, this is the date shown (even as of today) when I type in
"startx".

> from /usr/share/doc/xserver-xorg-core/changelog.Debian.gz:
> 
>   xorg-server (1:1.0.2-8) unstable; urgency=low
> 
>     * Move xserverrc back to xbase-clients. Thanks Benjamin Mesing.
>     * Add 15_security_allocate_local.diff. This fixes Bug fd.o bug #6642.
>       Fix buffer overflow in Render.  (CVE 2006-1526). Patch by Eric Anholt.
> 
>    -- David Nusinow <dnusinow@debian.org>  Tue,  2 May 2006 21:47:17 -0400

Thanks, somehow I missed this entry. I guess the server build date
refers to some other build date not relevant for this bug?

> [...]
> > Furthermore I did not see a DSA for Sarge[5], if Sarge is not vulnerable
> > then please remember to update the appropriate list[6] accordingly.
> 
> I had a look at 4.3.0 sources; routines miTriFan and miTriStrip have a
> different algorithm and are not vulnerable in sarge.

Are you taking care of updating the non-vuln list, or should I do this
(I have web access privileges)?

Greetings

        Helge

-- 
      Dr. Helge Kreutzmann                     debian@helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 12:54:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:28:01 2019; Machine Name: buxtehude
