Univention Bugzilla – Bug 29132
xorg-server: DoS/Information Disclosure (3.1)
Last modified: 2013-11-19 06:43:34 CET
+++ This bug was initially created as a clone of Bug #25583 +++

\item In the Render extension, several commands were insufficiently sanitized. This allows denial of service or reading of memory (CVE-2010-4819)
CVE-2013-1940 David Airlie and Peter Hutterer of Red Hat discovered that xorg-server, the Xorg X server was vulnerable to an information disclosure flaw related to input handling and devices hotplug. When an X server is running but not on front (for example because of a VT switch), a newly plugged input device would still be recognized and handled by the X server, which would actually transmit input events to its clients on the background. This could allow an attacker to recover some input events not intended for the X clients, including sensitive information.
(In reply to Moritz Muehlenhoff from comment #0)
> +++ This bug was initially created as a clone of Bug #25583 +++
>
> \item In the Render extension, several commands were insufficiently
> sanitized. This allows denial of service or reading of memory
> (CVE-2010-4819)

This has already been fixed in 3.0-1 with the import of 2:1.7.7-14
Fixed in 3.2 through the import of Debian 6.0.8. The QA should ideally be made by the same person as for Bug 31956.
(In reply to Moritz Muehlenhoff from comment #2)
> This has already been fixed in 3.0-1 with the import of 2:1.7.7-14

Correct

(In reply to Moritz Muehlenhoff from comment #3)
> Fixed in 3.2 through the import of Debian 6.0.8.

Correct
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".