[RHSA-2012:0303-03] Low: xorg-x11-server security and bug fix update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Low: xorg-x11-server security and bug fix update

Advisory ID: RHSA-2012:0303-03

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0303.html

Issue date: 2012-02-21

Keywords: fbdev installer

CVE Names: CVE-2011-4028

=====================================================================

 

1. Summary:

 

Updated xorg-x11-server packages that fix one security issue and various

bugs are now available for Red Hat Enterprise Linux 5.

 

The Red Hat Security Response Team has rated this update as having low

security impact. A Common Vulnerability Scoring System (CVSS) base score,

which gives a detailed severity rating, is available from the CVE link in

the References section.

 

2. Relevant releases/architectures:

 

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

 

3. Description:

 

X.Org is an open source implementation of the X Window System. It provides

the basic low-level functionality that full-fledged graphical user

interfaces are designed upon.

 

A flaw was found in the way the X.Org server handled lock files. A local

user with access to the system console could use this flaw to determine the

existence of a file in a directory not accessible to the user, via a

symbolic link attack. (CVE-2011-4028)

 

Red Hat would like to thank the researcher with the nickname vladz for

reporting this issue.

 

This update also fixes the following bugs:

 

* In rare cases, if the front and back buffer of the miDbePositionWindow()

function were not both allocated in video memory, or were both allocated in

system memory, the X Window System sometimes terminated unexpectedly. A

patch has been provided to address this issue and X no longer crashes in

the described scenario. (BZ#596899)

 

* Previously, when the miSetShape() function called the miRegionDestroy()

function with a NULL region, X terminated unexpectedly if the backing store

was enabled. Now, X no longer crashes in the described scenario.

(BZ#676270)

 

* On certain workstations running in 32-bit mode, the X11 mouse cursor

occasionally became stuck near the left edge of the X11 screen. A patch has

been provided to address this issue and the mouse cursor no longer becomes

stuck in the described scenario. (BZ#529717)

 

* On certain workstations with a dual-head graphics adapter using the r500

driver in Zaphod mode, the mouse pointer was confined to one monitor screen

and could not move to the other screen. A patch has been provided to

address this issue and the mouse cursor works properly across both screens.

(BZ#559964)

 

* Due to a double free operation, Xvfb (X virtual framebuffer) terminated

unexpectedly with a segmentation fault randomly when the last client

disconnected, that is when the server reset. This bug has been fixed in the

miDCCloseScreen() function and Xvfb no longer crashes. (BZ#674741)

 

* Starting the Xephyr server on an AMD64 or Intel 64 architecture with an

integrated graphics adapter caused the server to terminate unexpectedly.

This bug has been fixed in the code and Xephyr no longer crashes in the

described scenario. (BZ#454409)

 

* Previously, when a client made a request bigger than 1/4th of the limit

advertised in the BigRequestsEnable reply, the X server closed the

connection unexpectedly. With this update, the maxBigRequestSize variable

has been added to the code to check the size of client requests, thus

fixing this bug. (BZ#555000)

 

* When an X client running on a big-endian system called the

XineramaQueryScreens() function, the X server terminated unexpectedly. This

bug has been fixed in the xf86Xinerama module and the X server no longer

crashes in the described scenario. (BZ#588346)

 

* When installing Red Hat Enterprise Linux 5 on an IBM eServer System p

blade server, the installer did not set the correct mode on the built-in

KVM (Keyboard-Video-Mouse). Consequently, the graphical installer took a

very long time to appear and then was displayed incorrectly. A patch has

been provided to address this issue and the graphical installer now works

as expected in the described scenario. Note that this fix requires the

Red Hat Enterprise Linux 5.8 kernel update. (BZ#740497)

 

* Lines longer than 46,340 pixels can be drawn with one of the coordinates

being negative. However, for dashed lines, the miPolyBuildPoly() function

overflowed the "int" type when setting up edges for a section of a dashed

line. Consequently, dashed segments were not drawn at all. An upstream

patch has been applied to address this issue and dashed lines are now drawn

correctly. (BZ#649810)

 

All users of xorg-x11-server are advised to upgrade to these updated

packages, which correct these issues. All running X.Org server instances

must be restarted for this update to take effect.

 

4. Solution:

 

Before applying this update, make sure all previously-released errata

relevant to your system have been applied.

 

This update is available via the Red Hat Network. Details on how to

use the Red Hat Network to apply this update are available at

https://access.redhat.com/kb/docs/DOC-11259

 

5. Bugs fixed (http://bugzilla.redhat.com/):

 

454409 - Xephyr ends with Segmentation fault

529717 - [RHEL5] HP DC5850: mice get stuck on left edge (X11 acceleration overflow?)

555000 - Using BIG-REQUESTS cause XIO and connection close

559964 - Pointer confined to one monitor with r500 in zaphod mode

588346 - XineramaQueryScreens() from an X client on a big endian machine cause the Xserver to crash

649810 - Integer overflow for dashed lines longer than 46340

676270 - Xserver segfaults in miwindow.c when backing store is enabled

745755 - CVE-2011-4028 xorg-x11, xorg-x11-server: File existence disclosure vulnerability

 

6. Package List:

 

Red Hat Enterprise Linux Desktop (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xorg-x11-server-1.1.1-48.90.el5.src.rpm

 

i386:

xorg-x11-server-Xdmx-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xephyr-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xnest-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xorg-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xvfb-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xvnc-source-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-debuginfo-1.1.1-48.90.el5.i386.rpm

 

x86_64:

xorg-x11-server-Xdmx-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xephyr-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xnest-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xorg-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xvfb-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xvnc-source-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-debuginfo-1.1.1-48.90.el5.x86_64.rpm

 

RHEL Desktop Workstation (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xorg-x11-server-1.1.1-48.90.el5.src.rpm

 

i386:

xorg-x11-server-debuginfo-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-sdk-1.1.1-48.90.el5.i386.rpm

 

x86_64:

xorg-x11-server-debuginfo-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-sdk-1.1.1-48.90.el5.x86_64.rpm

 

Red Hat Enterprise Linux (v. 5 server):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xorg-x11-server-1.1.1-48.90.el5.src.rpm

 

i386:

xorg-x11-server-Xdmx-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xephyr-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xnest-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xorg-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xvfb-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-Xvnc-source-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-debuginfo-1.1.1-48.90.el5.i386.rpm

xorg-x11-server-sdk-1.1.1-48.90.el5.i386.rpm

 

ia64:

xorg-x11-server-Xdmx-1.1.1-48.90.el5.ia64.rpm

xorg-x11-server-Xephyr-1.1.1-48.90.el5.ia64.rpm

xorg-x11-server-Xnest-1.1.1-48.90.el5.ia64.rpm

xorg-x11-server-Xorg-1.1.1-48.90.el5.ia64.rpm

xorg-x11-server-Xvfb-1.1.1-48.90.el5.ia64.rpm

xorg-x11-server-Xvnc-source-1.1.1-48.90.el5.ia64.rpm

xorg-x11-server-debuginfo-1.1.1-48.90.el5.ia64.rpm

xorg-x11-server-sdk-1.1.1-48.90.el5.ia64.rpm

 

ppc:

xorg-x11-server-Xdmx-1.1.1-48.90.el5.ppc.rpm

xorg-x11-server-Xephyr-1.1.1-48.90.el5.ppc.rpm

xorg-x11-server-Xnest-1.1.1-48.90.el5.ppc.rpm

xorg-x11-server-Xorg-1.1.1-48.90.el5.ppc.rpm

xorg-x11-server-Xvfb-1.1.1-48.90.el5.ppc.rpm

xorg-x11-server-Xvnc-source-1.1.1-48.90.el5.ppc.rpm

xorg-x11-server-debuginfo-1.1.1-48.90.el5.ppc.rpm

xorg-x11-server-sdk-1.1.1-48.90.el5.ppc.rpm

 

s390x:

xorg-x11-server-Xephyr-1.1.1-48.90.el5.s390x.rpm

xorg-x11-server-Xnest-1.1.1-48.90.el5.s390x.rpm

xorg-x11-server-Xvfb-1.1.1-48.90.el5.s390x.rpm

xorg-x11-server-Xvnc-source-1.1.1-48.90.el5.s390x.rpm

xorg-x11-server-debuginfo-1.1.1-48.90.el5.s390x.rpm

 

x86_64:

xorg-x11-server-Xdmx-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xephyr-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xnest-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xorg-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xvfb-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-Xvnc-source-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-debuginfo-1.1.1-48.90.el5.x86_64.rpm

xorg-x11-server-sdk-1.1.1-48.90.el5.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/#package

 

7. References:

 

https://www.redhat.com/security/data/cve/CVE-2011-4028.html

https://access.redhat.com/security/updates/classification/#low

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2012 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

 

iD8DBQFPQyUCXlSAg2UNWIIRAv0eAJ9f7w2ltsugubo8T1UxHbrR0yhIXwCeNboK

pObvvcc4xLEOcsfD68/cTRM=

=zrCM

-----END PGP SIGNATURE-----

 

 

--