ESB-2018.3282 - [Linux][BSD][Debian] xorg-server: Root compromise - Existing account 2018-10-26


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3282
                        xorg-server security update
                              26 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xorg-server
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Linux variants
                   BSD variants
Impact/Access:     Root Compromise           -- Existing Account
                   Overwrite Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14665  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4328

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running xorg-server check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4328-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2018                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xorg-server
CVE ID         : CVE-2018-14665

Narendra Shinde discovered that incorrect command-line parameter
validation in the Xorg X server may result in arbitrary file overwrite,
which can result in privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 2:1.19.2-1+deb9u4.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
