Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-201710-29
HistoryOct 21, 2017 - 12:00 a.m.

[ASA-201710-29] xorg-server: arbitrary code execution

2017-10-2100:00:00
security.archlinux.org
11

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

84.7%

JSON

Arch Linux Security Advisory ASA-201710-29

Severity: High
Date : 2017-10-21
CVE-ID : CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12183
Package : xorg-server
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-443

Summary

The package xorg-server before version 1.19.5-1 is vulnerable to
arbitrary code execution.

Resolution

Upgrade to 1.19.5-1.

pacman -Syu “xorg-server>=1.19.5-1”

The problems have been fixed upstream in version 1.19.5.

Workaround

None.

Description

  • CVE-2017-12176 (arbitrary code execution)

A security issue has been found in xorg-server, due to a missing
validation of the extra length in ProcEstablishConnection().

  • CVE-2017-12177 (arbitrary code execution)

A security issue has been found in the double buffer extension
component of xorg-server, due to a missing validation of the length of
a variable-length request in ProcDbeGetVisualInfo().

  • CVE-2017-12178 (arbitrary code execution)

A security issue has been found in the Xi component of xorg-server, due
to an invalid length check in ProcXIChangeHierarchy.

  • CVE-2017-12183 (arbitrary code execution)

A security issue has been found in the xfixes component of xorg-server,
where buffer lengths were not correctly validated.

Impact

An attacker able to connect to an X server, either locally or remotely,
can cause a denial of service by crashing the server, or execute
arbitrary code on the affected host.

References

https://lists.x.org/archives/xorg-devel/2017-October/054871.html
https://cgit.freedesktop.org/xorg/xserver/commit/?id=b747da5e25be944337a9cd1415506fc06b70aa81
https://cgit.freedesktop.org/xorg/xserver/commit/?id=4ca68b878e851e2136c234f40a25008297d8d831
https://cgit.freedesktop.org/xorg/xserver/commit/?id=859b08d523307eebde7724fd1a0789c44813e821
https://cgit.freedesktop.org/xorg/xserver/commit/?id=55caa8b08c84af2b50fbc936cf334a5a93dd7db5
https://security.archlinux.org/CVE-2017-12176
https://security.archlinux.org/CVE-2017-12177
https://security.archlinux.org/CVE-2017-12178
https://security.archlinux.org/CVE-2017-12183

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyxorg-server< 1.19.5-1UNKNOWN

Related

gentoo 1
nessus 11
openvas 9
debian 2
osv 6
ubuntu 1
freebsd 1
mageia 1
slackware 1
redhatcve 4
debiancve 4
cve 4
ubuntucve 4
alpinelinux 4
prion 4
gentoo
gentoo
X.Org Server: Multiple vulnerabilities
2017-11-10 00:00:00
nessus
nessus
GLSA-201711-05 : X.Org Server: Multiple vulnerabilities
2017-11-13 00:00:00
Debian DLA-1186-1 : xorg-server security update
2017-11-27 00:00:00
FreeBSD : xorg-server -- multiple vulnabilities (7274e0cc-575f-41bc-8619-14a41b3c2ad0)
2017-10-16 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-1186-1)
2023-03-08 00:00:00
Ubuntu: Security Advisory (USN-3456-1)
2017-10-18 00:00:00
Mageia: Security Advisory (MGASA-2017-0401)
2022-01-28 00:00:00
debian
debian
[SECURITY] [DLA 1186-1] xorg-server security update
2017-11-22 23:28:30
[SECURITY] [DSA 4000-1] xorg-server security update
2017-10-17 21:17:20
osv
osv
xorg-server - security update
2017-11-23 00:00:00
CVE-2017-12177
2018-01-24 15:29:00
CVE-2017-12176
2018-01-24 15:29:00
ubuntu
ubuntu
X.Org X server vulnerabilities
2017-10-17 00:00:00
freebsd
freebsd
xorg-server -- multiple vulnerabilities
2017-10-12 00:00:00
mageia
mageia
Updated x11-server packages fix security vulnerabilities & bugs
2017-11-06 11:22:52
slackware
slackware
[slackware-security] xorg-server
2017-10-18 19:36:24
redhatcve
redhatcve
CVE-2017-12177
2017-11-03 11:21:00
CVE-2017-12176
2017-11-03 11:21:15
CVE-2017-12183
2017-11-03 11:20:00
debiancve
debiancve
CVE-2017-12176
2018-01-24 15:29:00
CVE-2017-12183
2018-01-24 15:29:00
CVE-2017-12177
2018-01-24 15:29:00
cve
cve
CVE-2017-12177
2018-01-24 15:29:00
CVE-2017-12176
2018-01-24 15:29:00
CVE-2017-12183
2018-01-24 15:29:00
ubuntucve
ubuntucve
CVE-2017-12176
2017-10-12 00:00:00
CVE-2017-12178
2017-10-12 00:00:00
CVE-2017-12177
2017-10-12 00:00:00
alpinelinux
alpinelinux
CVE-2017-12176
2018-01-24 15:29:00
CVE-2017-12177
2018-01-24 15:29:00
CVE-2017-12183
2018-01-24 15:29:00
prion
prion
Input validation
2018-01-24 15:29:00
Code injection
2018-01-24 15:29:00
Integer overflow
2018-01-24 15:29:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

84.7%

JSON
Related for ASA-201710-29
gentoo1nessus11openvas9debian2osv6ubuntu1freebsd1mageia1slackware1redhatcve4debiancve4cve4ubuntucve4alpinelinux4prion4