CVSS2: 6.9 Medium
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.0004 Low
Percentile: 5.1%
CentOS Errata and Security Advisory CESA-2013:0502
The Core X11 clients packages provide the xorg-x11-utils,
xorg-x11-server-utils, and xorg-x11-apps clients that ship with the X
Window System.
It was found that the x11perfcomp utility included the current working
directory in its PATH environment variable. Running x11perfcomp in an
attacker-controlled directory would cause arbitrary code execution with
the privileges of the user running x11perfcomp. (CVE-2011-2504)
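The class of problem described above can be checked for in any script's search path. The following POSIX shell functions are an added example, not code from the advisory or from the packaged fix: they flag PATH components that resolve to the current working directory (an empty component, "." or any relative path) and produce a PATH with only absolute components. The function names and the sample PATH value are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a PATH string for components
# that resolve to the current working directory. Sample values are constructed.

# Print one finding per risky component; return 1 if any were found.
path_cwd_entries() {
    rest="$1:"        # sentinel colon so a trailing empty component is seen
    idx=0
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        idx=$((idx + 1))
        case $entry in
            '') echo "component $idx: empty (searched as the current directory)"
                found=1 ;;
            /*) ;;    # absolute path: does not depend on the caller's cwd
            *)  echo "component $idx: relative path '$entry'"
                found=1 ;;
        esac
    done
    return "$found"
}

# Print the same PATH with only its absolute components kept, order preserved.
path_absolute_only() {
    rest="$1:"
    out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) out=${out:+$out:}$entry ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample: "." and a trailing colon both pull in the cwd.
sample='/usr/bin:.:/bin:'
if ! path_cwd_entries "$sample"; then
    echo "cleaned: $(path_absolute_only "$sample")"
fi
```

An empty component (a leading or trailing colon, or "::") is as significant as a literal ".", which is why the audit treats both the same way.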
Also with this update, the xorg-x11-utils and xorg-x11-server-utils
packages have been upgraded to upstream version 7.5, and the xorg-x11-apps
package to upstream version 7.6, which provides a number of bug fixes and
enhancements over the previous versions. (BZ#835277, BZ#835278, BZ#835281)
All users of xorg-x11-utils, xorg-x11-server-utils, and xorg-x11-apps are
advised to upgrade to these updated packages, which fix these issues and
add these enhancements.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2013-March/081715.html
https://lists.centos.org/pipermail/centos-announce/2013-March/081766.html
https://lists.centos.org/pipermail/centos-announce/2013-March/081768.html
https://lists.centos.org/pipermail/centos-cr-announce/2013-February/027016.html
https://lists.centos.org/pipermail/centos-cr-announce/2013-February/027067.html
https://lists.centos.org/pipermail/centos-cr-announce/2013-February/027069.html
Affected packages:
xorg-x11-apps
xorg-x11-server-utils
xorg-x11-utils
Upstream details at:
https://access.redhat.com/errata/RHSA-2013:0502