CVE-2012-2118

2012-05-18T00:00:00
ID UB:CVE-2012-2118
Type ubuntucve
Reporter ubuntu.com
Modified 2012-05-18T00:00:00

Description

Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name.

Bugs

  • <https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/996250>
  • <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673148>
  • <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2118>

Notes

Author| Note
---|---
jdstrand | Reducing priority because we build with -D_FORTIFY_SOURCE=2 and as of USN-1396-1, Ubuntu's glibc is patched to fix (CVE-2012-0864), so this is reduced to a denial of service. Per upstream, only 1.10 and higher are affected: <http://lists.x.org/pipermail/xorg-devel/2012-May/031411.html>
sbeattie | With experimentation, was not able to cause the 1.10 server to crash in natty and oneiric; marking those not-affected.