Bugzilla – Bug 853846
VUL-0: CVE-2013-6424: xorg-x11-server: integer underflow when handling trapezoids
Last modified: 2014-06-02 20:08:24 UTC
CVE-2013-6424 An integer underflow flaw was found in the X.Org server when handling trapezoids. A malicious, authorized client could use this flaw to crash the X.Org server. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6424 https://bugzilla.redhat.com/show_bug.cgi?id=1037984
The SWAMPID for this issue is 55341. This issue was rated as moderate. Please submit fixed packages until 2013-12-19. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Seems there is a patch against xorg-server (exa extension) and an additional patch against pixman (also affected).
pixman is handled in bnc#853824.
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (853846) was mentioned in https://build.opensuse.org/request/show/210822 Factory / xorg-x11-server
Opensuse 13.1, 12.3, 12.2: https://build.opensuse.org/request/show/211427 SLE11 SP2: https://build.suse.de/request/show/30333 SLE11 SP3: https://build.suse.de/request/show/30335
openSUSE-SU-2013:1965-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 853846 CVE References: CVE-2013-6424 Sources used: openSUSE 13.1 (src): xorg-x11-server-7.6_1.14.3.901-4.1 openSUSE 12.3 (src): xorg-x11-server-7.6_1.13.2-1.21.1 openSUSE 12.2 (src): xorg-x11-server-7.6_1.12.3-1.41.1
Update released for: xorg-x11-Xvnc, xorg-x11-server, xorg-x11-server-debuginfo, xorg-x11-server-debugsource, xorg-x11-server-extra, xorg-x11-server-sdk Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: xorg-x11-Xvnc, xorg-x11-server, xorg-x11-server-debuginfo, xorg-x11-server-debugsource, xorg-x11-server-extra, xorg-x11-server-sdk Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: xorg-x11-Xvnc, xorg-x11-server, xorg-x11-server-debuginfo, xorg-x11-server-debugsource, xorg-x11-server-extra, xorg-x11-server-sdk Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
(In reply to comment #11) > I am afraid we should fix it. Is this difficult to do? It's not. I made I made equivalent patches for SLE10 and SLE9. Interestingly SLE9 code was closest to the correct form. SLE10: https://build.suse.de/request/show/30604 SLE9: https://build.suse.de/request/show/30607
Update released for: xorg-x11, xorg-x11-Xnest, xorg-x11-Xprt, xorg-x11-Xvfb, xorg-x11-Xvnc, xorg-x11-debuginfo, xorg-x11-devel, xorg-x11-doc, xorg-x11-driver-options, xorg-x11-fonts-100dpi, xorg-x11-fonts-75dpi, xorg-x11-fonts-cyrillic, xorg-x11-fonts-scalable, xorg-x11-fonts-syriac, xorg-x11-libs, xorg-x11-man, xorg-x11-sdk, xorg-x11-server, xorg-x11-server-glx Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
SUSE-SU-2014:0051-2: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 853846 CVE References: CVE-2013-6424 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP2 (src): xorg-x11-server-7.4-27.70.76.1 SUSE Linux Enterprise Server 11 SP2 for VMware (src): xorg-x11-server-7.4-27.70.76.1 SUSE Linux Enterprise Server 11 SP2 (src): xorg-x11-server-7.4-27.70.76.1 SUSE Linux Enterprise Desktop 11 SP2 (src): xorg-x11-server-7.4-27.70.76.1
done
Update released for: XFree86, XFree86-Mesa, XFree86-Mesa-devel, XFree86-Xnest, XFree86-Xprt, XFree86-Xvfb, XFree86-Xvnc, XFree86-devel, XFree86-doc, XFree86-driver-options, XFree86-fonts-100dpi, XFree86-fonts-75dpi, XFree86-fonts-cyrillic, XFree86-fonts-scalable, XFree86-fonts-syriac, XFree86-libs, XFree86-man, XFree86-server, XFree86-server-glx, km_drm Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: xorg-x11-Xvnc, xorg-x11-server, xorg-x11-server-debuginfo, xorg-x11-server-debugsource, xorg-x11-server-extra, xorg-x11-server-sdk Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64) SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
SUSE-SU-2014:0744-1: An update that solves three vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 813178,813683,814653,816813,843652,853846 CVE References: CVE-2013-1940,CVE-2013-4396,CVE-2013-6424 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): xorg-x11-server-7.4-27.40.70.1