X.Org: Multiple vulnerabilities — GLSA 201704-03

Multiple vulnerabilities have been found in X.Org server and libraries, the worse of which allowing local attackers to execute arbitrary code.

Affected Packages

x11-base/xorg-server on all architectures
Affected versions < 1.19.2
Unaffected versions >= 1.19.2
x11-libs/libICE on all architectures
Affected versions < 1.0.9-r1
Unaffected versions >= 1.0.9-r1
x11-libs/libXdmcp on all architectures
Affected versions < 1.1.2-r1
Unaffected versions >= 1.1.2-r1
x11-libs/libXrender on all architectures
Affected versions < 0.9.10
Unaffected versions >= 0.9.10
x11-libs/libXi on all architectures
Affected versions < 1.7.7
Unaffected versions >= 1.7.7
x11-libs/libXrandr on all architectures
Affected versions < 1.5.1
Unaffected versions >= 1.5.1
x11-libs/libXfixes on all architectures
Affected versions < 5.0.3
Unaffected versions >= 5.0.3
x11-libs/libXv on all architectures
Affected versions < 1.0.11
Unaffected versions >= 1.0.11

Background

X.Org X servers

Description

Multiple vulnerabilities have been discovered in X.Org server and libraries. Please review the CVE identifiers referenced below for details.

Impact

A local or remote users can utilize the vulnerabilities to attach to the X.Org session as a user and execute arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All X.Org-server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.19.2"
 

All libICE users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libICE-1.0.9-r1"
 

All libXdmcp users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXdmcp-1.1.2-r1"
 

All libXrender users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXrender-0.9.10"
 

All libXi users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXi-1.7.7"
 

All libXrandr users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXrandr-1.5.1"
 

All libXfixes users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXfixes-5.0.3"
 

All libXv users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXv-1.0.11"
 

References

Release Date
April 10, 2017

Latest Revision
April 10, 2017: 1

Severity
high

Exploitable
local, remote

Bugzilla entries