FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  480683
Date:      2018-09-25
Time:      16:09:39Z
Committer: sunpoet

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
27b9b2f0-8081-11e4-b4ca-bcaec565249cxserver -- multiple issue with X client request handling

Alan Coopersmith reports:

Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way the X server code base handles requests from X clients, and has worked with X.Org's security team to analyze, confirm, and fix these issues.

The vulnerabilities could be exploited to cause the X server to access uninitialized memory or overwrite arbitrary memory in the X server process. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution.

The GLX extension to the X Window System allows an X client to send X protocol to the X server, to request that the X server perform OpenGL rendering on behalf of the X client. This is known as "GLX indirect rendering", as opposed to "GLX direct rendering" where the X client submits OpenGL rendering commands directly to the GPU, bypassing the X server and avoiding the X server code for GLX protocol handling.

Most GLX indirect rendering implementations share some common ancestry, dating back to "Sample Implementation" code from Silicon Graphics, Inc (SGI), which SGI originally commercially licensed to other Unix workstation and graphics vendors, and later released as open source, so those vulnerabilities may affect other licensees of SGI's code base beyond those running code from the X.Org Foundation or the XFree86 Project.


Discovery 2014-12-09
Entry 2014-12-10
xorg-server
lt 1.12.4_10,1

http://lists.x.org/archives/xorg-announce/2014-December/002500.html
CVE-2014-8091
CVE-2014-8092
CVE-2014-8093
CVE-2014-8094
CVE-2014-8095
CVE-2014-8096
CVE-2014-8097
CVE-2014-8098
CVE-2014-8099
CVE-2014-8100
CVE-2014-8101
CVE-2014-8102
ab881a74-c016-4e6d-9f7d-68c8e7cedafbxorg-server -- Multiple Issues

xorg-server developers reports:

In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.

Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.


Discovery 2017-07-06
Entry 2017-10-17
Modified 2018-05-20
xorg-server
le 1.18.4_6,1

ge 1.19.0,1 le 1.19.3,1

http://www.securityfocus.com/bid/99546
https://bugzilla.suse.com/show_bug.cgi?id=1035283
https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c
https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d
https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455
http://www.securityfocus.com/bid/99543
https://bugzilla.suse.com/show_bug.cgi?id=1035283
https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced
CVE-2017-10971
CVE-2017-10972
7274e0cc-575f-41bc-8619-14a41b3c2ad0xorg-server -- multiple vulnabilities

Adam Jackson reports:

One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-12176 through 2017-12187.


Discovery 2017-10-12
Entry 2017-10-13
xephyr
lt 1.18.4_5,1

xorg-dmx
lt 1.18.4_5,1

xorg-nestserver
lt 1.19.1_2,2

xorg-server
lt 1.18.4_5,1

xorg-vfbserver
lt 1.19.1_2,1

xwayland
lt 1.19.1_2

https://lists.x.org/archives/xorg-announce/2017-October/002814.html
CVE-2017-12176
CVE-2017-12177
CVE-2017-12178
CVE-2017-12179
CVE-2017-12180
CVE-2017-12181
CVE-2017-12182
CVE-2017-12183
CVE-2017-12184
CVE-2017-12185
CVE-2017-12186
CVE-2017-12187
4f8ffb9c-f388-4fbd-b90f-b3131559d888xorg-server -- multiple vulnabilities

Alan Coopersmith reports:

X.Org thanks Michal Srb of SuSE for finding these issues and bringing them to our attention, Julien Cristau of Debian for getting the fixes integrated, and Adam Jackson of Red Hat for publishing the release.


Discovery 2017-10-04
Entry 2017-10-09
xephyr
lt 1.18.4_4,1

xorg-dmx
lt 1.18.4_4,1

xorg-nestserver
lt 1.19.1_1,2

xorg-server
lt 1.18.4_4,1

xorg-vfbserver
lt 1.19.1_1,1

xwayland
lt 1.19.1_1

https://lists.x.org/archives/xorg-announce/2017-October/002809.html
CVE-2017-13721
CVE-2017-13723
54a69cf7-b2ef-11e4-b1f1-bcaec565249cxorg-server -- Information leak in the XkbSetGeometry request of X servers.

Peter Hutterer reports:

Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request.

The issue stems from the server trusting the client to send valid string lengths in the request data. A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs. This data is then available to the client via the XkbGetGeometry request. The data length is at least up to 64k, it is possible to obtain more data by chaining strings, each string length is then determined by whatever happens to be in that 16-bit region of memory.

A similarly crafted request can likely cause the X server to crash.


Discovery 2015-02-10
Entry 2015-02-12
xorg-server
lt 1.14.7_2,1

xorg-server
ge 1.15.0,1 lt 1.16.4,1

CVE-2015-0255
http://lists.freedesktop.org/archives/xorg/2015-February/057158.html