xorg-x11-server-7.6_1.18.4-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10518-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z xorg-x11-server-7.6_1.18.4-2.1 on GA media These are all security issues fixed in the xorg-x11-server-7.6_1.18.4-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10518 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-2240/ SUSE CVE CVE-2010-2240 page https://www.suse.com/security/cve/CVE-2013-1940/ SUSE CVE CVE-2013-1940 page https://www.suse.com/security/cve/CVE-2013-4396/ SUSE CVE CVE-2013-4396 page https://www.suse.com/security/cve/CVE-2013-6424/ SUSE CVE CVE-2013-6424 page https://www.suse.com/security/cve/CVE-2015-3164/ SUSE CVE CVE-2015-3164 page openSUSE Tumbleweed xorg-x11-server-7.6_1.18.4-2.1 xorg-x11-server-extra-7.6_1.18.4-2.1 xorg-x11-server-sdk-7.6_1.18.4-2.1 xorg-x11-server-source-7.6_1.18.4-2.1 xorg-x11-server-wayland-7.6_1.18.4-2.1 xorg-x11-server-7.6_1.18.4-2.1 as a component of openSUSE Tumbleweed xorg-x11-server-extra-7.6_1.18.4-2.1 as a component of openSUSE Tumbleweed xorg-x11-server-sdk-7.6_1.18.4-2.1 as a component of openSUSE Tumbleweed xorg-x11-server-source-7.6_1.18.4-2.1 as a component of openSUSE Tumbleweed xorg-x11-server-wayland-7.6_1.18.4-2.1 as a component of openSUSE Tumbleweed The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. CVE-2010-2240 openSUSE Tumbleweed:xorg-x11-server-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-extra-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-sdk-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-source-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-wayland-7.6_1.18.4-2.1 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-2240.html CVE-2010-2240 https://bugzilla.suse.com/1039348 SUSE Bug 1039348 https://bugzilla.suse.com/211997 SUSE Bug 211997 https://bugzilla.suse.com/546062 SUSE Bug 546062 https://bugzilla.suse.com/59807 SUSE Bug 59807 https://bugzilla.suse.com/615929 SUSE Bug 615929 https://bugzilla.suse.com/618152 SUSE Bug 618152 https://bugzilla.suse.com/632737 SUSE Bug 632737 https://bugzilla.suse.com/643986 SUSE Bug 643986 https://bugzilla.suse.com/746947 SUSE Bug 746947 https://bugzilla.suse.com/746949 SUSE Bug 746949 X.Org X server before 1.13.4 and 1.4.x before 1.14.1 does not properly restrict access to input events when adding a new hot-plug device, which might allow physically proximate attackers to obtain sensitive information, as demonstrated by reading passwords from a tty. CVE-2013-1940 openSUSE Tumbleweed:xorg-x11-server-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-extra-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-sdk-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-source-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-wayland-7.6_1.18.4-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1940.html CVE-2013-1940 https://bugzilla.suse.com/814653 SUSE Bug 814653 https://bugzilla.suse.com/815870 SUSE Bug 815870 Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted ImageText request that triggers memory-allocation failure. CVE-2013-4396 openSUSE Tumbleweed:xorg-x11-server-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-extra-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-sdk-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-source-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-wayland-7.6_1.18.4-2.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4396.html CVE-2013-4396 https://bugzilla.suse.com/843652 SUSE Bug 843652 Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. CVE-2013-6424 openSUSE Tumbleweed:xorg-x11-server-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-extra-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-sdk-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-source-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-wayland-7.6_1.18.4-2.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6424.html CVE-2013-6424 https://bugzilla.suse.com/853846 SUSE Bug 853846 The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the server in non-authenticating mode, which allows local users to read from or send information to arbitrary X11 clients via vectors involving a UNIX socket. CVE-2015-3164 openSUSE Tumbleweed:xorg-x11-server-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-extra-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-sdk-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-source-7.6_1.18.4-2.1 openSUSE Tumbleweed:xorg-x11-server-wayland-7.6_1.18.4-2.1 moderate 3.6 AV:L/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3164.html CVE-2015-3164 https://bugzilla.suse.com/1177201 SUSE Bug 1177201 https://bugzilla.suse.com/934102 SUSE Bug 934102