CVE-2011-4613

Published: 15 December 2011

The X.Org X wrapper (xserver-wrapper.c) in Debian GNU/Linux and Ubuntu Linux does not properly verify the TTY of a user who is starting X, which allows local users to bypass intended access restrictions by associating stdin with a file that is misinterpreted as the console TTY.

Priority

Medium

Status

Package Release Status
xorg
Launchpad, Ubuntu, Debian
Upstream
Released (1:7.6+10)

Notes

AuthorNote
jdstrand
requires pty access. In combination with CVE-2011-4029 this becomes
more important, but that CVE is fixed in Ubuntu.
mdeslaur
Debian fixed this by dropping support for alternate TTY devices,
which we need for upstart support. See changelog for
(1:7.4~2ubuntu2) and (1:7.4~4).

References

Bugs