CVE-2012-2118
Published: 18 May 2012
Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name.
Notes
Author | Note |
---|---|
jdstrand | Reducing priority because we build with -D_FORTIFY_SOURCE=2 and, as of USN-1396-1, Ubuntu's glibc is patched to fix CVE-2012-0864, so this is reduced to a denial of service. Per upstream, only 1.10 and higher are affected: http://lists.x.org/pipermail/xorg-devel/2012-May/031411.html |
sbeattie | With experimentation, was not able to cause the 1.10 server to crash in natty and oneiric; marking those not-affected. |
Priority
Status
Package | Release | Status |
---|---|---|
xorg-server (Launchpad, Ubuntu, Debian) | hardy | Not vulnerable |
| lucid | Not vulnerable (2:1.7.6-2ubuntu7.11) |
| natty | Not vulnerable (see note) |
| oneiric | Not vulnerable (see note) |
| precise | Released (2:1.11.4-0ubuntu10.5) |
| quantal | Not vulnerable (2:1.13.0-0ubuntu6.1) |
| upstream | Needs triage |
Patches:
other: http://patchwork.freedesktop.org/patch/10000/
other: http://patchwork.freedesktop.org/patch/9998/
other: http://patchwork.freedesktop.org/patch/9999/
other: http://patchwork.freedesktop.org/patch/10001/

This vulnerability is mitigated in part by the use of -D_FORTIFY_SOURCE=2 in Ubuntu.
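The following is an added illustration of the bug class described above (a caller-influenced device name reaching a varargs logging function as its format string) and of the fix pattern (a literal format with the name passed through `%s`). It is example code written for this page, not X.Org's os/log.c; the function names `log_hdr`, `log_device_vulnerable`, `log_device_fixed` and `name_has_format_directive`, the message text, and the sample device name are all assumptions made for the demonstration.

```c
/* Added example, not X.Org code. Models a LogVHdrMessageVerb-style
 * varargs logger and shows the vulnerable and fixed call patterns. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in varargs logger (hypothetical). It is deliberately NOT tagged
 * __attribute__((format(printf, 3, 4))), so the compiler stays silent about
 * the misuse below, which is how such bugs survive review. */
static int log_hdr(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the message containing the device name is handed to the
 * logger as its format string, so "%x", "%s" or "%n" inside the name are
 * interpreted. With a fortified glibc a "%n" aborts the process (the DoS
 * the tracker notes describe); without fortification it is a write. */
const char *log_device_vulnerable(const char *device_name)
{
    static char out[256];
    char prefixed[256];
    /* The name is copied safely here ... */
    snprintf(prefixed, sizeof prefixed, "config: device %s", device_name);
    /* ... but then the whole message becomes the format string. BUG. */
    log_hdr(out, sizeof out, prefixed);
    return out;
}

/* FIXED: the format is a literal and the name is a %s argument, so its
 * bytes are copied verbatim and never interpreted. */
const char *log_device_fixed(const char *device_name)
{
    static char out[256];
    log_hdr(out, sizeof out, "config: device %s", device_name);
    return out;
}

/* Cheap heuristic for audits or a defensive assertion at the input
 * boundary: does an externally supplied name carry a conversion character? */
int name_has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed sample: a device name carrying an escaped percent sign.
     * "%%" is the only directive whose vulnerable-path result is well
     * defined, which is why it is used for the comparison. */
    const char *name = "evdev 100%% mouse";
    printf("vulnerable: %s\n", log_device_vulnerable(name));
    printf("fixed:      %s\n", log_device_fixed(name));
    printf("directive present: %d\n", name_has_format_directive(name));
    return 0;
}
```

The vulnerable path collapses the name's `%%` to a single `%`, proving the bytes were parsed as a format; the fixed path reproduces the name byte for byte. Running the vulnerable function with a name containing `%n` on an Ubuntu build with -D_FORTIFY_SOURCE=2 terminates the process, which is the denial-of-service outcome the notes above refer to.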