CVE-2017-2624

Published: 01 March 2017

It was found that xorg-x11-server up to and including 1.19.0 uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, the client is allowed to attach to the Xorg session. Since most memcmp() implementations return as soon as a mismatching byte is seen, there is a measurable time difference between a correct and an incorrect byte, which could allow an efficient brute-force attack.
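As an added illustration (not code from this page, from the Xorg project, or from the upstream fix), the early-exit comparison pattern the advisory describes is shown next to a constant-time alternative. The cookie length, the function names and the sample cookies are constructed for the example; the real fix is in the upstream commits listed under Patches below, and this example does not reproduce it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed cookie length for the example (assumption, not taken from Xorg). */
#define COOKIE_LEN 16

/* The pattern the advisory describes: most memcmp() implementations stop at
 * the first mismatching byte, so the elapsed time reveals how many leading
 * bytes of the presented cookie were correct. Kept here only as the "before". */
int cookie_matches_early_exit(const uint8_t *presented, const uint8_t *valid, size_t len)
{
    return memcmp(presented, valid, len) == 0;
}

/* Constant-time comparison: OR the XOR of every byte pair into an accumulator
 * and inspect it only after the loop, so the running time does not depend on
 * where (or whether) the first mismatch occurs. The volatile qualifier keeps
 * the compiler from turning the loop back into an early-exit compare. */
int cookie_matches_ct(const uint8_t *presented, const uint8_t *valid, size_t len)
{
    volatile uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= presented[i] ^ valid[i];
    }
    return acc == 0;
}

/* Check a presented cookie against every configured cookie. The list is always
 * walked to the end, so the position of the matching entry is not leaked either.
 * The length check happens first; the length is not secret, so leaking it is fine. */
int auth_check(const uint8_t *presented, size_t plen,
               const uint8_t (*valid)[COOKIE_LEN], size_t nvalid)
{
    int found = 0;
    if (plen != COOKIE_LEN) {
        return 0;
    }
    for (size_t i = 0; i < nvalid; i++) {
        found |= cookie_matches_ct(presented, valid[i], COOKIE_LEN);
    }
    return found;
}

/* Self-check with constructed sample cookies (not real X authority data).
 * Returns 1 when all three cases behave as expected, 0 otherwise. */
int demo_self_check(void)
{
    static const uint8_t valid[2][COOKIE_LEN] = {
        { 0x3a, 0x91, 0x7c, 0x05, 0xde, 0x44, 0xb2, 0x18,
          0x6f, 0xc3, 0x20, 0xe7, 0x59, 0x8d, 0x01, 0xaa },
        { 0x77, 0x12, 0xf0, 0x9b, 0x4e, 0x63, 0x2d, 0xc8,
          0x15, 0xa6, 0xd9, 0x30, 0x8b, 0x5f, 0xe2, 0x04 },
    };
    uint8_t probe[COOKIE_LEN];

    /* An exact copy of the second configured cookie must be accepted. */
    memcpy(probe, valid[1], COOKIE_LEN);
    if (auth_check(probe, COOKIE_LEN, valid, 2) != 1) {
        return 0;
    }

    /* Flipping one bit in the last byte must be rejected. */
    probe[COOKIE_LEN - 1] ^= 0x01;
    if (auth_check(probe, COOKIE_LEN, valid, 2) != 0) {
        return 0;
    }

    /* A cookie of the wrong length must be rejected before any byte compare. */
    if (auth_check(valid[0], COOKIE_LEN - 1, valid, 2) != 0) {
        return 0;
    }

    return 1;
}

int main(void)
{
    printf("constant-time cookie check: %s\n", demo_self_check() ? "ok" : "FAILED");
    return demo_self_check() ? 0 : 1;
}
```

The two comparison functions return the same answer for every input; the only difference is that cookie_matches_ct always touches every byte, which is the property that removes the timing signal the advisory describes. Real servers usually get this from a library routine (for example a timing-safe memcmp) rather than hand-rolling it, but the principle is the same.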

Priority

Negligible

CVSS 3 base score: 7.0

Status

Package: xorg-server (Launchpad, Ubuntu, Debian)
  Upstream: Released (2:1.19.2-1)
  Ubuntu 16.04 ESM (Xenial Xerus): Released (2:1.18.4-0ubuntu0.3)
  Ubuntu 14.04 ESM (Trusty Tahr): Released (2:1.15.1-0ubuntu2.9)
  Patches:
    Upstream: https://cgit.freedesktop.org/xorg/xserver/commit/?id=d7ac755f0b618eb1259d93c8a16ec6e39a18627c
    Upstream: https://cgit.freedesktop.org/xorg/xserver/commit/?id=e9dbecf7c259f7e8b610fa93f97ea55f5dafa7af

Package: xorg-server-hwe-16.04 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Released (2:1.18.4-1ubuntu6.1~16.04.2)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Package: xorg-server-lts-quantal (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Package: xorg-server-lts-raring (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Package: xorg-server-lts-saucy (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Package: xorg-server-lts-trusty (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Package: xorg-server-lts-utopic (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was ignored [reached end-of-life])

Package: xorg-server-lts-vivid (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was ignored [reached end-of-life])

Package: xorg-server-lts-wily (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was ignored [reached end-of-life])

Package: xorg-server-lts-xenial (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [2:1.18.3-1ubuntu2.3~trusty2])