Date: Tue, 09 Dec 2014 13:15:44 -0800
From: Alan Coopersmith <>
CC: Ilja Van Sprundel <>,
        "X.Org Security Team" <>
Subject: Re: Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol
 handling issues in X servers

On 12/ 9/14 08:04 AM, Alan Coopersmith wrote:
> Fixes
> =====
> Fixes are available in git commits and patches which will be listed
> on
> when this advisory is released.
> Fixes are also planned to be included in the xorg-server-1.17.0 and
> xorg-server-1.16.3 releases

Fixes are now available in the X.Org master git repositories for the Xserver
1.17 development branch ("master") & 1.16 stable branch ("server-1.16-branch").

Additionally they are included in today's release of xorg-server
(Release Candidate 1 for 1.16.3):

For those who either used the patches mailed to the distros list during embargo
or pulled changes from my personal git repository earlier today, please note
there are some additional changes that were made due to issues raised when the
patches were on final approach this morning.  These fixes mostly silence
compiler warnings, but also fix at least one bug in calculating buffer sizes
that could result in false failures or allowing overflows.  These added patches

dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]

glx: Can't mix declarations and code in sources [CVE-2014-8098 pt. 9]

Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]

dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]

They are also included with all the earlier patches in the list now posted to:

Since these additional commits went into the X.Org master repo as part of the
same pull request as the earlier fixes, X.Org considers them to be part of the
fix for the CVE's in this advisory and does not believe new CVE id's are
warranted as X.Org distributed no version of its code in which only part of
these fixes were present.

	-Alan Coopersmith-    
	 Oracle Solaris Engineering -
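As an added illustration, not code from the advisory or from the X server, of why a missing pair of parentheses in a request-length macro can cause the false failures mentioned above: the structs, the two DEMO_FIXED_SIZE macros and the `<< 2` argument below are simplified stand-ins (assumptions) for the real REQUEST_FIXED_SIZE and its callers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed stand-ins (assumptions, not X server code): an 8-byte request
 * header, and a client record whose req_len counts the request in 4-byte units. */
typedef struct { uint8_t reqType, pad; uint16_t length; uint32_t nElements; } xDemoReq;
typedef struct { uint32_t req_len; } DemoClient;

/* Simplified length check with the argument n pasted in WITHOUT parentheses.
 * A caller passing an expression such as "count << 2" changes the grouping:
 * sizeof(req) + count << 2 + 3 parses as (sizeof(req) + count) << (2 + 3). */
#define DEMO_FIXED_SIZE_UNFIXED(req, n, c) \
    (((sizeof(req) >> 2) <= (c)->req_len) && \
     ((n >> 2) < (c)->req_len) && \
     (((sizeof(req) + n + 3) >> 2) == (c)->req_len))

/* Same check with (n) parenthesised and 64-bit arithmetic so the sum cannot wrap. */
#define DEMO_FIXED_SIZE_FIXED(req, n, c) \
    (((sizeof(req) >> 2) <= (c)->req_len) && \
     (((uint64_t)(n) >> 2) < (c)->req_len) && \
     ((((uint64_t) sizeof(req) + (n) + 3) >> 2) == (uint64_t)(c)->req_len))

/* Each helper asks one macro whether a request carrying nElements 32-bit items
 * (body size nElements << 2 bytes) agrees with a declared length of req_len units. */
bool unfixed_accepts(uint32_t nElements, uint32_t req_len) {
    DemoClient client = { req_len };
    xDemoReq stuff = { 0, 0, 0, nElements };
    return DEMO_FIXED_SIZE_UNFIXED(xDemoReq, stuff.nElements << 2, &client);
}

bool fixed_accepts(uint32_t nElements, uint32_t req_len) {
    DemoClient client = { req_len };
    xDemoReq stuff = { 0, 0, 0, nElements };
    return DEMO_FIXED_SIZE_FIXED(xDemoReq, stuff.nElements << 2, &client);
}

/* Well-formed request: 1 element = 4 body bytes, 12 bytes total, req_len = 3.
 * The unfixed macro computes ((8 + 1) << 5) >> 2 = 72, rejects it (a false
 * failure), and instead accepts the inconsistent declaration req_len = 72. */
int main(void) {
    return (fixed_accepts(1, 3) && !unfixed_accepts(1, 3) && unfixed_accepts(1, 72)) ? 0 : 1;
}
```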
