========================================================================== Ubuntu Security Notice USN-1232-3 October 20, 2011 xorg-server vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: The X server could be made to crash or run programs as an administrator. Software Description: - xorg-server: X.Org X server Details: USN-1232-1 fixed vulnerabilities in the X.Org X server. A regression was found on Ubuntu 10.04 LTS that affected GLX support, and USN-1232-2 was released to temporarily disable the problematic security fix. This update includes a revised fix for CVE-2010-4818. We apologize for the inconvenience. Original advisory details: It was discovered that the X server incorrectly handled certain malformed input. An authorized attacker could exploit this to cause the X server to crash, leading to a denial or service, or possibly execute arbitrary code with root privileges. This issue only affected Ubuntu 10.04 LTS and 10.10. (CVE-2010-4818) It was discovered that the X server incorrectly handled certain malformed input. An authorized attacker could exploit this to cause the X server to crash, leading to a denial or service, or possibly read arbitrary data from the X server process. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-4819) Vladz discovered that the X server incorrectly handled lock files. A local attacker could use this flaw to determine if a file existed or not. (CVE-2011-4028) Vladz discovered that the X server incorrectly handled setting lock file permissions. A local attacker could use this flaw to gain read permissions on arbitrary files and view sensitive information. (CVE-2011-4029) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 10.10: xserver-xorg-core 2:1.9.0-0ubuntu7.6 Ubuntu 10.04 LTS: xserver-xorg-core 2:1.7.6-2ubuntu7.10 After a standard system update you need to restart your session to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1232-3 http://www.ubuntu.com/usn/usn-1232-1 CVE-2010-4818 Package Information: https://launchpad.net/ubuntu/+source/xorg-server/2:1.9.0-0ubuntu7.6 https://launchpad.net/ubuntu/+source/xorg-server/2:1.7.6-2ubuntu7.10