CVE-2012-2118
Published: 18 May 2012
Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name.
Notes
| Author | Note |
|---|---|
| jdstrand | Reducing priority because we build with -D_FORTIFY_SOURCE=2 and as of USN-1396-1, Ubuntu's glibc is patched to fix (CVE-2012-0864), so this is reduced to a denial of service. per upstream, only 1.10 and higher are affected: http://lists.x.org/pipermail/xorg-devel/2012-May/031411.html |
| sbeattie | with experimentation, was not able to cause the 1.10 server to crash in natty and oneiric, marking those not-affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
xorg-server Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
|
| lucid |
Not vulnerable
(2:1.7.6-2ubuntu7.11)
|
|
| natty |
Not vulnerable
(see note)
|
|
| oneiric |
Not vulnerable
(see note)
|
|
| precise |
Released
(2:1.11.4-0ubuntu10.5)
|
|
| quantal |
Not vulnerable
(2:1.13.0-0ubuntu6.1)
|
|
| upstream |
Needs triage
|
|
|
Patches: other: http://patchwork.freedesktop.org/patch/10000/ other: http://patchwork.freedesktop.org/patch/9998/ other: http://patchwork.freedesktop.org/patch/9999/ other: http://patchwork.freedesktop.org/patch/10001/ |
||
| This vulnerability is mitigated in part by the use of -D_FORTIFY_SOURCE=2 in Ubuntu. | ||