CVE-2014-8095

The XInput extension in X.Org X Window System (aka X11 or X) X11R4 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXChangeDeviceControl, (2) ProcXChangeDeviceControl, (3) ProcXChangeFeedbackControl, (4) ProcXSendExtensionEvent, (5) SProcXIAllowEvents, (6) SProcXIChangeCursor, (7) ProcXIChangeHierarchy, (8) SProcXIGetClientPointer, (9) SProcXIGrabDevice, (10) SProcXIUngrabDevice, (11) ProcXIUngrabDevice, (12) SProcXIPassiveGrabDevice, (13) ProcXIPassiveGrabDevice, (14) SProcXIPassiveUngrabDevice, (15) ProcXIPassiveUngrabDevice, (16) SProcXListDeviceProperties, (17) SProcXDeleteDeviceProperty, (18) SProcXIListProperties, (19) SProcXIDeleteProperty, (20) SProcXIGetProperty, (21) SProcXIQueryDevice, (22) SProcXIQueryPointer, (23) SProcXISelectEvents, (24) SProcXISetClientPointer, (25) SProcXISetFocus, (26) SProcXIGetFocus, or (27) SProcXIWarpPointer function.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.5 UNKNOWN | NETWORK | LOW | | AV:N/AC:L/Au:S/C:P/I:P/A:P |

EPSS Score Percentile: 78%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| x.org | x11 | 4.0 |
| x.org | x_server | 𝑥 ≤ 1.16.2.99.901 |

𝑥 = Vulnerable software versions
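
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| xorg-server | bookworm | 2:21.1.7-3+deb12u7 | fixed |
| xorg-server | bookworm (security) | 2:21.1.7-3+deb12u8 | fixed |
| xorg-server | bullseye | 2:1.20.11-1+deb11u13 | fixed |
| xorg-server | bullseye (security) | 2:1.20.11-1+deb11u14 | fixed |
| xorg-server | sid | 2:21.1.14-1 | fixed |
| xorg-server | trixie | 2:21.1.14-1 | fixed |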
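
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| xorg-server | lucid | | ignored |
| xorg-server | precise | Fixed 2:1.11.4-0ubuntu10.15 | released |
| xorg-server | trusty | Fixed 2:1.15.1-0ubuntu2.4 | released |
| xorg-server | utopic | Fixed 2:1.16.0-1ubuntu1.1 | released |
| xorg-server-lts-trusty | lucid | | dne |
| xorg-server-lts-trusty | precise | Fixed 2:1.15.1-0ubuntu2~precise3 | released |
| xorg-server-lts-trusty | trusty | | dne |
| xorg-server-lts-trusty | utopic | | dne |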

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| xorg-x11-server | suse enterprise sap 12 SP5 | 1.19.6-8.18 | fixed |
| xorg-x11-server | suse enterprise server 12 SP5 | 1.19.6-8.18 | fixed |
| xorg-x11-server-extra | suse enterprise sap 12 SP5 | 1.19.6-8.18 | fixed |
| xorg-x11-server-extra | suse enterprise server 12 SP5 | 1.19.6-8.18 | fixed |
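
Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| xorg-x11-server-Xdmx | RHEL 6 | 0:1.15.0-25.el6_6 | fixed |
| xorg-x11-server-Xdmx | RHEL 7 | 0:1.15.0-7.el7_0.3 | fixed |
| xorg-x11-server-Xephyr | RHEL 6 | 0:1.15.0-25.el6_6 | fixed |
| xorg-x11-server-Xephyr | RHEL 7 | 0:1.15.0-7.el7_0.3 | fixed |
| xorg-x11-server-Xnest | RHEL 6 | 0:1.15.0-25.el6_6 | fixed |
| xorg-x11-server-Xnest | RHEL 7 | 0:1.15.0-7.el7_0.3 | fixed |
| xorg-x11-server-Xorg | RHEL 6 | 0:1.15.0-25.el6_6 | fixed |
| xorg-x11-server-Xorg | RHEL 7 | 0:1.15.0-7.el7_0.3 | fixed |
| xorg-x11-server-Xvfb | RHEL 6 | 0:1.15.0-25.el6_6 | fixed |
| xorg-x11-server-Xvfb | RHEL 7 | 0:1.15.0-7.el7_0.3 | fixed |
| xorg-x11-server-common | RHEL 6 | 0:1.15.0-25.el6_6 | fixed |
| xorg-x11-server-common | RHEL 7 | 0:1.15.0-7.el7_0.3 | fixed |
| xorg-x11-server-devel | RHEL 6 | 0:1.15.0-25.el6_6 | fixed |
| xorg-x11-server-devel | RHEL 7 | 0:1.15.0-7.el7_0.3 | fixed |
| xorg-x11-server-source | RHEL 6 | 0:1.15.0-25.el6_6 | fixed |
| xorg-x11-server-source | RHEL 7 | 0:1.15.0-7.el7_0.3 | fixed |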