oss-sec mailing list archives

Re: Question about CVE for X!! DoS


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 05 Jul 2013 23:12:22 -0600

On 07/05/2013 09:22 PM, Alan Coopersmith wrote:
> On 07/ 5/13 01:50 PM, Kurt Seifried wrote:
>
>> http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html
>> https://bugzilla.novell.com/show_bug.cgi?id=815583
>>
>> Lists no CVE? I assume it needs one, or did upstream handle
>> this?

> Upstream discussion, including reps from both Red Hat & SuSE,
> determined it didn't need a CVE, since it can only be triggered by
> a client authorized to connect to the Xserver (via xauth, xhost,
> etc.) and such a client, by design, can lock all other clients out
> from the server, kill clients, etc.
>
> It would be like wanting a CVE for the fact that another process
> running under your UID can kill your process.
>
> Not sure why SuSE decided to go ahead and release it as a security
> fix anyway - it's certainly a bug fix though.

Yeah that's what had me confused. I would classify this as security
hardening (good to fix, but no trust boundary gets crossed), not a
security vulnerability. Was wondering if it had been found to be worse
or something.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993