Re: [security () suse de] Re: [oss-security] Question about CVE for X!! DoS

[Marcus Meissner <meissner () suse de>]

On Fri, Jul 05, 2013 at 11:12:22PM -0600, Kurt Seifried wrote:
> On 07/05/2013 09:22 PM, Alan Coopersmith wrote:
> > On 07/ 5/13 01:50 PM, Kurt Seifried wrote:
> > > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> > >
> > > http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html 
> > > https://bugzilla.novell.com/show_bug.cgi?id=815583
> > >
> > > Lists no CVE? I assume it needs one, or did upstream handle
> > > this?
> >
> > Upstream discussion, including reps from both Red Hat & SuSE,
> > determined it didn't need a CVE, since it can only be triggered by
> > a client authorized to connect to the Xserver (via xauth, xhost,
> > etc.) and such a client, by design, can lock all other clients out
> > from the server, kill clients, etc.
> >
> > It would be like wanting a CVE for the fact that another process
> > running under your UID can kill your process.
> >
> > Not sure why SuSE decided to go ahead and release it as a security
> > fix anyway - it's certainly a bug fix though.
>
> Yeah that's what had me confused. I would classify this as security
> hardening (good to fix, but no trust boundary gets crossed), not a
> security vulnerability. Was wondering if it had been found to be worse
> or something.

I checked this and we had opened a security bug as the bug initially
arrived at xorg_security... We did not untag it for security so
it went to our process with the incorrect tagging and no CVE.

I see that we missed to record the follow up discussion which was
probably the reason for that.

Sorry for the confusion.

Ciao, Marcus