oss-sec mailing list archives
Re: [security () suse de] Re: [oss-security] Question about CVE for X!! DoS
From: Marcus Meissner <meissner () suse de>
Date: Tue, 9 Jul 2013 13:18:09 +0200
On Fri, Jul 05, 2013 at 11:12:22PM -0600, Kurt Seifried wrote:
> On 07/05/2013 09:22 PM, Alan Coopersmith wrote:
>> On 07/ 5/13 01:50 PM, Kurt Seifried wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html
>>> https://bugzilla.novell.com/show_bug.cgi?id=815583
>>>
>>> Lists no CVE? I assume it needs one, or did upstream handle this?
>>
>> Upstream discussion, including reps from both Red Hat & SuSE, determined
>> it didn't need a CVE, since it can only be triggered by a client authorized
>> to connect to the Xserver (via xauth, xhost, etc.) and such a client, by
>> design, can lock all other clients out from the server, kill clients, etc.
>>
>> It would be like wanting a CVE for the fact that another process running
>> under your UID can kill your process.
>>
>> Not sure why SuSE decided to go ahead and release it as a security fix
>> anyway - it's certainly a bug fix though.
>
> Yeah that's what had me confused. I would classify this as security
> hardening (good to fix, but no trust boundary gets crossed), not a
> security vulnerability. Was wondering if it had been found to be worse or
> something.

I checked this and we had opened a security bug as the bug initially arrived at xorg_security...

We did not untag it for security, so it went to our process with the incorrect tagging and no CVE. I see that we missed recording the follow-up discussion, which was probably the reason for that.

Sorry for the confusion.

Ciao, Marcus