Ubuntu Security Notice USN-939-1
18th May, 2010
xorg-server vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 9.10
- Ubuntu 9.04
- Ubuntu 8.04 LTS
Summary
A remote attacker could trigger a crash in X.org. In addition, the xvfb-run tool left the session cookie visible when launching X.org.
Software description
- xorg-server - The core X.org windowing server
Details
Loïc Minier discovered that xvfb-run did not correctly keep the
X.org session cookie private. A local attacker could gain access
to any local sessions started by xvfb-run. Ubuntu 9.10 was not
affected. (CVE-2009-1573)

It was discovered that the X.org server did not correctly handle
certain calculations. A remote attacker could exploit this to
crash the X.org session or possibly run arbitrary code with root
privileges. (CVE-2010-1166)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 9.10:
  - xserver-xorg-core 2:1.6.4-2ubuntu4.3
- Ubuntu 9.04:
  - xserver-xorg-core 2:1.6.0-0ubuntu14.2
  - xvfb 2:1.6.0-0ubuntu14.2
- Ubuntu 8.04 LTS:
  - xserver-xorg-core 2:1.4.1~git20080131-1ubuntu9.3
  - xvfb 2:1.4.1~git20080131-1ubuntu9.3
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart your session for
all the necessary changes to take effect.