oss-sec mailing list archives
Re: Question about CVE for X!! DoS
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 05 Jul 2013 23:12:22 -0600
On 07/05/2013 09:22 PM, Alan Coopersmith wrote:
> On 07/ 5/13 01:50 PM, Kurt Seifried wrote:
>> http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html
>> https://bugzilla.novell.com/show_bug.cgi?id=815583
>>
>> Lists no CVE? I assume it needs one, or did upstream handle this?
>
> Upstream discussion, including reps from both Red Hat & SuSE, determined
> it didn't need a CVE, since it can only be triggered by a client authorized
> to connect to the Xserver (via xauth, xhost, etc.) and such a client, by
> design, can lock all other clients out from the server, kill clients, etc.
> It would be like wanting a CVE for the fact that another process running
> under your UID can kill your process.
>
> Not sure why SuSE decided to go ahead and release it as a security fix
> anyway - it's certainly a bug fix though.

Yeah that's what had me confused. I would classify this as security
hardening (good to fix, but no trust boundary gets crossed), not a
security vulnerability. Was wondering if it had been found to be worse
or something.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993