OpenBSD Journal

Errata for X Server Infoleak

Contributed by jj on from the x-window-of-opportunity dept.

As reported by Ted Unangst (tedu@) on tech:

Patches are now available to fix an information leak in the XkbSetGeometry request of X servers. For more information, see the X.org advisory.

We experienced a slight delay getting patches out, as you can see from the date in the patch. This is a comparatively minor issue so we didn't rush things until correctly signed patches were available.

http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/021_xserver.patch.sig

http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/016_xserver.patch.sig

    untrusted comment: signature from openbsd 5.6 base private key
    RWR0EANmo9nqholgu2GQCCaaJuP9HvfU/V5+SgCtPaxbMZfHJRNbbCXzdsIWAL0Dfr9kMeNbiOs21lUgA4Ej3AFsptAdQsB9JQk=

OpenBSD 5.6 errata 16, February 20, 2015:

Information leak in the XkbSetGeometry request of X servers

Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 016_xserver.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

Then build and install a new xserver:

    cd /usr/xenocara/xserver
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build
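
The two header lines of the `.sig` file quoted above can be decoded to see which key a patch claims to be signed with. This is an added example, not part of the original post or of signify itself; it only parses the header and compares key numbers, while the Ed25519 check is still done by `signify -V`. `parse_blob`, `same_key` and `make_pub` are hypothetical helper names, and the public key used in the demo is constructed.

```python
import base64

PREFIX = "untrusted comment: "
SIG_LEN = 2 + 8 + 64  # algorithm tag, key number, Ed25519 signature
PUB_LEN = 2 + 8 + 32  # algorithm tag, key number, Ed25519 public key

# First two lines of 016_xserver.patch.sig as quoted on this page.
PAGE_SIG = (
    "untrusted comment: signature from openbsd 5.6 base private key\n"
    "RWR0EANmo9nqholgu2GQCCaaJuP9HvfU/V5+SgCtPaxbMZfHJRNbbCXzdsIWAL0Dfr9kMeNbiOs21lUgA4Ej3AFsptAdQsB9JQk=\n"
)


def parse_blob(text, expected_len):
    """Parse the comment line and base64 line that open a signify file."""
    lines = text.split("\n", 2)
    if len(lines) < 2 or not lines[0].startswith(PREFIX):
        raise ValueError("missing 'untrusted comment: ' line")
    raw = base64.b64decode(lines[1], validate=True)  # rejects stray characters
    if len(raw) != expected_len:
        raise ValueError("unexpected blob length: %d bytes" % len(raw))
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm tag: %r" % raw[:2])
    return {
        "comment": lines[0][len(PREFIX):],  # not covered by the signature
        "keynum": raw[2:10].hex(),          # identifies the signing key pair
        "payload": raw[10:],                # signature or public key bytes
    }


def same_key(sig_text, pub_text):
    """True when the signature names the key number of the given public key."""
    return (parse_blob(sig_text, SIG_LEN)["keynum"]
            == parse_blob(pub_text, PUB_LEN)["keynum"])


def make_pub(keynum_hex):
    """Constructed stand-in for a .pub file: real layout, all-zero key bytes."""
    raw = b"Ed" + bytes.fromhex(keynum_hex) + bytes(32)
    return PREFIX + "constructed key\n" + base64.b64encode(raw).decode() + "\n"


if __name__ == "__main__":
    hdr = parse_blob(PAGE_SIG, SIG_LEN)
    print(hdr["comment"], hdr["keynum"])
    print(same_key(PAGE_SIG, make_pub(hdr["keynum"])))
```

To compare against an installed key, pass the contents of `/etc/signify/openbsd-56-base.pub` as `pub_text` in place of the constructed one.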
