PublicDateAtUSN: 2017-03-01
Candidate: CVE-2017-2624
PublicDate: 2018-07-27 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2624
 https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
 http://openwall.com/lists/oss-security/2017/03/01/1
 https://ubuntu.com/security/notices/USN-3362-1
Description:
 It was found that xorg-x11-server up to and including 1.19.0 uses memcmp()
 to check the received MIT-MAGIC-COOKIE-1 cookie against the list of valid
 cookies. If the cookie matches, the client is allowed to attach to the Xorg
 session. Since most memcmp() implementations return as soon as the first
 mismatching byte is seen, the comparison takes measurably longer the more
 leading bytes of the guess are correct. An attacker who can connect to the
 display socket can use this timing difference to recover the cookie byte by
 byte, turning a 2^128 brute-force search into an efficient one.
Ubuntu-Description:
Notes:
 tyhicks> 1.19.0 and lower are affected
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856398
Priority: negligible
Discovered-by: Eric Sesterhenn
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0 HIGH]

Patches_xorg-server:
upstream: https://cgit.freedesktop.org/xorg/xserver/commit/?id=d7ac755f0b618eb1259d93c8a16ec6e39a18627c
upstream: https://cgit.freedesktop.org/xorg/xserver/commit/?id=e9dbecf7c259f7e8b610fa93f97ea55f5dafa7af
upstream_xorg-server: released (2:1.19.2-1)
precise_xorg-server: ignored (reached end-of-life)
precise/esm_xorg-server: DNE (precise was needed)
trusty_xorg-server: released (2:1.15.1-0ubuntu2.9)
trusty/esm_xorg-server: released (2:1.15.1-0ubuntu2.9)
vivid/ubuntu-core_xorg-server: DNE
vivid/stable-phone-overlay_xorg-server: ignored (reached end-of-life)
xenial_xorg-server: released (2:1.18.4-0ubuntu0.3)
esm-infra/xenial_xorg-server: released (2:1.18.4-0ubuntu0.3)
yakkety_xorg-server: ignored (reached end-of-life)
zesty_xorg-server: not-affected (2:1.19.3-1ubuntu1)
devel_xorg-server: not-affected (2:1.19.3-1ubuntu1)

Patches_xorg-server-lts-quantal:
upstream_xorg-server-lts-quantal: needs-triage
precise_xorg-server-lts-quantal: ignored (reached end-of-life)
precise/esm_xorg-server-lts-quantal: DNE (precise was ignored [reached end-of-life])
trusty_xorg-server-lts-quantal: DNE
trusty/esm_xorg-server-lts-quantal: DNE
vivid/ubuntu-core_xorg-server-lts-quantal: DNE
vivid/stable-phone-overlay_xorg-server-lts-quantal: DNE
xenial_xorg-server-lts-quantal: DNE
yakkety_xorg-server-lts-quantal: DNE
zesty_xorg-server-lts-quantal: DNE
devel_xorg-server-lts-quantal: DNE

Patches_xorg-server-lts-raring:
upstream_xorg-server-lts-raring: needs-triage
precise_xorg-server-lts-raring: ignored (reached end-of-life)
precise/esm_xorg-server-lts-raring: DNE (precise was ignored [reached end-of-life])
trusty_xorg-server-lts-raring: DNE
trusty/esm_xorg-server-lts-raring: DNE
vivid/ubuntu-core_xorg-server-lts-raring: DNE
vivid/stable-phone-overlay_xorg-server-lts-raring: DNE
xenial_xorg-server-lts-raring: DNE
yakkety_xorg-server-lts-raring: DNE
zesty_xorg-server-lts-raring: DNE
devel_xorg-server-lts-raring: DNE

Patches_xorg-server-lts-saucy:
upstream_xorg-server-lts-saucy: needs-triage
precise_xorg-server-lts-saucy: ignored (reached end-of-life)
precise/esm_xorg-server-lts-saucy: DNE (precise was ignored [reached end-of-life])
trusty_xorg-server-lts-saucy: DNE
trusty/esm_xorg-server-lts-saucy: DNE
vivid/ubuntu-core_xorg-server-lts-saucy: DNE
vivid/stable-phone-overlay_xorg-server-lts-saucy: DNE
xenial_xorg-server-lts-saucy: DNE
yakkety_xorg-server-lts-saucy: DNE
zesty_xorg-server-lts-saucy: DNE
devel_xorg-server-lts-saucy: DNE

Patches_xorg-server-lts-trusty:
upstream_xorg-server-lts-trusty: needs-triage
precise_xorg-server-lts-trusty: ignored (reached end-of-life)
precise/esm_xorg-server-lts-trusty: DNE (precise was needed)
trusty_xorg-server-lts-trusty: DNE
trusty/esm_xorg-server-lts-trusty: DNE
vivid/ubuntu-core_xorg-server-lts-trusty: DNE
vivid/stable-phone-overlay_xorg-server-lts-trusty: DNE
xenial_xorg-server-lts-trusty: DNE
yakkety_xorg-server-lts-trusty: DNE
zesty_xorg-server-lts-trusty: DNE
devel_xorg-server-lts-trusty: DNE

Patches_xorg-server-lts-utopic:
upstream_xorg-server-lts-utopic: needs-triage
precise_xorg-server-lts-utopic: DNE
precise/esm_xorg-server-lts-utopic: DNE
trusty_xorg-server-lts-utopic: ignored (reached end-of-life)
trusty/esm_xorg-server-lts-utopic: DNE (trusty was ignored [reached end-of-life])
vivid/ubuntu-core_xorg-server-lts-utopic: DNE
vivid/stable-phone-overlay_xorg-server-lts-utopic: DNE
xenial_xorg-server-lts-utopic: DNE
yakkety_xorg-server-lts-utopic: DNE
zesty_xorg-server-lts-utopic: DNE
devel_xorg-server-lts-utopic: DNE

Patches_xorg-server-lts-vivid:
upstream_xorg-server-lts-vivid: needs-triage
precise_xorg-server-lts-vivid: DNE
precise/esm_xorg-server-lts-vivid: DNE
trusty_xorg-server-lts-vivid: ignored (reached end-of-life)
trusty/esm_xorg-server-lts-vivid: DNE (trusty was ignored [reached end-of-life])
vivid/ubuntu-core_xorg-server-lts-vivid: DNE
vivid/stable-phone-overlay_xorg-server-lts-vivid: DNE
xenial_xorg-server-lts-vivid: DNE
yakkety_xorg-server-lts-vivid: DNE
zesty_xorg-server-lts-vivid: DNE
devel_xorg-server-lts-vivid: DNE

Patches_xorg-server-lts-wily:
upstream_xorg-server-lts-wily: needs-triage
precise_xorg-server-lts-wily: DNE
precise/esm_xorg-server-lts-wily: DNE
trusty_xorg-server-lts-wily: ignored (reached end-of-life)
trusty/esm_xorg-server-lts-wily: DNE (trusty was ignored [reached end-of-life])
vivid/ubuntu-core_xorg-server-lts-wily: DNE
vivid/stable-phone-overlay_xorg-server-lts-wily: DNE
xenial_xorg-server-lts-wily: DNE
yakkety_xorg-server-lts-wily: DNE
zesty_xorg-server-lts-wily: DNE
devel_xorg-server-lts-wily: DNE

Patches_xorg-server-lts-xenial:
upstream_xorg-server-lts-xenial: needs-triage
precise_xorg-server-lts-xenial: DNE
precise/esm_xorg-server-lts-xenial: DNE
trusty_xorg-server-lts-xenial: released (2:1.18.3-1ubuntu2.3~trusty2)
trusty/esm_xorg-server-lts-xenial: DNE (trusty was released [2:1.18.3-1ubuntu2.3~trusty2])
vivid/ubuntu-core_xorg-server-lts-xenial: DNE
vivid/stable-phone-overlay_xorg-server-lts-xenial: DNE
xenial_xorg-server-lts-xenial: DNE
yakkety_xorg-server-lts-xenial: DNE
zesty_xorg-server-lts-xenial: DNE
devel_xorg-server-lts-xenial: DNE

Patches_xorg-server-hwe-16.04:
upstream_xorg-server-hwe-16.04: needs-triage
precise_xorg-server-hwe-16.04: DNE
precise/esm_xorg-server-hwe-16.04: DNE
trusty_xorg-server-hwe-16.04: DNE
trusty/esm_xorg-server-hwe-16.04: DNE
vivid/ubuntu-core_xorg-server-hwe-16.04: DNE
vivid/stable-phone-overlay_xorg-server-hwe-16.04: DNE
xenial_xorg-server-hwe-16.04: released (2:1.18.4-1ubuntu6.1~16.04.2)
esm-infra/xenial_xorg-server-hwe-16.04: released (2:1.18.4-1ubuntu6.1~16.04.2)
yakkety_xorg-server-hwe-16.04: DNE
zesty_xorg-server-hwe-16.04: DNE
devel_xorg-server-hwe-16.04: DNE
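Added example (not part of the tracker entry and not xorg-server code): a C model of why an early-exit memcmp() on the cookie is exploitable and what a timing-safe comparison changes. The secret_cookie value is constructed for the demonstration, and the "timing" oracle is modelled explicitly as the number of bytes the comparison inspects before returning, which is what a real attacker would infer from response latency over the display socket. recover_cookie() shows the byte-by-byte search that reduces the work from 2^128 to at most 16 * 256 guesses; constant_time_compare() illustrates the approach the referenced upstream commits take (replacing memcmp() with a timing-safe compare) but is my own illustration, not the project's function.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COOKIE_LEN 16   /* MIT-MAGIC-COOKIE-1 cookies are 128 bits */

/* Constructed secret for the demonstration; not a real cookie. */
static const uint8_t secret_cookie[COOKIE_LEN] = {
    0x3a, 0x7f, 0x12, 0xc4, 0x9b, 0x00, 0xee, 0x51,
    0x27, 0xd8, 0x46, 0xb3, 0x0c, 0x95, 0x6a, 0xf1
};

/* Early-exit comparison modelling a typical memcmp(): stops at the first
 * mismatching byte. Returns 0 on match, nonzero otherwise. *examined is the
 * number of bytes inspected, i.e. the quantity a timing side channel leaks. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 1;
        }
    }
    *examined = n;
    return 0;
}

/* Timing-safe comparison: inspects every byte and never branches on secret
 * data; differences are accumulated with OR so the running time does not
 * depend on where (or whether) the inputs differ. */
int constant_time_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    *examined = n;
    return diff != 0;
}

/* Byte-by-byte recovery against the early-exit oracle. For each position,
 * try all 256 values and keep the one that makes the server inspect at
 * least one more byte. Returns the number of guesses used; the recovered
 * cookie is written to guess[]. */
size_t recover_cookie(uint8_t guess[COOKIE_LEN])
{
    size_t guesses = 0;
    memset(guess, 0, COOKIE_LEN);
    for (size_t pos = 0; pos < COOKIE_LEN; pos++) {
        for (int v = 0; v < 256; v++) {
            size_t examined;
            guess[pos] = (uint8_t)v;
            guesses++;
            int rc = leaky_compare(secret_cookie, guess, COOKIE_LEN, &examined);
            if (rc == 0)
                return guesses;          /* full cookie recovered */
            if (examined > pos + 1)
                break;                   /* byte at pos is correct */
        }
    }
    return guesses;
}

int main(void)
{
    uint8_t guess[COOKIE_LEN];
    size_t n = recover_cookie(guess);
    printf("recovered in %zu guesses (worst case %d): %s\n",
           n, COOKIE_LEN * 256,
           memcmp(guess, secret_cookie, COOKIE_LEN) == 0 ? "match" : "MISMATCH");

    /* With the constant-time variant the oracle always reports the same
     * amount of work, so the per-byte search has nothing to key on. */
    uint8_t wrong[COOKIE_LEN] = { 0 };
    size_t e;
    constant_time_compare(secret_cookie, wrong, COOKIE_LEN, &e);
    printf("constant-time compare examined %zu of %d bytes on a mismatch\n", e, COOKIE_LEN);
    return 0;
}
```

Running it shows the 16-byte cookie recovered in a few thousand guesses against the early-exit comparison, whereas the constant-time variant inspects all 16 bytes on every call, so successive guesses are indistinguishable by timing. Real-world exploitation additionally needs enough samples to average out network and scheduling noise, which is why the tracker rates the issue "negligible" with a local, high-complexity CVSS vector; the fix is still worth shipping because a timing-safe compare costs nothing.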