CVE-2017-2624

Priority
Description
It was found that xorg-x11-server versions up to and including 1.19.0 use
memcmp() to check the received MIT cookie against a series of valid cookies.
If the cookie is correct, the client is allowed to attach to the Xorg
session. Since most memcmp() implementations return as soon as an invalid
byte is seen, the comparison time differs depending on how many leading
bytes are valid, which could allow an efficient brute-force attack.
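
The timing difference described above, shown as an added example (not code from xorg-server or from this tracker page). The byte count each comparison reads stands in for its running time; `leaky_equal`, `ct_equal`, `probe` and the sample cookie bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define COOKIE_LEN 16 /* constructed sample length: a 128-bit cookie */

/* Models an early-exit memcmp(): stops at the first mismatch. *examined is
 * the number of bytes read, a stand-in for the time an observer measures. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) { *examined = i + 1; return 0; }
    *examined = n;
    return 1;
}

/* Constant-time form: always reads all n bytes and ORs the differences, so
 * the work done is independent of where (or whether) a byte differs. */
static int ct_equal(const unsigned char *a, const unsigned char *b,
                    size_t n, size_t *examined)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *examined = n;
    return diff == 0;
}

/* Compares a constructed cookie with a guess whose first correct_prefix
 * bytes are right; returns how many bytes the chosen comparison read. */
static size_t probe(int use_ct, size_t correct_prefix)
{
    unsigned char cookie[COOKIE_LEN], guess[COOKIE_LEN];
    size_t examined = 0;
    for (size_t i = 0; i < COOKIE_LEN; i++) {
        cookie[i] = (unsigned char)(0xA0 + i);
        guess[i] = (unsigned char)(i < correct_prefix ? cookie[i] : ~cookie[i]);
    }
    (use_ct ? ct_equal : leaky_equal)(cookie, guess, COOKIE_LEN, &examined);
    return examined;
}

int main(void)
{
    for (size_t k = 0; k <= COOKIE_LEN; k += 4)
        printf("prefix=%2zu leaky=%2zu ct=%2zu\n", k, probe(0, k), probe(1, k));
    return 0;
}
```

In production code, prefer a vetted routine such as timingsafe_memcmp() (OpenBSD, libbsd) or CRYPTO_memcmp() (OpenSSL), since an optimizing compiler is free to transform a hand-written loop.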
Notes
tyhicks: 1.19.0 and lower are affected
Package
Upstream: released (2:1.19.2-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): released ([2:1.15.1-0ubuntu2.9])
Ubuntu 16.04 LTS (Xenial Xerus): released (2:1.18.4-0ubuntu0.3)
Patches:
Upstream: https://cgit.freedesktop.org/xorg/xserver/commit/?id=d7ac755f0b618eb1259d93c8a16ec6e39a18627c
Upstream: https://cgit.freedesktop.org/xorg/xserver/commit/?id=e9dbecf7c259f7e8b610fa93f97ea55f5dafa7af
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (2:1.18.4-1ubuntu6.1~16.04.2)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was ignored [reached end-of-life])
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was ignored [reached end-of-life])
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was ignored [reached end-of-life])
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was ignored [reached end-of-life])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was ignored [reached end-of-life])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was ignored [reached end-of-life])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [2:1.18.3-1ubuntu2.3~trusty2])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
More Information

Updated: 2020-01-29 19:58:57 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)