Security update for xorg-x11-server

Announcement ID:	SUSE-SU-2017:3047-1
Rating:	moderate
References:	bsc#1022727 bsc#1051150 bsc#1052984 bsc#1061107 bsc#1063034 bsc#1063035 bsc#1063037 bsc#1063038 bsc#1063039 bsc#1063040 bsc#1063041
Cross-References:	CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12179 CVE-2017-12180 CVE-2017-12181 CVE-2017-12182 CVE-2017-12183 CVE-2017-12184 CVE-2017-12185 CVE-2017-12186 CVE-2017-12187 CVE-2017-13721 CVE-2017-13723
CVSS scores:	CVE-2017-12176 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12176 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12177 ( SUSE ): 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2017-12177 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12178 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12178 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12179 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12179 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12180 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12180 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12181 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12181 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12182 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12182 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12183 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12183 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12184 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12184 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12185 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12185 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12186 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12186 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12187 ( SUSE ): 5.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-12187 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-13721 ( SUSE ): 6.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H CVE-2017-13721 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-13723 ( SUSE ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-13723 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 SUSE Linux Enterprise Software Development Kit 12 12-SP2 SUSE Linux Enterprise Software Development Kit 12 SP3

An update that solves 14 vulnerabilities can now be installed.

Description:

This update for xorg-x11-server fixes several issues.

These security issues were fixed:

• CVE-2017-13721: Missing validation of shmseg resource id in Xext/XShm could lead to shared memory segments of other users beeing freed (bnc#1052984)
• CVE-2017-13723: A local denial of service via unusual characters in XkbAtomText and XkbStringText was fixed (bnc#1051150)
• CVE-2017-12184,CVE-2017-12185,CVE-2017-12186,CVE-2017-12187: Fixed unvalidated lengths in multiple extensions (bsc#1063034)
• CVE-2017-12183: Fixed some unvalidated lengths in the XFIXES extension. (bsc#1063035)
• CVE-2017-12180,CVE-2017-12181,CVE-2017-12182: Fixed various unvalidated lengths in the XFree86-VidMode/XFree86-DGA/XFree86-DRI extensions (bsc#1063037)
• CVE-2017-12179: Fixed an integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer in Xi (bsc#1063038)
• CVE-2017-12178: Fixed a wrong extra length check in ProcXIChangeHierarchy in Xi (bsc#1063039)
• CVE-2017-12177: Fixed an unvalidated variable-length request in ProcDbeGetVisualInfo (bsc#1063040)
• CVE-2017-12176: Fixed an unvalidated extra length in ProcEstablishConnection (bsc#1063041)

These non-security issues were fixed:

• Make colormap/gamma glue code work with the RandR extension disabled. This prevents it from crashing and showing wrong colors. (bsc#1061107)
• Recognize ssh as a remote client to fix launching applications remotely when using DRI3. (bsc#1022727)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP2
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-1884=1
• SUSE Linux Enterprise Desktop 12 SP3
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2017-1884=1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1884=1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1884=1
• SUSE Linux Enterprise Software Development Kit 12 SP3
  zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-1884=1
• SUSE Linux Enterprise High Performance Computing 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1884=1
• SUSE Linux Enterprise Server 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1884=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1884=1
• SUSE Linux Enterprise Server 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1884=1
• SUSE Linux Enterprise High Performance Computing 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1884=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1884=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise Desktop 12 SP3 (x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise Software Development Kit 12 12-SP2 (aarch64 ppc64le s390x x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-sdk-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise Software Development Kit 12 SP3 (aarch64 ppc64le s390x x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-sdk-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise Server 12 SP3 (aarch64 ppc64le s390x x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise High Performance Computing 12 SP3 (aarch64 x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
  • xorg-x11-server-debugsource-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-7.6_1.18.3-76.15.2
  • xorg-x11-server-7.6_1.18.3-76.15.2
  • xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.15.2
  • xorg-x11-server-debuginfo-7.6_1.18.3-76.15.2

References:

• https://www.suse.com/security/cve/CVE-2017-12176.html
• https://www.suse.com/security/cve/CVE-2017-12177.html
• https://www.suse.com/security/cve/CVE-2017-12178.html
• https://www.suse.com/security/cve/CVE-2017-12179.html
• https://www.suse.com/security/cve/CVE-2017-12180.html
• https://www.suse.com/security/cve/CVE-2017-12181.html
• https://www.suse.com/security/cve/CVE-2017-12182.html
• https://www.suse.com/security/cve/CVE-2017-12183.html
• https://www.suse.com/security/cve/CVE-2017-12184.html
• https://www.suse.com/security/cve/CVE-2017-12185.html
• https://www.suse.com/security/cve/CVE-2017-12186.html
• https://www.suse.com/security/cve/CVE-2017-12187.html
• https://www.suse.com/security/cve/CVE-2017-13721.html
• https://www.suse.com/security/cve/CVE-2017-13723.html
• https://bugzilla.suse.com/show_bug.cgi?id=1022727
• https://bugzilla.suse.com/show_bug.cgi?id=1051150
• https://bugzilla.suse.com/show_bug.cgi?id=1052984
• https://bugzilla.suse.com/show_bug.cgi?id=1061107
• https://bugzilla.suse.com/show_bug.cgi?id=1063034
• https://bugzilla.suse.com/show_bug.cgi?id=1063035
• https://bugzilla.suse.com/show_bug.cgi?id=1063037
• https://bugzilla.suse.com/show_bug.cgi?id=1063038
• https://bugzilla.suse.com/show_bug.cgi?id=1063039
• https://bugzilla.suse.com/show_bug.cgi?id=1063040
• https://bugzilla.suse.com/show_bug.cgi?id=1063041