Security Information / 2011 / Security Information -- DSA-2213-1 x11-xserver-utils

Debian Security Advisory

DSA-2213-1 x11-xserver-utils -- missing input sanitization

Date Reported:

08 Apr 2011

Affected Packages:

x11-xserver-utils

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 621423.
In Mitre's CVE dictionary: CVE-2011-0465.

More information:

Sebastian Krahmer discovered that the xrdb utility of x11-xserver-utils, a X server resource database utility, is not properly filtering crafted hostnames. This allows a remote attacker to execute arbitrary code with root privileges given that either remote logins via xdmcp are allowed or the attacker is able to place a rogue DHCP server into the victims network.

For the oldstable distribution (lenny), this problem has been fixed in version 7.3+6.

For the stable distribution (squeeze), this problem has been fixed in version 7.5+3.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 7.6+2.

We recommend that you upgrade your x11-xserver-utils packages.