Main Vulnerability Database SB2011120204

SB2011120204 - SUSE Linux update for xorg-x11-server

Published: December 2, 2011

Security Bulletin ID SB2011120204

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Link following (CVE-ID: CVE-2011-4028)

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to determine the existence of arbitrary files via a symlink attack on a temporary lock file, which is handled differently if the file exists.

2) Race condition (CVE-ID: CVE-2011-4029)

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file.

Remediation

Install update from vendor's website.

References

https://lists.opensuse.org/opensuse-security-announce/2011-12/msg00002.html