Debian Security Advisory DSA 1466-2 (xorg-server, libxfont, xfree86)

Information

Severity: Critical

Family: Debian Local Security Checks

CVSSv2 Base: 9.3

CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Solution Type: Vendor Patch

Created: 16 years ago

Modified: 6 years ago

Summary

The remote host is missing an update to xorg-server, libxfont, xfree86 announced via advisory DSA 1466-2.

Insight

The X.org fix for CVE-2007-6429 introduced a regression in the MIT-SHM extension, which prevented the start of a few applications. This update fixes this problem and also references the patch for CVE-2008-0006, which was included in the previous update, but not mentioned in the advisory text.

Several local vulnerabilities have been discovered in the X.Org X server. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-5760: regenrecht discovered that missing input sanitising within the XFree86-Misc extension may lead to local privilege escalation.

CVE-2007-5958: It was discovered that error messages of security policy file handling may lead to a minor information leak disclosing the existence of files otherwise inaccessible to the user.

CVE-2007-6427: regenrecht discovered that missing input sanitising within the XInput-Misc extension may lead to local privilege escalation.

CVE-2007-6428: regenrecht discovered that missing input sanitising within the TOG-CUP extension may lead to disclosure of memory contents.

CVE-2007-6429: regenrecht discovered that integer overflows in the EVI and MIT-SHM extensions may lead to local privilege escalation.

CVE-2008-0006: It was discovered that insufficient validation of PCF fonts could lead to local privilege escalation.

For the unstable distribution (sid), this problem has been fixed in version 2:1.4.1~git20080118-1 of xorg-server and version 1:1.3.1-2 of libxfont.

For the stable distribution (etch), this problem has been fixed in version 1.1.1-21etch3 of xorg-server and 1.2.2-2.etch1 of libxfont.

For the oldstable distribution (etch), this problem has been fixed in version 4.3.0.dfsg.1-14sarge6 of xfree86.

We recommend that you upgrade your libxfont and xorg-server packages.

Solution

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201466-2