important: xorg-x11-server/e2fsprogs security update
important
An update for xorg-x11-server/e2fsprogs is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
xorg-x11-server: Xserver source code needed to build VNC server (Xvnc)
e2fsprogs: E2fsprogs-static contains all static libraries built from e2fsprogs, including libext2fs, libcom_err, libe2p, and libss. These libraries are used to directly acccess ext2/3/4 filesystems from userspace, and perform other useful functions.
Security Fix(es):
xorg-x11-server: A flaw was found in the way the Xserver memory was not properly initialized. This issue leak parts of server memory to the X client. In cases where the Xorg server runs with elevated privileges, this flaw results in a possible ASLR bypass.(CVE-2020-14347)
xorg-x11-server: A flaw was found in the X.Org Server. An out-of-bounds access in the XkbSetMap function may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14360)
xorg-x11-server: A flaw was found in xorg-x11-server. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25712)
xorg-x11-server: A flaw was found in X.Org Server. An Out-Of-Bounds access in XkbSetNames function may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14345)
xorg-x11-server: A flaw was found in xorg-x11-server. A integer underflow in the X input extension protocol decoding in the X server may lead to arbitrary access of memory contents. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14346)
xorg-x11-server: A flaw was found in X.Org Server. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14361)
xorg-x11-server: A flaw was found in X.Org Server. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14362)
xorg-x11-server: bugfix
e2fsprogs: A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.(CVE-2019-5188)
e2fsprogs: An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.(CVE-2019-5094)
e2fsprogs: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F11B5.