USN-939-1: vulnerabilities

18 May 2010

xorg-server vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.04 LTS


A remote attacker could trigger a crash in In addition, the xvfb-run tool left the session cookie visible when launching

Software Description

  • xorg-server - The core windowing server


Loïc Minier discovered that xvfb-run did not correctly keep the session cookie private. A local attacker could gain access to any local sessions started by xvfb-run. Ubuntu 9.10 was not affected. (CVE-2009-1573)

It was discovered that the server did not correctly handle certain calculations. A remote attacker could exploit this to crash the session or possibly run arbitrary code with root privileges. (CVE-2010-1166)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

  • xserver-xorg-core - 2:1.6.4-2ubuntu4.3

Ubuntu 9.04

  • xserver-xorg-core - 2:1.6.0-0ubuntu14.2
  • xvfb - 2:1.6.0-0ubuntu14.2

Ubuntu 8.04 LTS

  • xserver-xorg-core - 2:1.4.1~git20080131-1ubuntu9.3
  • xvfb - 2:1.4.1~git20080131-1ubuntu9.3

To update your system, please follow these instructions:

After a standard system update you need to restart your session to make all the necessary changes.
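
To check a collected package inventory against the fixed versions listed above, the following added example (not part of the original notice) reimplements Debian version ordering, including the epoch and the `~` rule that the 8.04 LTS version depends on. The host names and installed versions in `INVENTORY` are constructed; on a single host, `dpkg --compare-versions` performs the same comparison.

```python
import re

# Fixed versions copied from the update instructions in this notice.
FIXED = {
    "9.10": {"xserver-xorg-core": "2:1.6.4-2ubuntu4.3"},
    "9.04": {"xserver-xorg-core": "2:1.6.0-0ubuntu14.2", "xvfb": "2:1.6.0-0ubuntu14.2"},
    "8.04": {"xserver-xorg-core": "2:1.4.1~git20080131-1ubuntu9.3",
             "xvfb": "2:1.4.1~git20080131-1ubuntu9.3"},
}

def _order(c):
    # '~' sorts before end-of-string; letters sort before other punctuation.
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) + (0 if c.isalpha() else 256)

def _cmp_part(a, b):
    # Alternate non-digit runs (compared by weight) and digit runs (numerically).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        i, j = i + len(da), j + len(db)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def deb_compare(v1, v2):
    # Negative, zero or positive, like a C comparator.
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def needs_update(release, package, installed):
    fixed = FIXED.get(release, {}).get(package)
    return fixed is not None and deb_compare(installed, fixed) < 0

# Constructed inventory rows: (host, release, package, installed version).
INVENTORY = [("build01", "9.04", "xvfb", "2:1.6.0-0ubuntu14.1"),
             ("desk07", "8.04", "xserver-xorg-core", "2:1.4.1~git20080131-1ubuntu9.3")]
UNPATCHED = [row for row in INVENTORY if needs_update(*row[1:])]
```
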