6.5 - CVE-2014-8103

Executive Summary

Informations
Name	CVE-2014-8103	First vendor Publication	2014-12-10
Vendor	Cve	Last vendor Modification	2023-02-13

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Cvss Base Score	6.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

X.Org Server (aka xserver and xorg-server) 1.15.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) sproc_dri3_query_version, (2) sproc_dri3_open, (3) sproc_dri3_pixmap_from_buffer, (4) sproc_dri3_buffer_from_pixmap, (5) sproc_dri3_fence_from_fd, (6) sproc_dri3_fd_from_fence, (7) proc_present_query_capabilities, (8) sproc_present_query_version, (9) sproc_present_pixmap, (10) sproc_present_notify_msc, (11) sproc_present_select_input, or (12) sproc_present_query_capabilities function in the (a) DRI3 or (b) Present extension.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8103

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:28543

Oval ID:	oval:org.mitre.oval:def:28543
Title:	ELSA-2014-1983 -- xorg-x11-server security update (important)
Description:	[1.15.0-7.0.1.el7_0.3] - Invalid BUG_RETURN_VAL fix, upstream patch (orabug 18896390) [1.15.0-7.3] - CVE fixes for: CVE-2014-8099, CVE-2014-8098, CVE-2014-8097, CVE-2014-8096, CVE-2014-8095, CVE-2014-8094, CVE-2014-8093, CVE-2014-8092, CVE-2014-8091, CVE-2014-8101, CVE-2014-8100, CVE-2014-8103, CVE-2014-8102
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-1983 CVE-2014-8091 CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103	Version:	3
Platform(s):	Oracle Linux 6 Oracle Linux 7	Product(s):	xorg-x11-server
Definition Synopsis:
Oracle Linux 6 release section Oracle Linux 6.x Packages match section xorg-x11-server is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xdmx is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xephyr is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xnest is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xorg is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xvfb is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-common is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-devel is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-source is earlier than 0:1.15.0-25.el6_6 AND Oracle Linux 7 release section Oracle Linux 7.x Packages match section xorg-x11-server is earlier than 0:1.15.0-7.0.1.el7_0.3 AND xorg-x11-server-Xdmx is earlier than 0:1.15.0-7.0.1.el7_0.3 AND xorg-x11-server-Xephyr is earlier than 0:1.15.0-7.0.1.el7_0.3 AND xorg-x11-server-Xnest is earlier than 0:1.15.0-7.0.1.el7_0.3 AND xorg-x11-server-Xorg is earlier than 0:1.15.0-7.0.1.el7_0.3 AND xorg-x11-server-Xvfb is earlier than 0:1.15.0-7.0.1.el7_0.3 AND xorg-x11-server-common is earlier than 0:1.15.0-7.0.1.el7_0.3 AND xorg-x11-server-devel is earlier than 0:1.15.0-7.0.1.el7_0.3 AND xorg-x11-server-source is earlier than 0:1.15.0-7.0.1.el7_0.3

Definition Id: oval:org.mitre.oval:def:28613

Oval ID:	oval:org.mitre.oval:def:28613
Title:	RHSA-2014:1983 -- xorg-x11-server security update (Important)
Description:	X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2014-8092, CVE-2014-8093, CVE-2014-8098) It was found that the X.Org server did not properly handle SUN-DES-1 (Secure RPC) authentication credentials. A malicious, unauthenticated client could use this flaw to crash the X.Org server by submitting a specially crafted authentication request. (CVE-2014-8091) Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server, or leak memory contents to the client. (CVE-2014-8097) An integer overflow flaw was found in the way the X.Org server calculated memory requirements for certain DRI2 extension requests. A malicious, authenticated client could use this flaw to crash the X.Org server. (CVE-2014-8094) Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server. (CVE-2014-8095, CVE-2014-8096, CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102, CVE-2014-8103) All xorg-x11-server users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:1983 CESA-2014:1983-CentOS 7 CESA-2014:1983-CentOS 6 CVE-2014-8091 CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103	Version:	3
Platform(s):	Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 CentOS Linux 7 CentOS Linux 6	Product(s):	xorg-x11-server
Definition Synopsis:
Red Hat Enterprise Linux 6 release section The operating system installed on the system is Red Hat Enterprise Linux 6 Packages match section xorg-x11-server-Xdmx is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xephyr is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xnest is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xorg is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-Xvfb is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-common is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-debuginfo is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-devel is earlier than 0:1.15.0-25.el6_6 AND xorg-x11-server-source is earlier than 0:1.15.0-25.el6_6 AND Red Hat Enterprise Linux 7 and CentOS Linux 7 release section Operation system section The operating system installed on the system is Red Hat Enterprise Linux 7 AND The operating system installed on the system is CentOS Linux 7.x Packages match section xorg-x11-server-Xdmx is earlier than 0:1.15.0-7.el7_0.3 AND xorg-x11-server-Xephyr is earlier than 0:1.15.0-7.el7_0.3 AND xorg-x11-server-Xnest is earlier than 0:1.15.0-7.el7_0.3 AND xorg-x11-server-Xorg is earlier than 0:1.15.0-7.el7_0.3 AND xorg-x11-server-Xvfb is earlier than 0:1.15.0-7.el7_0.3 AND xorg-x11-server-common is earlier than 0:1.15.0-7.el7_0.3 AND xorg-x11-server-devel is earlier than 0:1.15.0-7.el7_0.3 AND xorg-x11-server-source is earlier than 0:1.15.0-7.el7_0.3 AND Red Hat Enterprise Linux 7 release section The operating system installed on the system is Red Hat Enterprise Linux 7 AND xorg-x11-server-debuginfo is earlier than 0:1.15.0-7.el7_0.3 AND CentOS Linux 6 release section The operating system installed on the system is CentOS Linux 6.x Packages match section xorg-x11-server-common is earlier than 0:1.15.0-25.el6.centos AND xorg-x11-server-devel is earlier than 0:1.15.0-25.el6.centos AND xorg-x11-server-source is earlier than 0:1.15.0-25.el6.centos AND xorg-x11-server-Xdmx is earlier than 0:1.15.0-25.el6.centos AND xorg-x11-server-Xephyr is earlier than 0:1.15.0-25.el6.centos AND xorg-x11-server-Xnest is earlier than 0:1.15.0-25.el6.centos AND xorg-x11-server-Xorg is earlier than 0:1.15.0-25.el6.centos AND xorg-x11-server-Xvfb is earlier than 0:1.15.0-25.el6.centos

Definition Id: oval:org.mitre.oval:def:28635

Oval ID:	oval:org.mitre.oval:def:28635
Title:	USN-2436-1 -- X.Org X server vulnerabilities
Description:	Ilja van Sprundel discovered a multitude of security issues in the X.Org X server. An attacker able to connect to an X server, either locally or remotely, could use these issues to cause the X server to crash or execute arbitrary code resulting in possible privilege escalation.
Family:	unix	Class:	patch
Reference(s):	USN-2436-1 CVE-2014-8091 CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103	Version:	3
Platform(s):	Ubuntu 14.10 Ubuntu 14.04 Ubuntu 12.04	Product(s):	xorg-server xorg-server-lts-trusty
Definition Synopsis:
Ubuntu 14.10 release section Ubuntu 14.10 is installed AND xserver-xorg-core is earlier than 2:1.16.0-1ubuntu1.1 AND Ubuntu 14.04 release section Ubuntu 14.04 is installed AND xserver-xorg-core is earlier than 2:1.15.1-0ubuntu2.4 AND Ubuntu 12.04 release section Ubuntu 12.04 is installed Packages match section xserver-xorg-core is earlier than 2:1.11.4-0ubuntu10.15 AND xserver-xorg-core-lts-trusty is earlier than 2:1.15.1-0ubuntu2~precise3

CPE : Common Platform Enumeration

Type	Description	Count
Application	X.Org Xorg-Server cpe:2.3:a:x.org:xorg-server:1.16.2.99.901:::::::* cpe:2.3:a:x.org:xorg-server:1.16.2.901:::::::* cpe:2.3:a:x.org:xorg-server:1.16.2:::::::* cpe:2.3:a:x.org:xorg-server:1.16.1.901:::::::* cpe:2.3:a:x.org:xorg-server:1.16.1:::::::* cpe:2.3:a:x.org:xorg-server:1.16.0.901:::::::* cpe:2.3:a:x.org:xorg-server:1.16.0:::::::* cpe:2.3:a:x.org:xorg-server:1.15.99.904:::::::* cpe:2.3:a:x.org:xorg-server:1.15.99.903:::::::* cpe:2.3:a:x.org:xorg-server:1.15.99.902:::::::* cpe:2.3:a:x.org:xorg-server:1.15.99.901:::::::* cpe:2.3:a:x.org:xorg-server:1.15.2:::::::* cpe:2.3:a:x.org:xorg-server:1.15.1:::::::* cpe:2.3:a:x.org:xorg-server:1.15.0.901:::::::* cpe:2.3:a:x.org:xorg-server:1.15.0:::::::*	15

Nessus® Vulnerability Scanner

Date	Description
2015-06-10	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201504-06.nasl - Type : ACT_GATHER_INFO
2015-05-20	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0047-1.nasl - Type : ACT_GATHER_INFO
2015-01-16	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-470.nasl - Type : ACT_GATHER_INFO
2014-12-29	Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-815.nasl - Type : ACT_GATHER_INFO
2014-12-23	Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-356-03.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1983.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1983.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1983.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20141211_xorg_x11_server_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-12-10	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2436-1.nasl - Type : ACT_GATHER_INFO
2014-12-10	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2436-2.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source	Url
CONFIRM	http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
GENTOO	https://security.gentoo.org/glsa/201504-06
SECUNIA	http://secunia.com/advisories/61947

Alert History

If you want to see full details history, please login or register.

Date	Informations
2023-02-13 05:28:13	Multiple Updates
2023-02-02 21:28:30	Multiple Updates
2021-05-04 12:34:53	Multiple Updates
2021-04-22 01:42:21	Multiple Updates
2020-05-23 00:42:35	Multiple Updates
2017-01-03 09:23:00	Multiple Updates
2016-12-22 09:23:40	Multiple Updates
2016-10-26 09:22:43	Multiple Updates
2016-04-27 01:23:12	Multiple Updates
2015-06-11 13:27:36	Multiple Updates
2015-05-21 13:31:46	Multiple Updates
2015-04-09 21:27:28	Multiple Updates
2015-01-18 13:25:05	Multiple Updates
2014-12-30 13:25:09	Multiple Updates
2014-12-24 13:25:30	Multiple Updates
2014-12-16 13:25:32	Multiple Updates
2014-12-12 00:22:43	Multiple Updates
2014-12-11 17:22:50	Multiple Updates
2014-12-11 13:25:09	Multiple Updates
2014-12-10 21:25:30	First insertion

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	3
CPE ID(s)	15
Sources(s)	4
Nessus® Exploit(s)	11

	Related
6.5	USN-2436-1
6.5	RHSA-2014:1983
6.5	GLSA-201504-06
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)

6.5 - CVE-2014-8103

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Nessus® Vulnerability Scanner

Sources (Detail)

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU