Debian Bug report logs - #349251
CVE-2006-0197: XClientMessageEvent struct issue on 64 bit

Package: libx11-6; Maintainer for libx11-6 is Debian X Strike Force <[email protected]>; Source for libx11-6 is src:libx11.

Reported by: Joey Hess <[email protected]>

Date: Sat, 21 Jan 2006 20:48:10 UTC

Severity: normal

Tags: security



Report forwarded to [email protected], Debian X Strike Force <[email protected]>:
Bug#349251; Package xorg-x11.


Acknowledgement sent to Joey Hess <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian X Strike Force <[email protected]>.


Message #5 received at [email protected]:

From: Joey Hess <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: CVE-2006-0197: XClientMessageEvent struct issue on 64 bit
Date: Sat, 21 Jan 2006 15:18:35 -0500
Package: xorg-x11
Severity: normal
Version: 6.9.0.dfsg.1-4
Tags: security

CVE-2006-0197 describes a potential security problem as follows:

  The XClientMessageEvent struct used in certain components of X.Org 6.8.2
  and earlier, possibly including (1) the X server and (2) Xlib, uses a
  "long" specifier for elements of the l array, which results in
  inconsistent sizes in the struct on 32-bit versus 64-bit platforms, and
  might allow attackers to cause a denial of service (application crash)
  and possibly conduct other attacks.

With details here:

http://www.securityfocus.com/archive/1/archive/1/421256/100/0/threaded

The struct remains the same in version 6.9.0.dfsg.1-4. I don't know if
this is actually exploitable or even a bug at all, so please
investigate.

-- 
see shy jo
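
The size difference the CVE text describes, as an added example (not code from the report or from X.Org): the union below has the same shape as the `data` member of Xlib's `XClientMessageEvent`, while a ClientMessage event on the wire always carries 20 bytes of data. `client_data`, `uncovered_bytes` and `decode_format32` are hypothetical names, the sample payload is constructed, and host byte order is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIRE_DATA_LEN 20  /* ClientMessage payload size in the X11 core protocol */

/* Same shape as the data member of Xlib's XClientMessageEvent. */
typedef union {
    char  b[20];
    short s[10];
    long  l[5];   /* 20 bytes on ILP32, 40 bytes on LP64 */
} client_data;

/* Bytes of the in-memory union that the 20-byte wire payload does not cover. */
size_t uncovered_bytes(void) {
    return sizeof(client_data) - WIRE_DATA_LEN;
}

/* Decode a format-32 payload: read five 32-bit values (host byte order
 * assumed) and widen each to long with sign extension. Returns 0 on
 * success, -1 if the buffer is not exactly the wire size. */
int decode_format32(const unsigned char *wire, size_t len, client_data *out) {
    if (len != WIRE_DATA_LEN)
        return -1;
    memset(out, 0, sizeof *out);          /* no stale bytes in the wider union */
    for (size_t i = 0; i < 5; i++) {
        int32_t v;
        memcpy(&v, wire + 4 * i, sizeof v);
        out->l[i] = (long)v;              /* per-element widening, never a raw copy */
    }
    return 0;
}

int main(void) {
    /* Constructed sample payload, not taken from the bug report. */
    int32_t sample[5] = {1, -1, 0, INT32_MAX, 42};
    unsigned char wire[WIRE_DATA_LEN];
    client_data d;
    memcpy(wire, sample, sizeof wire);
    if (decode_format32(wire, sizeof wire, &d) != 0)
        return 1;
    printf("sizeof(long)=%zu union=%zu wire=%d uncovered=%zu\n",
           sizeof(long), sizeof(client_data), WIRE_DATA_LEN, uncovered_bytes());
    printf("l[1]=%ld l[3]=%ld\n", d.l[1], d.l[3]);
    return 0;
}
```

On an LP64 build the union is 40 bytes against a 20-byte payload, so code that treats the two as the same size reads or writes past the wire data; on ILP32 the sizes match.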

Bug reassigned from package `xorg-x11' to `xorg'. Request was from Martin Michlmayr <[email protected]> to [email protected].


Bug reassigned from package `xorg' to `libx11-6'. Request was from Brice Goglin <[email protected]> to [email protected]. (Tue, 22 May 2007 21:36:29 GMT)


Information forwarded to [email protected], Debian X Strike Force <[email protected]>:
Bug#349251; Package libx11-6. (Fri, 10 Aug 2012 14:39:03 GMT)


Acknowledgement sent to Arne Wichmann <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <[email protected]>. (Fri, 10 Aug 2012 14:39:03 GMT)


Message #14 received at [email protected]:

From: Arne Wichmann <[email protected]>
To: [email protected]
Subject: Ping
Date: Fri, 10 Aug 2012 16:32:37 +0200
Hi.

Even though this is just a normal bug it does have security implications,
and it is open for over 5 years now.

Could somebody have a closer look at it?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann ([email protected])

Information forwarded to [email protected], Debian X Strike Force <[email protected]>:
Bug#349251; Package libx11-6. (Sat, 18 Aug 2012 16:24:03 GMT)


Acknowledgement sent to Julien Cristau <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <[email protected]>. (Sat, 18 Aug 2012 16:24:03 GMT)


Message #19 received at [email protected]:

From: Julien Cristau <[email protected]>
To: Arne Wichmann <[email protected]>, [email protected]
Subject: Re: Bug#349251: Ping
Date: Sat, 18 Aug 2012 18:21:29 +0200
On Fri, Aug 10, 2012 at 16:32:37 +0200, Arne Wichmann wrote:

> Hi.
> 
> Even though this is just a normal bug it does have security implications,
> and it is open for over 5 years now.
> 
> Could somebody have a closer look at it?
> 
Neither the subject nor the body of your mail provide a clue as to what
it's about.  Please try to give some context next time.

If this bug is important to you, consider supplying a patch.

Cheers,
Julien



Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 09:18:36 2025; Machine Name: buxtehude
