📖 ~4 min read • Source: Ubuntu Security Notice USN-3456-1
Related CVEs: CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12179 CVE-2017-12180 CVE-2017-12181 CVE-2017-12182 CVE-2017-12183 +9 more
Upstream summary: It was discovered that the X.Org X server incorrectly handled certain
lengths. An attacker able to connect to an X server, either locally or
remotely, could use these issues to crash the server, or possibly execute
arbitrary code.
Table of contents
Symptom & Impact
On Ubuntu 14.04 (trusty) hosts that have xorg-server-lts-xenial installed, administrators report behaviour consistent with Ubuntu Security Notice USN-3456-1: apt reports pending security updates, services backed by xorg-server-lts-xenial fail or restart unexpectedly, AppArmor denials appear in the kernel log, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever xorg-server-lts-xenial sits on the serving path.
Environment & Reproduction
Reproduction targets Ubuntu 14.04 (trusty). Confirm release and installed package:
lsb_release -a
cat /etc/os-release
dpkg -l xorg-server-lts-xenial | tail -2
apt-cache policy xorg-server-lts-xenial
uname -rTrigger the workflow that exposes xorg-server-lts-xenial — multiple vulnerabilities (17 CVEs) — patch and remediation guide while collecting:
sudo tail -200 /var/log/syslog | grep -i xorg-server-lts-xenial
sudo tail -200 /var/log/syslog
sudo tail -200 /var/log/apt/history.log
sudo tail -200 /var/log/kern.log | grep -i apparmorRoot Cause Analysis
Root cause is documented in Ubuntu Security Notice USN-3456-1. Canonical security maintainers shipped fixes in the corresponding xorg-server-lts-xenial update for Ubuntu 14.04; running an outdated build leaves the host exposed to the failure modes described in the advisory. On this release the fix typically arrives via the Ubuntu Pro ESM (esm-infra / esm-apps) channels rather than the standard archive. Correlate apt history with the journal:
grep -A2 -B2 xorg-server-lts-xenial /var/log/apt/history.log
zgrep -A2 -B2 xorg-server-lts-xenial /var/log/apt/history.log.*.gz 2>/dev/null
cat /proc/sys/kernel/tainted # non-zero = tainted kernel / out-of-tree modulesQuick Triage
Run these on Ubuntu 14.04 to capture the current state of xorg-server-lts-xenial:
dpkg -l xorg-server-lts-xenial | tail -1 # installed version
dpkg -V xorg-server-lts-xenial # verify shipped files
sudo apt update && apt list --upgradable 2>/dev/null | grep -i security
sudo service xorg-server-lts-xenial status
sudo ufw status verbose 2>/dev/null | head -20
sudo aa-status 2>/dev/null | head -20
# If xorg-server-lts-xenial ships a service unit (unit/job name often differs from pkg name, e.g.
# bind9→named, apache2→apache2, postgresql-NN→postgresql@NN-main):
initctl list 2>/dev/null | grep xorgOn trusty the standard archive no longer ships security fixes. Verify Ubuntu Pro ESM coverage:
# `pro` CLI not available on this release; check the older `ubuntu-advantage-tools`:
sudo ua status --format=json 2>/dev/null | head
apt-cache policy | grep -i esmStep-by-Step Diagnosis
-
List failing services.
initctl list | grep -v running -
Tail the journal / syslog for
xorg-server-lts-xenial.sudo tail -f /var/log/upstart/xorg-server-lts-xenial.log sudo tail -f /var/log/syslog -
Inspect UFW (Uncomplicated Firewall) state.
sudo ufw status numbered sudo ufw show added sudo iptables -L -n -v | head -30 -
Surface AppArmor denials and switch the profile to complain mode if needed.
sudo journalctl -k 2>/dev/null | grep -i 'apparmor="DENIED"' | tail -30 sudo aa-status # /etc/apparmor.d/usr.bin.xorg-server-lts-xenial or usr.sbin.xorg-server-lts-xenial — inspect first sudo aa-complain /etc/apparmor.d/usr.bin.xorg-server-lts-xenial 2>/dev/null || true -
Verify
xorg-server-lts-xenialintegrity and reinstall if anything is altered.sudo dpkg -V xorg-server-lts-xenial sudo debsums -c xorg-server-lts-xenial 2>/dev/null sudo apt install --reinstall -y xorg-server-lts-xenial -
Correlate findings with
/var/log/apt/history.log,/var/log/dpkg.log, and Ubuntu Security Notice USN-3456-1 to pin the change that introduced xorg-server-lts-xenial — multiple vulnerabilities (17 CVEs) — patch and remediation guide.
Solution – Primary Fix
Apply the corrective apt transaction referenced by Ubuntu Security Notice USN-3456-1, then reload the affected service:
sudo apt update
sudo apt -y install --only-upgrade xorg-server-lts-xenial
# upstart uses initctl, not systemctl:
# Service name may differ from pkg name; check first:
initctl list 2>/dev/null | grep xorg
sudo service xorg-server-lts-xenial restart
dpkg -l xorg-server-lts-xenial | tail -1 # confirm new version
sudo service xorg-server-lts-xenial statusOn trusty the standard archive is past EoL for security; enable Ubuntu Pro ESM to receive the fix:
# Older releases use the `ua` command:
sudo ua attach <token>
sudo ua enable esm-infra
sudo ua enable esm-apps
sudo apt update
sudo apt -y install --only-upgrade xorg-server-lts-xenialFor kernel / glibc / systemd / openssl advisories a reboot (or Livepatch) is required:
sudo apt install -y needrestart
sudo needrestart -r l # list units that need restart
sudo systemctl reboot # or: sudo shutdown -r nowNeed help rolling this patch across an Ubuntu fleet? Our IT Solutions & Services team manages Ubuntu patch windows with Landscape and Ubuntu Pro integration. Get in touch for a free consultation.
Solution – Alternative Approaches
If the primary upgrade is not viable, pick from these:
-
Hold the package so apt cannot upgrade it:
sudo apt-mark hold xorg-server-lts-xenial apt-mark showhold | grep xorg-server-lts-xenial # Release the hold later with: sudo apt-mark unhold xorg-server-lts-xenial -
Pin a known-good version via apt preferences:
# /etc/apt/preferences.d/xorg-server-lts-xenial.pref Package: xorg-server-lts-xenial Pin: version <good-version> Pin-Priority: 1001 -
Downgrade to an older version if a regression is suspected:
apt-cache madison xorg-server-lts-xenial sudo apt install --allow-downgrades -y xorg-server-lts-xenial=<older-version> -
Investigate AppArmor blocking the new binary; switch to complain briefly, capture denials, then re-enforce:
sudo aa-complain /etc/apparmor.d/usr.bin.xorg-server-lts-xenial 2>/dev/null # reproduce the failure sudo journalctl -k | grep apparmor | tail sudo aa-enforce /etc/apparmor.d/usr.bin.xorg-server-lts-xenial 2>/dev/null -
Take only the security pocket update and defer the full point-release upgrade:
sudo apt -y install --only-upgrade -t trusty-security xorg-server-lts-xenial
Verification & Acceptance Criteria
All of these should pass after the fix is applied:
dpkg -l xorg-server-lts-xenial | tail -1 # expected fixed version
apt list --upgradable 2>/dev/null | grep -i security || echo OK
sudo service xorg-server-lts-xenial status
sudo tail -50 /var/log/syslog | grep xorg-server-lts-xenial || echo OK
sudo ufw status numbered | head
sudo aa-status 2>/dev/null | head -5The original reproduction for xorg-server-lts-xenial — multiple vulnerabilities (17 CVEs) — patch and remediation guide must not trigger across two consecutive runs.
Rollback Plan
Capture state before any change:
apt list --installed 2>/dev/null > /root/apt-pre.txt
dpkg --get-selections > /root/dpkg-pre.txt
# ZFS-on-root (Ubuntu 20.04+ default installer option):
sudo zfs snapshot rpool/ROOT/ubuntu@pre-xorg-server-lts-xenial
# LVM-on-root:
sudo lvcreate -L 4G -s -n root_pre_patch /dev/<vg>/<root-lv>To revert:
sudo apt install --allow-downgrades -y xorg-server-lts-xenial=<old-version>
sudo service xorg-server-lts-xenial restart
sudo service xorg-server-lts-xenial restart
# Kernel rollback: pick the prior kernel from the GRUB menu, then:
sudo systemctl reboot
# ZFS rollback (rolls the whole root dataset):
sudo zfs rollback -r rpool/ROOT/ubuntu@pre-xorg-server-lts-xenialPrevention & Hardening
Reduce the chance of this recurring on Ubuntu 14.04 (trusty):
-
Enable scheduled security updates via
unattended-upgrades:sudo apt install -y unattended-upgrades update-notifier-common sudo dpkg-reconfigure -plow unattended-upgrades # /etc/apt/apt.conf.d/50unattended-upgrades: Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; }; -
Install
needrestartso services restart automatically after library upgrades:sudo apt install -y needrestart # /etc/needrestart/needrestart.conf -> $nrconf{restart} = 'a'; -
Attach Ubuntu Pro for ESM (mandatory on this past-EoL release) and Livepatch where supported:
sudo ua attach <token> sudo ua enable esm-infra sudo ua enable esm-apps -
Subscribe to ubuntu-security-announce and watch ubuntu.com/security/cves.
-
Monitor file integrity with
debsumsand AIDE:sudo apt install -y debsums aide sudo debsums -ca sudo aideinit && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db sudo aide --check -
For estate-wide patching, manage with Canonical Landscape:
sudo apt install -y landscape-client sudo landscape-config -
Keep AppArmor profiles in enforce mode and apply CIS Ubuntu Linux Benchmark hardening.
Related Errors & Cross-Refs
Issues that commonly surface alongside xorg-server-lts-xenial — multiple vulnerabilities (17 CVEs) — patch and remediation guide: apt lock contention, broken dpkg state, systemd ordering cycles, AppArmor denials, and UFW rule drift. Useful triage:
sudo dpkg --configure -a
sudo apt --fix-broken install
initctl list | head
sudo journalctl -k 2>/dev/null | grep -i apparmor | tail
cat /proc/sys/kernel/taintedView all ubuntu-14-04 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: Ubuntu Security Notice USN-3456-1. Manual pages useful on Ubuntu 14.04:
man apt
man apt-get
man apt-mark
man dpkg
man initctl
# journald not present on this release
man ufw
man apparmor
man aa-status
man unattended-upgrades
man uaOther resources: Ubuntu Security Notices, Ubuntu CVE Tracker, Ubuntu upgrade notes, and per-package notes in /usr/share/doc/xorg-server-lts-xenial/ for components implicated in xorg-server-lts-xenial — multiple vulnerabilities (17 CVEs) — patch and remediation guide.
