VuXML ID | Description |
6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0 | libX11 -- Heap corruption in the X input method client in libX11
The X.org project reports:
The X Input Method (XIM) client implementation in libX11 has some
integer overflows and signed/unsigned comparison issues that can
lead to heap corruption when handling malformed messages from an
input method.
Discovery 2020-07-31 Entry 2020-08-01 libX11
< 1.6.9_3,1
https://lists.x.org/archives/xorg-announce/2020-July/003050.html
CVE-2020-14344
|
58d6ed66-c2e8-11eb-9fb0-6451062f0f7a | libX11 -- Arbitrary code execution
The X.org project reports:
XLookupColor() and other X libraries function lack proper validation
of the length of their string parameters. If those parameters can be
controlled by an external application (for instance a color name that
can be emitted via a terminal control sequence) it can lead to the
emission of extra X protocol requests to the X server.
Discovery 2021-05-11 Entry 2021-06-01 Modified 2022-02-08 libX11
< 1.7.1,1
CVE-2021-31535
https://lists.freedesktop.org/archives/xorg/2021-May/060699.html
https://nvd.nist.gov/vuln/detail/CVE-2021-31535
|
8da79498-e6f6-11ea-8cbf-54e1ad3d6335 | libX11 -- Doublefree in locale handlng code
The X.org project reports:
There is an integer overflow and a double free vulnerability in
the way LibX11 handles locales. The integer overflow is a necessary
precursor to the double free.
Discovery 2020-08-25 Entry 2020-08-25 Modified 2020-11-15 libX11
< 1.6.12,1
CVE-2020-14363
https://lists.x.org/archives/xorg-announce/2020-August/003056.html
|
734b8f46-773d-4fef-bed3-61114fe8e4c5 | libX11 -- Sub-object overflows
The X.Org project reports:
- Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138]
The functions in src/InitExt.c in libX11 prior to 1.8.6 do not check
that the values provided for the Request, Event, or Error IDs are
within the bounds of the arrays that those functions write to, using
those IDs as array indexes. Instead they trusted that they were called
with values provided by an Xserver that was adhering to the bounds
specified in the X11 protocol, as all X servers provided by X.Org do.
As the protocol only specifies a single byte for these values, an
out-of-bounds value provided by a malicious server (or a malicious
proxy-in-the-middle) can only overwrite other portions of the Display
structure and not write outside the bounds of the Display structure
itself. Testing has found it is possible to at least cause the client
to crash with this memory corruption.
Discovery 2023-06-15 Entry 2023-06-16 libX11
< 1.8.6,1
https://lists.x.org/archives/xorg-announce/2023-June/003406.html
CVE-2023-3138
|
1cf65085-a760-41d2-9251-943e1af62eb8 | X.org libraries -- multiple vulnerabilities
Matthieu Herrb reports:
Tobias Stoeckmann from the OpenBSD project has discovered a
number of issues in the way various X client libraries handle
the responses they receive from servers, and has worked with
X.Org's security team to analyze, confirm, and fix these issues.
These issue come in addition to the ones discovered by Ilja van
Sprundel in 2013.
Most of these issues stem from the client libraries trusting
the server to send correct protocol data, and not verifying
that the values will not overflow or cause other damage. Most
of the time X clients and servers are run by the same user, with
the server more privileged than the clients, so this is not a
problem, but there are scenarios in which a privileged client
can be connected to an unprivileged server, for instance,
connecting a setuid X client (such as a screen lock program)
to a virtual X server (such as Xvfb or Xephyr) which the user
has modified to return invalid data, potentially allowing the
user to escalate their privileges.
Discovery 2016-10-04 Entry 2016-10-07 Modified 2016-10-10 libX11
< 1.6.4,1
libXfixes
< 5.0.3
libXi
< 1.7.7,1
libXrandr
< 1.5.1
libXrender
< 0.9.10
libXtst
< 1.2.3
libXv
< 1.0.11,1
libXvMC
< 1.0.10
https://lists.x.org/archives/xorg-announce/2016-October/002720.html
CVE-2016-5407
|
fe99d3ca-a63a-11e8-a7c6-54e1ad3d6335 | libX11 -- Multiple vulnerabilities
The freedesktop.org project reports:
The functions XGetFontPath, XListExtensions, and XListFonts are
vulnerable to an off-by-one override on malicious server responses.
The server replies consist of chunks consisting of a length byte
followed by actual string, which is not NUL-terminated.
While parsing the response, the length byte is overridden with '\0',
thus the memory area can be used as storage of C strings later on.
To be able to NUL-terminate the last string, the buffer is reserved
with an additional byte of space. For a boundary check, the variable
chend (end of ch) was introduced, pointing at the end of the buffer
which ch initially points to. Unfortunately there is a difference
in handling "the end of ch". While chend points at the first byte
that must not be written to, the for-loop uses chend as the last
byte that can be written to. Therefore, an off-by-one can occur.
The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out
of boundary write up to 128 bytes in front of the allocated storage,
but limited to NUL byte(s).
If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned. If the resulting list is freed
with XFreeExtensionList or XFreeFontPath later on, the first Xfree
call is turned into Xfree (NULL-1) which will most likely trigger a
segmentation fault. Casting the length value to unsigned char fixes
the problem and allows string values with up to 255 characters.
Discovery 2018-08-21 Entry 2018-08-22 libX11
< 1.6.6,1
https://lists.x.org/archives/xorg-announce/2018-August/002915.html
CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
|