Univention Bugzilla – Bug 47753
libx11: Multiple issues (4.2)
Last modified: 2018-09-05 13:17:18 CEST
New Debian libx11 2:1.6.2-3+deb8u2 fixes: This update addresses the following issue(s): * * Crash on invalid reply in XListExtensions in ListExt.c (CVE-2018-14598) * off-by-one error in XListExtensions in ListExt.c (CVE-2018-14599) * Out of Bounds write in XListExtensions in ListExt.c (CVE-2018-14600)
--- mirror/ftp/4.2/unmaintained/4.2-4/source/libx11_1.6.2-3+deb8u1.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/libx11_1.6.2-3+deb8u2.dsc @@ -1,3 +1,21 @@ +2:1.6.2-3+deb8u2 [Wed, 29 Aug 2018 23:24:26 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2018-14598, CVE-2018-14599 and CVE-2018-14600: + * CVE-2018-14599: + The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable + to an off-by-one override on malicious server responses. + * CVE-2018-14600: + The length value is interpreted as signed char on many systems (depending + on default signedness of char), which can lead to an out of boundary write + up to 128 bytes in front of the allocated storage, but limited to NUL + byte(s). + * CVE-2018-14598: + If the server sends a reply in which even the first string would overflow + the transmitted bytes, list[0] (or flist[0]) will be set to NULL and a + count of 0 is returned. This may trigger a segmentation fault leading to a + Denial of Service. + 2:1.6.2-3+deb8u1 [Sat, 28 Jan 2017 14:01:35 +0100] Julien Cristau <jcristau@debian.org>: * Insufficient validation of data from the X server can cause out of <http://10.200.17.11/4.2-4/#3214080127618062062>
The upstream package has been copied. No UCS specific patches. Piuparts report and advisory look ok.
<http://errata.software-univention.de/ucs/4.2/503.html>