Headline
CVE-2023-3138: InitExt.c: Add bounds checks for extension request, event, & error codes (304a654a) · Commits · xorg / lib / libX11 · GitLab
A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.
InitExt.c: Add bounds checks for extension request, event, & error codes
Fixes CVE-2023-3138: X servers could return values from XQueryExtension that would cause Xlib to write entries out-of-bounds of the arrays to store them, though this would only overwrite other parts of the Display struct, not outside the bounds allocated for that structure.
Reported-by: Gregory James DUCK <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]>
Related news
Gentoo Linux Security Advisory 202407-21 - Multiple vulnerabilities have been discovered in the X.Org X11 library, the worst of which could lead to a denial of service. Versions greater than or equal to 1.8.7 are affected.
Red Hat Security Advisory 2024-1417-03 - An update for libX11 is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a buffer overflow vulnerability.
Red Hat Security Advisory 2024-1088-03 - An update for libX11 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a buffer overflow vulnerability.
Debian Linux Security Advisory 5433-1 - Gregory James Duck reported that missing input validation in various functions provided by libx11, the X11 client-side library, may result in denial of service.
Ubuntu Security Notice 6168-2 - USN-6168-1 fixed a vulnerability in libx11. This update provides the corresponding update for Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 ESM. Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.
Ubuntu Security Notice 6168-1 - Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.