Headline
Ubuntu Security Notice USN-6168-2
Ubuntu Security Notice 6168-2 - USN-6168-1 fixed a vulnerability in libx11. This update provides the corresponding update for Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 ESM. Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.
==========================================================================Ubuntu Security Notice USN-6168-2June 20, 2023libx11 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)- Ubuntu 14.04 LTS (Available with Ubuntu Pro)Summary:libx11 could be made to crash if it received specially crafted networktraffic.Software Description:- libx11: X11 client-side libraryDetails:USN-6168-1 fixed a vulnerability in libx11. This update providesthe corresponding update for Ubuntu 14.04 ESM, Ubuntu 16.04 ESM,and Ubuntu 18.04 ESM.Original advisory details: Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro): libx11-6 2:1.6.4-3ubuntu0.4+esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro): libx11-6 2:1.6.3-1ubuntu2.2+esm2Ubuntu 14.04 LTS (Available with Ubuntu Pro): libx11-6 2:1.6.2-1ubuntu2.1+esm3After a standard system update you need to reboot your computer to make allthe necessary changes.References: https://ubuntu.com/security/notices/USN-6168-2 https://ubuntu.com/security/notices/USN-6168-1 CVE-2023-3138
Related news
Gentoo Linux Security Advisory 202407-21 - Multiple vulnerabilities have been discovered in the X.Org X11 library, the worst of which could lead to a denial of service. Versions greater than or equal to 1.8.7 are affected.
Red Hat Security Advisory 2024-1417-03 - An update for libX11 is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a buffer overflow vulnerability.
Red Hat Security Advisory 2024-1088-03 - An update for libX11 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a buffer overflow vulnerability.
A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.
Debian Linux Security Advisory 5433-1 - Gregory James Duck reported that missing input validation in various functions provided by libx11, the X11 client-side library, may result in denial of service.
Ubuntu Security Notice 6168-1 - Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.