Headline
Debian Security Advisory 5433-1
Debian Linux Security Advisory 5433-1 - Gregory James Duck reported that missing input validation in various functions provided by libx11, the X11 client-side library, may result in denial of service.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5433-1 [email protected]://www.debian.org/security/ Salvatore BonaccorsoJune 21, 2023 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : libx11CVE ID : CVE-2023-3138Debian Bug : 1038133Gregory James Duck reported that missing input validation in variousfunctions provided by libx11, the X11 client-side library, may result indenial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 2:1.7.2-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 2:1.8.4-2+deb12u1.We recommend that you upgrade your libx11 packages.For the detailed security status of libx11 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libx11Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmSSwdZfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RK+xAAlgl5li8mTpTB5e+HbDF5DSrw8BtyiKKrn8X/D35DuLwPE14MoT1u9yx07mqUjuNkQjOyQ4DS4DW+UZlk+q4ljlj2lw2qTvtSXVgw42VWVyZGnZfeuH+Bhdmqcf5jxD69+3TdmIn3iC1egTUUlUm1aUS6h0GvioFF+QZ+Nbu43QpiPMe4EEOSLauFb9l6CJMo4bfN6+luKX5q/wd9sG2P5aHEPpp1UXphFDfi3XjITsLJthDGwKOk0B6M+AQcEO9sTMZiwdK9iIK1ySg1oJpaQtTie2MdXJynIs0PA2uYQa6ORwXYwsv4FdpvMSSF4mHfkzninuGcSfkH0FN+zS4H28Qh/nflrTCf1i4fCmS5Nn9k+Hfueo4B4NeTIIA2HnaNItWePD7KBo6griGpRU4L1xcktx2x4VAwOz7zSLq+Ydd0xEdGj1oM2LpwC/euNCesBhonBuYWuKiZCp10zirPdgupm9K9x974OtnnkeJ+gvfUYgzGtELUQ4efNqIAks1HlGmqZSfgtEjTYFFMVKd7OUSaLUxbrxdzttnXVYHSFfn8o1ESt/JxBosg78DhI/LognZM9/XyXDkmEpDhB0RPN7AIy+t0dKcn53eTBaERy+ES4HXL8dflSbbJIopa8jVXqkyZ+gqu94jYGXYHmKmzd8TwlL6fRvC2/Jg3LYWYBEQ==XLRD-----END PGP SIGNATURE-----Related news
Gentoo Linux Security Advisory 202407-21 - Multiple vulnerabilities have been discovered in the X.Org X11 library, the worst of which could lead to a denial of service. Versions greater than or equal to 1.8.7 are affected.
Red Hat Security Advisory 2024-1417-03 - An update for libX11 is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a buffer overflow vulnerability.
Red Hat Security Advisory 2024-1088-03 - An update for libX11 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a buffer overflow vulnerability.
A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.
Ubuntu Security Notice 6168-2 - USN-6168-1 fixed a vulnerability in libx11. This update provides the corresponding update for Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 ESM. Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.
Ubuntu Security Notice 6168-1 - Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.