Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6168-1

Ubuntu Security Notice 6168-1 - Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.

Packet Storm
#vulnerability#ubuntu#dos

==========================================================================
Ubuntu Security Notice USN-6168-1
June 15, 2023

libx11 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 23.04
  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Summary:

libx11 could be made to crash if it received specially crafted network
traffic.

Software Description:

  • libx11: X11 client-side library

Details:

Gregory James Duck discovered that libx11 incorrectly handled certain
Request, Event, or Error IDs. If a user were tricked into connecting to a
malicious X Server, a remote attacker could possibly use this issue to
cause libx11 to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
libx11-6 2:1.8.4-2ubuntu0.2

Ubuntu 22.10:
libx11-6 2:1.8.1-2ubuntu0.2

Ubuntu 22.04 LTS:
libx11-6 2:1.7.5-1ubuntu0.2

Ubuntu 20.04 LTS:
libx11-6 2:1.6.9-2ubuntu1.5

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6168-1
CVE-2023-3138

Package Information:
https://launchpad.net/ubuntu/+source/libx11/2:1.8.4-2ubuntu0.2
https://launchpad.net/ubuntu/+source/libx11/2:1.8.1-2ubuntu0.2
https://launchpad.net/ubuntu/+source/libx11/2:1.7.5-1ubuntu0.2
https://launchpad.net/ubuntu/+source/libx11/2:1.6.9-2ubuntu1.5

Related news

Gentoo Linux Security Advisory 202407-21

Gentoo Linux Security Advisory 202407-21 - Multiple vulnerabilities have been discovered in the X.Org X11 library, the worst of which could lead to a denial of service. Versions greater than or equal to 1.8.7 are affected.

Red Hat Security Advisory 2024-1417-03

Red Hat Security Advisory 2024-1417-03 - An update for libX11 is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

Red Hat Security Advisory 2024-1088-03

Red Hat Security Advisory 2024-1088-03 - An update for libX11 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

CVE-2023-3138: InitExt.c: Add bounds checks for extension request, event, & error codes (304a654a) · Commits · xorg / lib / libX11 · GitLab

A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.

Debian Security Advisory 5433-1

Debian Linux Security Advisory 5433-1 - Gregory James Duck reported that missing input validation in various functions provided by libx11, the X11 client-side library, may result in denial of service.

Ubuntu Security Notice USN-6168-2

Ubuntu Security Notice 6168-2 - USN-6168-1 fixed a vulnerability in libx11. This update provides the corresponding update for Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 ESM. Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.

Packet Storm: Latest News

Zeek 6.0.9