SB2014112204 - Amazon Linux AMI update for libX11, libXcursor, libXfixes, libXi, libXrandr, libXrender, libXres, libXt, libXv, libXvMC, libXxf86dga, libXxf86vm, libdmx, xorg-x11-proto-devel




Published: November 22, 2014

Security Bulletin ID: SB2014112204
Severity: Medium
Patch available: YES
Number of vulnerabilities: 24
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 24 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2013-1981)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions. Additional products added per http://www.ubuntu.com/usn/USN-1854-1/


2) Input validation error (CVE-ID: CVE-2013-1982)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions.


3) Input validation error (CVE-ID: CVE-2013-1983)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer overflow in X.org libXfixes 5.0 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XFixesGetCursorImage function.


4) Input validation error (CVE-ID: CVE-2013-1984)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXi 1.7.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XGetDeviceControl, (2) XGetFeedbackControl, (3) XGetDeviceDontPropagateList, (4) XGetDeviceMotionEvents, (5) XIGetProperty, (6) XIGetSelectedEvents, (7) XGetDeviceProperties, and (8) XListInputDevices functions.


5) Input validation error (CVE-ID: CVE-2013-1985)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer overflow in X.org libXinerama 1.1.2 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XineramaQueryScreens function.


6) Input validation error (CVE-ID: CVE-2013-1986)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXrandr 1.4.0 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRRQueryOutputProperty and (2) XRRQueryProviderProperty functions.


7) Input validation error (CVE-ID: CVE-2013-1987)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXrender 0.9.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRenderQueryFilters, (2) XRenderQueryFormats, and (3) XRenderQueryPictIndexValues functions. Additional products added per http://www.ubuntu.com/usn/USN-1863-1/ http://lists.opensuse.org/opensuse-updates/2013-06/msg00141.html


8) Input validation error (CVE-ID: CVE-2013-1988)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXRes 1.0.6 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XResQueryClients and (2) XResQueryClientResources functions.


9) Input validation error (CVE-ID: CVE-2013-1989)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXv 1.0.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XvQueryPortAttributes, (2) XvListImageFormats, and (3) XvCreateImage functions.


10) Input validation error (CVE-ID: CVE-2013-1990)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXvMC 1.0.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XvMCListSurfaceTypes and (2) XvMCListSubpictureTypes functions.


11) Input validation error (CVE-ID: CVE-2013-1991)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXxf86dga 1.1.3 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XDGAQueryModes and (2) XDGASetMode functions.


12) Buffer overflow (CVE-ID: CVE-2013-1995)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

X.org libXi 1.7.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the XListInputDevices function.


13) Buffer overflow (CVE-ID: CVE-2013-1997)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions.


14) Buffer overflow (CVE-ID: CVE-2013-1998)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple buffer overflows in X.org libXi 1.7.1 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XGetDeviceButtonMapping, (2) XIPassiveGrabDevice, and (3) XQueryDeviceState functions.


15) Buffer overflow (CVE-ID: CVE-2013-1999)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer overflow in X.org libXvMC 1.0.7 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XvMCGetDRInfo function.


16) Buffer overflow (CVE-ID: CVE-2013-2000)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple buffer overflows in X.org libXxf86dga 1.1.3 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XDGAQueryModes and (2) XDGASetMode functions.


17) Buffer overflow (CVE-ID: CVE-2013-2001)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer overflow in X.org libXxf86vm 1.1.2 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XF86VidModeGetGammaRamp function.


18) Input validation error (CVE-ID: CVE-2013-2002)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer overflow in X.org libXt 1.1.3 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the _XtResourceConfigurationEH function.


19) Input validation error (CVE-ID: CVE-2013-2003)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer overflow in X.org libXcursor 1.1.13 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the _XcursorFileHeaderCreate function.


20) Buffer overflow (CVE-ID: CVE-2013-2004)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file.


21) Buffer overflow (CVE-ID: CVE-2013-2005)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

X.org libXt 1.1.3 and earlier does not check the return value of the XGetWindowProperty function, which allows X servers to trigger use of an uninitialized pointer and memory corruption via vectors related to the (1) ReqCleanup, (2) HandleSelectionEvents, (3) ReqTimedOut, (4) HandleNormal, and (5) HandleSelectionReplies functions.


22) Input validation error (CVE-ID: CVE-2013-2062)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXp 1.0.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XpGetAttributes, (2) XpGetOneAttribute, (3) XpGetPrinterList, and (4) XpQueryScreens functions.


23) Input validation error (CVE-ID: CVE-2013-2064)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function.


24) Buffer overflow (CVE-ID: CVE-2013-2066)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer overflow in X.org libXv 1.0.7 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XvQueryPortAttributes function.
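
The integer-overflow and sign-extension entries above share one pattern: a count or length taken from an X server reply is used to size a buffer. The following C sketch is an added example, not code from libX11 or any library named in this bulletin; all function names and the reply layout are hypothetical. It shows the arithmetic that wraps beside a checked form a client library can use before allocating.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not libX11 code): size a buffer for a reply that
 * claims `count` elements of `elem_size` bytes, when only `reply_bytes`
 * bytes actually follow the reply header.
 * Returns 0 and stores the size in *out, or -1 if the claim is rejected. */
int checked_reply_size(uint32_t count, size_t elem_size,
                       size_t reply_bytes, size_t *out)
{
    if (elem_size == 0)
        return -1;
    if (count > SIZE_MAX / elem_size)   /* product would wrap around */
        return -1;
    size_t need = (size_t)count * elem_size;
    if (need > reply_bytes)             /* server claims more than it sent */
        return -1;
    *out = need;
    return 0;
}

/* Unchecked form, for comparison: 32-bit arithmetic wraps modulo 2^32,
 * so a large server-supplied count produces a small allocation size
 * while later loops still iterate `count` times. */
uint32_t unchecked_reply_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Sign-extension case (constructed illustration): a length byte read
 * through a signed type becomes a huge size_t when it is negative.
 * Reading the same byte as unsigned keeps it in the range 0..255. */
size_t length_from_signed(signed char b)     { return (size_t)b; }
size_t length_from_unsigned(unsigned char b) { return (size_t)b; }
```
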


Remediation

Install the update from the vendor's website.