SB2015081007 - Multiple vulnerabilities in HP-UX Running X Windows Libraries

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2015081007

SB2015081007 - Multiple vulnerabilities in HP-UX Running X Windows Libraries

Published: August 10, 2015 Updated: April 27, 2023

Security Bulletin ID SB2015081007
Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2013-1981)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions. Additional products added per http://www.ubuntu.com/usn/USN-1854-1/


2) Input validation error (CVE-ID: CVE-2013-1982)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions.


3) Buffer overflow (CVE-ID: CVE-2013-1997)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions.


4) Input validation error (CVE-ID: CVE-2013-2002)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Buffer overflow in X.org libXt 1.1.3 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the _XtResourceConfigurationEH function.


5) Buffer overflow (CVE-ID: CVE-2013-2004)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file.


6) Buffer overflow (CVE-ID: CVE-2013-2005)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

X.org libXt 1.1.3 and earlier does not check the return value of the XGetWindowProperty function, which allows X servers to trigger use of an uninitialized pointer and memory corruption via vectors related to the (1) ReqCleanup, (2) HandleSelectionEvents, (3) ReqTimedOut, (4) HandleNormal, and (5) HandleSelectionReplies functions.


7) Input validation error (CVE-ID: CVE-2013-2062)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in X.org libXp 1.0.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XpGetAttributes, (2) XpGetOneAttribute, (3) XpGetPrinterList, and (4) XpQueryScreens functions.


8) Input validation error (CVE-ID: CVE-2013-2063)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function.


Remediation

Install update from vendor's website.

References