Gentoo update for X.Org X11 library

Published: 2018-11-09 09:45:08 | Updated: 2018-11-09 09:45:27
Severity High
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
CVSSv3 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID CWE-20
CWE-193
CWE-787
Exploitation vector Network
Public exploit Not available
Vulnerable software Gentoo Linux
Vulnerable software versions Gentoo Linux -
Vendor URL Gentoo

Security Advisory

1) Improper input validation

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to an error when handling malicious input. A remote unauthenticated attacker can cause a remote server to return a specially crafted reply to cause the target X client to crash.

Remediation

Update the affected packages.
x11-libs/libX11 to version: 1.6.6

External links

https://security.gentoo.org/glsa/201811-01

2) Off-by-one error

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an off-by-one memory write error in the XGetFontPath(), XListExtensions(), and XListFonts() functions. A remote unauthenticated attacker can cause a remote X server to return a specially crafted response to trigger memory corruption and execute arbitrary code on the target X client.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Update the affected packages.
x11-libs/libX11 to version: 1.6.6

External links

https://security.gentoo.org/glsa/201811-01

3) Out-of-bounds write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to out-of-bounds write when handling malicious input. A remote unauthenticated attacker can trick the victim into opening a specially crafted data, trigger memory corruption and execute arbitrary code on the target X client.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Update the affected packages.
x11-libs/libX11 to version: 1.6.6

External links

https://security.gentoo.org/glsa/201811-01

Back to List