Arch Linux Security Advisory ASA-201711-42
=========================================
Severity: High
Date    : 2017-11-30
CVE-ID  : CVE-2017-16612
Package : lib32-libxcursor
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-532

Summary
======
The package lib32-libxcursor before version 1.1.15-1 is vulnerable to
arbitrary code execution.

Resolution
=========
Upgrade to 1.1.15-1.

# pacman -Syu "lib32-libxcursor>=1.1.15-1"

The problem has been fixed upstream in version 1.1.15.

Workaround
=========
None.

Description
==========
It was discovered that libxcursor before 1.1.15 is vulnerable to heap
overflows due to an integer overflow while parsing images and a
signedness issue while parsing comments. An attacker could use local
privileges or trick a user into parsing a malicious file to cause
libxcursor to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Impact
=====
An attacker could use local privileges or trick a user into parsing a
malicious image file to cause libxcursor to crash, resulting in a
denial of service, or possibly execute arbitrary code.

References
=========
https://www.openwall.com/lists/oss-security/2017/11/28/6
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2
https://security.archlinux.org/CVE-2017-16612

ArchLinux: 201711-42: lib32-libxcursor: arbitrary code execution

December 1, 2017

Summary

It was discovered that libxcursor before 1.1.15 is vulnerable to heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. An attacker could use local privileges or trick a user into parsing a malicious file to cause libxcursor to crash, resulting in a denial of service, or possibly execute arbitrary code.

Resolution

Upgrade to 1.1.15-1. # pacman -Syu "lib32-libxcursor>=1.1.15-1"
The problem has been fixed upstream in version 1.1.15.

References

https://www.openwall.com/lists/oss-security/2017/11/28/6 https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2 https://security.archlinux.org/CVE-2017-16612

Severity
Package : lib32-libxcursor
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-532

Workaround

None.

Related News

Linux Mint 22: Elevating Security and Usability for Admins
3 - 5 min read
Linux Mint has has long been recognized as a versatile and user-friendly distribution and has earned great popularity among administrators and
Exim 4.98 Addresses Critical Vulnerabilities, Bolsters Email Server Security
2 - 4 min read
Exim is one of Unix-like systems' most widely used mail transfer agents. It's essential for email delivery and handling and is a significant part of
Recent OpenSSH RCE Bug Explained: Impact & Mitigations
2 - 4 min read
In an era where cybersecurity threats loom larger than ever, the discovery of a Remote Code Execution (RCE) vulnerability in OpenSSH by Qualys’
CVE-2024-4577: A Swiftly Weaponized Vulnerability for Ransomware Distribution
2 - 4 min read
Security researchers recently issued an update detailing how attackers are exploiting a PHP code execution vulnerability to spread TellYouThePass
Play Ransomware Group Unleashes New Threat on ESXi Environments: Analysis & Mitigation Strategies
3 - 5 min read
The Play ransomware group, well-known for its double-extortion tactics, recently unveiled a Linux variant targeting ESXi environments. This
Critical Linux Kernel Vulnerabilities Patched in Ubuntu Azure Systems
2 - 4 min read
Canonical has fixed several recently identified critical Linux kernel vulnerabilities in July 2024. These vulnerabilities primarily affect Microsoft
The Urgent Need for Secure Software Development: New Report Serves as a Wake-Up Call for the Industry
3 - 5 min read
The Linux Foundation and Open Source Security Foundation recently published a report entitled "Secure Software Development Education 2024
Severe Linux Kernel Privilege Escalation Bugs Could Compromise Entire Systems
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved