Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Red Hat 6 RHSA-2014:1436-02 Moderate: X11 Libraries Security Fix

red hat
Calendar Grey October 14, 2014
Scroller Redhat
The latest advisory from Red Hat regarding X11 libraries tackles various security vulnerabilities, corrections, and improvements.
Updated X11 client libraries packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Summary

The X11 (Xorg) libraries provide library routines that are used within all X Window applications.
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. (CVE-2013-1981, CVE-2013-1982, CVE-2013-1983, CVE-2013-1984, CVE-2013-1985, CVE-2013-1986, CVE-2013-1987, CVE-2013-1988, CVE-2013-1989, CVE-2013-1990, CVE-2013-1991, CVE-2013-2003, CVE-2013-2062, CVE-2013-2064)
Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. (CVE-2013-1997, CVE-2013-1998, CVE-2013-1999, CVE-2013-2000, CVE-2013-2001, CVE-2013-2002, CVE-2013-2066)
A buffer overflow flaw was found in the way the XListInputDevices() function of X.Org X11's libXi runtime library handled signed numbers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. (CVE-2013-1995)
A flaw was found in the way the X.Org X11 libXt runtime library used uninitialized pointers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. (CVE-2013-2005)
Two stack-based buffer overflow flaws were found in the way libX11, the Core X11 protocol client library, processed certain user-specified files. A malicious X11 server could possibly use this flaw to crash an X11 client via a specially crafted file. (CVE-2013-2004)
The xkeyboard-config package has been upgraded to upstream version 2.11, which provides a number of bug fixes and enhancements over the previous version. (BZ#1077471)
This update also fixes the following bugs:
* Previously, updating the mesa-libGL package did not update the libX11 package, although it was listed as a dependency of mesa-libGL. This bug has been fixed and updating mesa-libGL now updates all dependent packages as expected. (BZ#1054614)
* Previously, closing a customer application could occasionally cause the X Server to terminate unexpectedly. After this update, the X Server no longer hangs when a user closes a customer application. (BZ#971626)
All X11 client libraries users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

References

https://access.redhat.com/security/cve/CVE-2013-1981 https://access.redhat.com/security/cve/CVE-2013-1982 https://access.redhat.com/security/cve/CVE-2013-1983 https://access.redhat.com/security/cve/CVE-2013-1984 https://access.redhat.com/security/cve/CVE-2013-1985 https://access.redhat.com/security/cve/CVE-2013-1986 https://access.redhat.com/security/cve/CVE-2013-1987 https://access.redhat.com/security/cve/CVE-2013-1988 https://access.redhat.com/security/cve/CVE-2013-1989 https://access.redhat.com/security/cve/CVE-2013-1990 https://access.redhat.com/security/cve/CVE-2013-1991 https://access.redhat.com/security/cve/CVE-2013-1995 https://access.redhat.com/security/cve/CVE-2013-1997 https://access.redhat.com/security/cve/CVE-2013-1998 https://access.redhat.com/security/cve/CVE-2013-1999 https://access.redhat.com/security/cve/CVE-2013-2000 https://access.redhat.com/security/cve/CVE-2013-2001 https://access.redhat.com/security/cve/CVE-2013-2002 https://access.redhat.com/security/cve/CVE-2013-2003 https://access.redhat.com/security/cve/CVE-2013-2004 https://access.redhat.com/security/cve/CVE-2013-2005 https://access.redhat.com/security/cve/CVE-2013-2062 https://access.redhat.com/security/cve/CVE-2013-2064 https://access.redhat.com/security/cve/CVE-2013-2066 Read the Full Advisory

Package List

Red Hat Enterprise Linux Desktop (v. 6):
Source: libX11-1.6.0-2.2.el6.src.rpm libXcursor-1.1.14-2.1.el6.src.rpm libXext-1.3.2-2.1.el6.src.rpm libXfixes-5.0.1-2.1.el6.src.rpm libXi-1.7.2-2.2.el6.src.rpm libXinerama-1.1.3-2.1.el6.src.rpm libXp-1.0.2-2.1.el6.src.rpm libXrandr-1.4.1-2.1.el6.src.rpm libXrender-0.9.8-2.1.el6.src.rpm libXres-1.0.7-2.1.el6.src.rpm libXt-1.1.4-6.1.el6.src.rpm libXtst-1.2.2-2.1.el6.src.rpm libXv-1.0.9-2.1.el6.src.rpm libXvMC-1.0.8-2.1.el6.src.rpm libXxf86dga-1.1.4-2.1.el6.src.rpm libXxf86vm-1.1.3-2.1.el6.src.rpm libdmx-1.1.3-3.el6.src.rpm libxcb-1.9.1-2.el6.src.rpm xkeyboard-config-2.11-1.el6.src.rpm
i386: libX11-1.6.0-2.2.el6.i686.rpm libX11-debuginfo-1.6.0-2.2.el6.i686.rpm libXcursor-1.1.14-2.1.el6.i686.rpm libXcursor-debuginfo-1.1.14-2.1.el6.i686.rpm libXext-1.3.2-2.1.el6.i686.rpm libXext-debuginfo-1.3.2-2.1.el6.i686.rpm libXfixes-5.0.1-2.1.el6.i686.rpm libXfixes-debuginfo-5.0.1-2.1.el6.i686.rpm libXi-1.7.2-2.2.el6.i686.rpm libXi-debuginfo-1.7.2-2.2.el6.i686.rpm libXinerama-1.1.3-2.1.el6.i686.rpm libXinerama-debuginfo-1.1.3-2.1.el6.i686.rpm libXp-1.0.2-2.1.el6.i686.rpm libXp-debuginfo-1.0.2-2.1.el6.i686.rpm libXrandr-1.4.1-2.1.el6.i686.rpm libXrandr-debuginfo-1.4.1-2.1.el6.i686.rpm libXrender-0.9.8-2.1.el6.i686.rpm

Read the Full Advisory


Advisory ID: RHSA-2014:1436-02
Product: Red Hat Enterprise Linux
Advisory URL:
Issue date: 2014-10-14

Topic

Updated X11 client libraries packages that fix multiple security issues,several bugs, and add various enhancements are now available for Red HatEnterprise Linux 6.Red Hat Product Security has rated this update as having Moderate securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64

Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64

Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64

Bugs Fixed

959040 - CVE-2013-1981 libX11: Multiple integer overflows leading to heap-based buffer-overflows

959046 - CVE-2013-1982 libXext: Multiple integer overflows leading to heap-based buffer-overflows

959048 - CVE-2013-1983 libXfixes: Integer overflow leading to heap-based buffer overflow

959049 - CVE-2013-1984 libXi: Multiple integer overflows leading to heap-based buffer-overflows

959056 - CVE-2013-1985 libXinerama: Integer overflow leading to heap-based buffer overflow

959059 - CVE-2013-1986 libXrandr: Multiple integer overflows leading to heap-based bufer overflows

959061 - CVE-2013-1987 libXrender: Multiple integer overflows leading to heap-based bufer overflows

959066 - CVE-2013-1988 libXRes: Multiple integer overflows leading to heap-based bufer overflows

959068 - CVE-2013-1989 libXv: Multiple integer overflows leading to heap-based bufer overflows

959070 - CVE-2013-1990 libXvMC: Multiple integer overflows leading to heap-based buffer overflows

959072 - CVE-2013-1991 libXxf86dga: Multiple integer overflows leading to heap-based buffer overflows

959077 - CVE-2013-2003 libXcursor: Integer overflow leading to heap-based buffer overflow

959108 - CVE-2013-2005 libXt: Memory corruption due to unchecked use of unchecked function pointers959112 - CVE-2013-2004 libX11: unbounded recursion leading to stack-overflow

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.