Rapid7 Vulnerability & Exploit Database

RHSA-2014:1436: X11 client libraries security, bug fix, and enhancement update

Back to Search

RHSA-2014:1436: X11 client libraries security, bug fix, and enhancement update

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
06/15/2013
Created
07/25/2018
Added
10/14/2014
Modified
07/04/2017

Description

The X11 (Xorg) libraries provide library routines that are used within allX Window applications.Multiple integer overflow flaws, leading to heap-based buffer overflows,were found in the way various X11 client libraries handled certain protocoldata. An attacker able to submit invalid protocol data to an X11 server viaa malicious X11 client could use either of these flaws to potentiallyescalate their privileges on the system. (CVE-2013-1981, CVE-2013-1982,CVE-2013-1983, CVE-2013-1984, CVE-2013-1985, CVE-2013-1986, CVE-2013-1987,CVE-2013-1988, CVE-2013-1989, CVE-2013-1990, CVE-2013-1991, CVE-2013-2003,CVE-2013-2062, CVE-2013-2064)Multiple array index errors, leading to heap-based buffer out-of-boundswrite flaws, were found in the way various X11 client libraries handleddata returned from an X11 server. A malicious X11 server could possibly usethis flaw to execute arbitrary code with the privileges of the user runningan X11 client. (CVE-2013-1997, CVE-2013-1998, CVE-2013-1999, CVE-2013-2000,CVE-2013-2001, CVE-2013-2002, CVE-2013-2066)A buffer overflow flaw was found in the way the XListInputDevices()function of X.Org X11's libXi runtime library handled signed numbers.A malicious X11 server could possibly use this flaw to execute arbitrarycode with the privileges of the user running an X11 client. (CVE-2013-1995)A flaw was found in the way the X.Org X11 libXt runtime library useduninitialized pointers. A malicious X11 server could possibly use this flawto execute arbitrary code with the privileges of the user running an X11client. (CVE-2013-2005)Two stack-based buffer overflow flaws were found in the way libX11, theCore X11 protocol client library, processed certain user-specified files.A malicious X11 server could possibly use this flaw to crash an X11 clientvia a specially crafted file. (CVE-2013-2004)The xkeyboard-config package has been upgraded to upstream version 2.11,which provides a number of bug fixes and enhancements over the previousversion. (BZ#1077471)This update also fixes the following bugs:All X11 client libraries users are advised to upgrade to these updatedpackages, which correct these issues and add these enhancements.

Solution(s)

  • redhat-upgrade-libdmx
  • redhat-upgrade-libdmx-debuginfo
  • redhat-upgrade-libdmx-devel
  • redhat-upgrade-libx11
  • redhat-upgrade-libx11-common
  • redhat-upgrade-libx11-debuginfo
  • redhat-upgrade-libx11-devel
  • redhat-upgrade-libxcb
  • redhat-upgrade-libxcb-debuginfo
  • redhat-upgrade-libxcb-devel
  • redhat-upgrade-libxcb-doc
  • redhat-upgrade-libxcb-python
  • redhat-upgrade-libxcursor
  • redhat-upgrade-libxcursor-debuginfo
  • redhat-upgrade-libxcursor-devel
  • redhat-upgrade-libxext
  • redhat-upgrade-libxext-debuginfo
  • redhat-upgrade-libxext-devel
  • redhat-upgrade-libxfixes
  • redhat-upgrade-libxfixes-debuginfo
  • redhat-upgrade-libxfixes-devel
  • redhat-upgrade-libxi
  • redhat-upgrade-libxi-debuginfo
  • redhat-upgrade-libxi-devel
  • redhat-upgrade-libxinerama
  • redhat-upgrade-libxinerama-debuginfo
  • redhat-upgrade-libxinerama-devel
  • redhat-upgrade-libxp
  • redhat-upgrade-libxp-debuginfo
  • redhat-upgrade-libxp-devel
  • redhat-upgrade-libxrandr
  • redhat-upgrade-libxrandr-debuginfo
  • redhat-upgrade-libxrandr-devel
  • redhat-upgrade-libxrender
  • redhat-upgrade-libxrender-debuginfo
  • redhat-upgrade-libxrender-devel
  • redhat-upgrade-libxres
  • redhat-upgrade-libxres-debuginfo
  • redhat-upgrade-libxres-devel
  • redhat-upgrade-libxt
  • redhat-upgrade-libxt-debuginfo
  • redhat-upgrade-libxt-devel
  • redhat-upgrade-libxtst
  • redhat-upgrade-libxtst-debuginfo
  • redhat-upgrade-libxtst-devel
  • redhat-upgrade-libxv
  • redhat-upgrade-libxv-debuginfo
  • redhat-upgrade-libxv-devel
  • redhat-upgrade-libxvmc
  • redhat-upgrade-libxvmc-debuginfo
  • redhat-upgrade-libxvmc-devel
  • redhat-upgrade-libxxf86dga
  • redhat-upgrade-libxxf86dga-debuginfo
  • redhat-upgrade-libxxf86dga-devel
  • redhat-upgrade-libxxf86vm
  • redhat-upgrade-libxxf86vm-debuginfo
  • redhat-upgrade-libxxf86vm-devel
  • redhat-upgrade-xcb-proto
  • redhat-upgrade-xkeyboard-config
  • redhat-upgrade-xkeyboard-config-devel
  • redhat-upgrade-xorg-x11-proto-devel
  • redhat-upgrade-xorg-x11-xtrans-devel

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;