Debian 9858 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-30-1 libx11 security update

Debian GNU/Linux 8 LTS:
DLA 1482-1: libx11 security update



ELA-30-1 libx11 security update

Package: libx11
Version: 2:1.5.0-1+deb7u5
Related CVE: CVE-2018-14598 CVE-2018-14599 CVE-2018-14600
Several issues were discovered in libx11, the client interface to the X Windows System. The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses. A malicious server could also send a reply in which the first string overflows, causing a variable set to NULL that will be freed later on, leading to a segmentation fault and Denial of Service. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to a Denial of Service or possibly remote code execution.

For Debian 7 Wheezy, these problems have been fixed in version 2:1.5.0-1+deb7u5.

We recommend that you upgrade your libx11 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1482-1: libx11 security update




Package : libx11
Version : 2:1.6.2-3+deb8u2
CVE ID : CVE-2018-14598 CVE-2018-14599 CVE-2018-14600

Several issues were discovered in libx11, the client interface to the
X Windows System. The functions XGetFontPath, XListExtensions, and
XListFonts are vulnerable to an off-by-one override on malicious
server responses. A malicious server could also send a reply in which
the first string overflows, causing a variable set to NULL that will
be freed later on, leading to a segmentation fault and Denial of
Service. The function XListExtensions in ListExt.c interprets a
variable as signed instead of unsigned, resulting in an out-of-bounds
write (of up to 128 bytes), leading to a Denial of Service or possibly
remote code execution.

For Debian 8 "Jessie", these problems have been fixed in version
2:1.6.2-3+deb8u2.

We recommend that you upgrade your libx11 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS