Debian Security Advisory

DLA-1482-1 libx11 -- LTS security update

Date Reported:
29 Aug 2018
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2018-14598, CVE-2018-14599, CVE-2018-14600.
More information:

Several issues were discovered in libx11, the client interface to the X Windows System. The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses. A malicious server could also send a reply in which the first string overflows, causing a variable set to NULL that will be freed later on, leading to a segmentation fault and Denial of Service. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to a Denial of Service or possibly remote code execution.

For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u2.

We recommend that you upgrade your libx11 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: