Debian Security Advisory
DLA-1482-1 libx11 -- LTS security update
- Date Reported:
- 29 Aug 2018
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2018-14598, CVE-2018-14599, CVE-2018-14600.
- More information:
Several issues were discovered in libx11, the client interface to the X Windows System. The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses. A malicious server could also send a reply in which the first string overflows, causing a variable set to NULL that will be freed later on, leading to a segmentation fault and Denial of Service. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to a Denial of Service or possibly remote code execution.
For Debian 8
Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u2.
We recommend that you upgrade your libx11 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS