RHSA-2014:1436: X11 client libraries security bug fix and enhancement update (Moderate)

oval:org.mitre.oval:def:26759

The X11 (Xorg) libraries provide library routines that are used within all X Window applications.

Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use any of these flaws to potentially escalate their privileges on the system. (CVE-2013-1981 CVE-2013-1982 CVE-2013-1983 CVE-2013-1984 CVE-2013-1985 CVE-2013-1986 CVE-2013-1987 CVE-2013-1988 CVE-2013-1989 CVE-2013-1990 CVE-2013-1991 CVE-2013-2003 CVE-2013-2062 CVE-2013-2064)

Multiple array index errors leading to heap-based out-of-bounds write flaws were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use these flaws to execute arbitrary code with the privileges of the user running an X11 client. (CVE-2013-1997 CVE-2013-1998 CVE-2013-1999 CVE-2013-2000 CVE-2013-2001 CVE-2013-2002 CVE-2013-2066)

A buffer overflow flaw was found in the way the XListInputDevices() function of X.Org X11's libXi runtime library handled signed numbers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. (CVE-2013-1995)

A flaw was found in the way the X.Org X11 libXt runtime library used uninitialized pointers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. (CVE-2013-2005)

Two stack-based buffer overflow flaws were found in the way libX11, the core X11 protocol client library, processed certain user-specified files. A malicious X11 server could possibly use these flaws to crash an X11 client via a specially crafted file. (CVE-2013-2004)

The xkeyboard-config package has been upgraded to upstream version 2.11, which provides a number of bug fixes and enhancements over the previous version. (BZ#1077471)

This update also fixes the following bugs:

  • Previously, updating the mesa-libGL package did not update the libX11 package, although it was listed as a dependency of mesa-libGL. This bug has been fixed, and updating mesa-libGL now updates all dependent packages as expected. (BZ#1054614)
  • Previously, closing a customer application could occasionally cause the X Server to terminate unexpectedly. After this update, the X Server no longer hangs when a user closes a customer application. (BZ#971626)

All users of the X11 client libraries are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
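As an added illustration of the first flaw class in this advisory (an integer overflow in a length computation that produces an undersized heap allocation), and not code from the advisory or from the X.Org libraries: a constructed reply layout with the unchecked size calculation beside a checked parser that rejects a count which would wrap or which exceeds the bytes actually received. The reply format, ITEM_SIZE and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed reply layout (not the real X protocol wire format): a 4-byte
 * item count in host byte order, followed by `count` 4-byte items. */
#define ITEM_SIZE 4u

/* Unchecked size computation, the pattern behind the integer-overflow flaws:
 * count * ITEM_SIZE is evaluated in 32-bit arithmetic and wraps for
 * count >= 0x40000000, so a hostile count yields a tiny allocation that a
 * later copy of `count` items would overrun. Only the size is returned here. */
uint32_t unchecked_alloc_size(uint32_t count) {
    uint32_t nbytes = count * ITEM_SIZE;   /* silently wraps modulo 2^32 */
    return nbytes;
}

/* Checked parser: reject a count that would wrap, and a count that claims
 * more items than the reply actually carries, before allocating anything.
 * Returns a malloc'd copy of the items (caller frees) or NULL on rejection. */
uint32_t *checked_copy_items(const uint8_t *reply, size_t reply_len,
                             uint32_t *out_count) {
    uint32_t count, nbytes;
    if (reply == NULL || out_count == NULL || reply_len < 4)
        return NULL;
    memcpy(&count, reply, 4);
    if (count > UINT32_MAX / ITEM_SIZE)          /* multiplication would wrap */
        return NULL;
    nbytes = count * ITEM_SIZE;
    if ((size_t)nbytes > reply_len - 4)           /* header lies about length */
        return NULL;
    uint32_t *items = malloc(nbytes ? nbytes : 1);
    if (items == NULL)
        return NULL;
    memcpy(items, reply + 4, nbytes);
    *out_count = count;
    return items;
}

/* Helper for exercising the parser: build a reply buffer with the given
 * header count and items. `buf` must hold 4 + n_items * ITEM_SIZE bytes. */
void build_reply(uint32_t header_count, const uint32_t *items, size_t n_items,
                 uint8_t *buf) {
    memcpy(buf, &header_count, 4);
    for (size_t i = 0; i < n_items; i++)
        memcpy(buf + 4 + i * ITEM_SIZE, &items[i], 4);
}
```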

Family:
unix
Status:
ACCEPTED
Platform(s):
  • Red Hat Enterprise Linux 6
  • CentOS Linux 6
Class:
patch
Reference(s):
  • RHSA-2014:1436-01
  • CVE-2013-1981
  • CVE-2013-1982
  • CVE-2013-1983
  • CVE-2013-1984
  • CVE-2013-1985
  • CVE-2013-1986
  • CVE-2013-1987
  • CVE-2013-1988
  • CVE-2013-1989
  • CVE-2013-1990
  • CVE-2013-1991
  • CVE-2013-1995
  • CVE-2013-1997
  • CVE-2013-1998
  • CVE-2013-1999
  • CVE-2013-2000
  • CVE-2013-2001
  • CVE-2013-2002
  • CVE-2013-2003
  • CVE-2013-2004
  • CVE-2013-2005
  • CVE-2013-2062
  • CVE-2013-2064
  • CVE-2013-2066
  • CESA-2014:1436-CentOS 6
Product(s):
  • libXext
  • libXv
  • libXrandr
  • libXxf86vm
  • libXt
  • xkeyboard-config
  • xorg-x11-xtrans-devel
  • libXres
  • libXinerama
  • libXrender
  • libXi
  • xorg-x11-proto-devel
  • libxcb
  • libXfixes
  • libXxf86dga
  • libXp
  • libXtst
  • libX11
  • libXcursor
  • xcb-proto
  • libdmx
  • libXvMC