CLD-156 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-16612 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) xorg-libraries
Deficiency Type SECURITY
Date Created 2017-11-28 10:33:41
Date Last Modified 2017-11-28 11:53:50

Version Specific Information:

Cucumber 1.0 i686fixed in xorg-libraries-7.7-i686-4
Cucumber 1.0 x86_64fixed in xorg-libraries-7.7-x86_64-4 and xorg-libraries-lib_i686-7.7-lib_i686-4

Cucumber 1.1 i686 fixed in xorg-libraries-7.7-i686-4
Cucumber 1.1 x86_64 fixed in xorg-libraries-7.7-x86_64-4 and xorg-libraries-lib_i686-7.7-lib_i686-4


================================ Initial Report ================================

From Openwall (

Date: Tue, 28 Nov 2017 15:52:26 +0100
From: Matthieu Herrb 
Subject: CVE-2017-16612 libXcursor: heap overflows when parsing malicious


X.Org has just release libXcursor version 1.1.15 which contains the
following security fix:

Author:     Tobias Stoeckmann 
AuthorDate: Sat Oct 21 23:47:52 2017 +0200
Commit:     Matthieu Herrb 
CommitDate: Sat Nov 25 11:52:34 2017 +0100

    Fix heap overflows when parsing malicious files. (CVE-2017-16612)

    It is possible to trigger heap overflows due to an integer overflow
    while parsing images and a signedness issue while parsing comments.

    The integer overflow occurs because the chosen limit 0x10000 for
    dimensions is too large for 32 bit systems, because each pixel takes
    4 bytes. Properly chosen values allow an overflow which in turn will
    lead to less allocated memory than needed for subsequent reads.

    The signedness bug is triggered by reading the length of a comment
    as unsigned int, but casting it to int when calling the function
    XcursorCommentCreate. Turning length into a negative value allows the
    check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
    addition of sizeof (XcursorComment) + 1 makes it possible to allocate
    less memory than needed for subsequent reads.
Matthieu Herrb

================================= Our Analysis =================================

----- Fix for this Vulnerability -----
This vulnerability has been fixed by the upstream Xorg developers in commit
which has been applied in the 1.1.15 release of libXcursor.

----- Affected Products -----
Any systems using a version of libXcursor prior to 1.1.15 that have not applied
the aforementioned patch are vulnerable to this vulnerability. This includes
Cucumber Linux 1.0 and 1.1 (as of Tue Nov 28 11:35:36 EST 2017) since they both
use libXcursor 1.1.14.

----- Scope and Impact of this Vulnerability -----
This is a classic buffer overflow vulnerability, meaning it could theoretically
result in information disclosure, arbitrary code execution and/or privilege
escalation. However, as of Tue Nov 28 11:37:39 EST 2017, the effective scope
of this vulnerability is unknown.

================================= Our Solution =================================

We have patched this vulnerability by applying the upstream patch
to the xorg-libraries package (effective in xorg-libraries-7.7-i686-4). It
worked without modification.