CLD-525 Details

Other IDs this deficiency may be known by:

Basic Information:

Version Specific Information:

Details:

=================================== Overview ===================================

An issue was discovered in libX11 through 1.6.5. The function XListExtensions
in ListExt.c interprets a variable as signed instead of unsigned, resulting in
an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code
execution. 

================================ Initial Report ================================

From http://www.openwall.com/lists/oss-security/2018/08/21/6:


Out of boundary write (CVE-2018-14600).
---------------------------------------

The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out of
boundary write up to 128 bytes in front of the allocated storage, but
limited to NUL byte(s).

Casting the length value to unsigned char fixes the problem and allows
string values with up to 255 characters.

================================= Our Analysis =================================

----- Affected Products -----
libX11 in Xorg 7.7 is vulnerable, meaning that xorg-libraries as originally
packaged in Cucumber Linux 1.0 and 1.1 is vulnerable.

----- Scope and Impact of this Vulnerability -----
Allows for a denial of service and remote code execution.

----- Fix for this Vulnerability -----
This vulnerability is fixed in commit
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea

================================= Our Solution =================================

We have applied the patch from the aforementioned commit and rebuilt
xorg-libraries.

Note that we had to modify the patch to get it to apply to Xorg 7.7. The
modified patch can be found at:
https://mirror.cucumberlinux.com/cucumber/cucumber-1.1/source/x-base/xorg-libraries/patches/libX11/00030_CVE-2018-14600_dbf72805fd9d7b1846fe9a11b46f3994bfc27fea.patch