CLD-526 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | xorg-libraries |
Deficiency Type | SECURITY |
Date Created | 2018-08-21 16:53:31 |
Date Last Modified | 2018-08-25 12:46:26 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in xorg-libraries-7.7-i686-5 |
Cucumber 1.0 x86_64 | fixed in xorg-libraries-7.7-x86_64-5 |
Cucumber 1.1 i686 | fixed in xorg-libraries-7.7-i686-5 |
Cucumber 1.1 x86_64 | fixed in xorg-libraries-7.7-x86_64-5 |
Details:
=================================== Overview ===================================
An issue was discovered in XListExtensions in ListExt.c in libX11 through
1.6.5. A malicious server can send a reply in which the first string overflows,
causing a variable to be set to NULL that will be freed later on, leading to
DoS (segmentation fault).
================================ Initial Report ================================
From http://www.openwall.com/lists/oss-security/2018/08/21/6:
Crash on invalid reply (CVE-2018-14598).
----------------------------------------
If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned.
If the resulting list is freed with XFreeExtensionList or
XFreeFontPath later on, the first Xfree call:
Xfree (list[0]-1)
turns into
Xfree (NULL-1)
which will most likely trigger a segmentation fault.
================================= Our Analysis =================================
----- Affected Products -----
libX11 in Xorg 7.7 is vulnerable, meaning that xorg-libraries as originally
packaged in Cucumber Linux 1.0 and 1.1 is vulnerable.
----- Scope and Impact of this Vulnerability -----
Allows for a denial of service.
----- Fix for this Vulnerability -----
This vulnerability is fixed in commit
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2
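Added example (not libX11 source and not the upstream patch): a simplified C model of the parse-then-free pattern described in the report, with a parser that never returns a list whose first entry is NULL and a free routine that checks before computing list[0] - 1. The names parse_names and free_names and the sample reply bytes are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse up to n length-prefixed names (1 length byte, then the name bytes).
 * Returns NULL with *count = 0 when even the first name would overflow the
 * received bytes, so callers never see a list whose list[0] is NULL. */
char **parse_names(const unsigned char *reply, size_t len, int n, int *count)
{
    *count = 0;
    if (n <= 0 || len == 0) return NULL;
    char **list = calloc((size_t)n, sizeof *list);
    char *buf = malloc(len + 1);            /* +1 for the last terminator */
    if (!list || !buf) { free(list); free(buf); return NULL; }
    memcpy(buf, reply, len);

    char *p = buf, *end = buf + len;
    for (int i = 0; i < n && p < end; i++) {
        size_t slen = (unsigned char)*p;
        if ((size_t)(end - p - 1) < slen) break;  /* name overflows reply */
        *p = '\0';              /* length byte now terminates previous name */
        list[i] = p + 1;
        p += slen + 1;
        (*count)++;
    }
    if (*count == 0) {          /* the malformed-first-string case */
        free(buf); free(list);
        return NULL;
    }
    *p = '\0';                  /* terminate the last accepted name */
    return list;
}

/* The report's free path is free(list[0] - 1); guard both pointers first. */
void free_names(char **list)
{
    if (list == NULL) return;
    if (list[0] != NULL) free(list[0] - 1);   /* list[0] - 1 is buf */
    free(list);
}

int main(void)
{
    const unsigned char bad[] = { 200, 'A', 'B' };  /* constructed reply */
    int count;
    char **list = parse_names(bad, sizeof bad, 1, &count);
    printf("list=%p count=%d\n", (void *)list, count);
    free_names(list);
}
```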
================================= Our Solution =================================
We have applied the patch from the aforementioned commit and rebuilt
xorg-libraries.