Bug 1381931 (CVE-2016-5407)

Summary: CVE-2016-5407 libXv: Insufficient validation of server responses results in out-of bounds accesses
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: btissoir, huzaifas, kbost, sandmann, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: libXv 1.0.11 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:59:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1381932    
Bug Blocks: 1381939    

Description Andrej Nemec 2016-10-05 11:37:58 UTC
It was found that when receiving a response from the server protocol data is not validated sufficiently. The Xv query functions for adaptors and encodings suffer from out of boundary accesses if a hostile X server sends a maliciously crafted response.

Upstream patch:


External References:


CVE assignment:


Comment 1 Andrej Nemec 2016-10-05 11:38:18 UTC
Created libXv tracking bugs for this issue:

Affects: fedora-all [bug 1381932]

Comment 3 Huzaifa S. Sidhpurwala 2017-08-28 07:00:06 UTC

This issue stem from the client libraries trusting the server to send correct protocol data, and not verifying that the values will not overflow or cause other damage. Most of the time X clients & servers are run by the same user, with the server more privileged than the clients, under these circumstances this flaw should be non-exploitable, unless the attacker is able to run a MITM attack and impersonate a legitimate X server.