Bug 1623242 (CVE-2018-14600)

Summary: CVE-2018-14600 libX11: Out of Bounds write in XListExtensions in ListExt.c
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, ajax, alexl, caillon+fedoraproject, dbaker, jglisse, john.j5live, jokerman, peter.hutterer, rhughes, rschiron, rstrode, sandmann, shivrao, slawomir, sthangav, trankin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: libX11 1.6.6 Doc Type: If docs needed, set a value
Doc Text:
An out of bounds write, limited to NULL bytes, was discovered in libX11 in functions XListExtensions() and XGetFontPath(). The length field is considered as a signed value, which makes the library access memory before the intended buffer. An attacker who can either configure a malicious X server or modify the data coming from one could use this flaw to make the program crash or have other unspecified effects, caused by the memory corruption.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 19:19:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1623243, 1623244, 1624412    
Bug Blocks: 1623253    

Description Laura Pardo 2018-08-28 20:07:56 UTC
An issue was discovered in libX11 through 1.6.5. Functions ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.


Upstream Patch:

Comment 1 Laura Pardo 2018-08-28 20:08:29 UTC
Created libX11 tracking bugs for this issue:

Affects: fedora-all [bug 1623243]

Comment 4 Riccardo Schirone 2018-08-31 13:42:15 UTC
Functions ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret the length field, which is a char, as a signed value, resulting in a read and a write before the intended buffer when they traverse the list of extensions/paths provided by the server.

Comment 6 Shiva Prasad Rao 2019-01-29 23:32:20 UTC
Is the fix going to be ported to RHEL 7?

Comment 7 errata-xmlrpc 2019-08-06 12:11:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2079 https://access.redhat.com/errata/RHSA-2019:2079

Comment 8 Product Security DevOps Team 2019-08-06 19:19:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):