It was found that when receiving a response from the server, protocol data is not validated sufficiently. The 32-bit field "rep.length" is not checked for validity, which allows an integer overflow on 32-bit systems. A malicious server could send INT_MAX as length, which gets multiplied by the size of XRectangle. In that case the client won't read the whole data from the server, getting out of sync.

Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e

External References:
https://lists.x.org/archives/xorg-announce/2016-October/002720.html

CVE assignment:
http://seclists.org/oss-sec/2016/q4/17
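The arithmetic behind the report, as an added example that is not libXfixes code or the upstream patch: a 32-bit reply length is multiplied by sizeof(XRectangle) in 32-bit arithmetic (what a 32-bit size_t gives), so the product wraps modulo 2^32 and the byte count the client uses no longer matches what the server sends. The hardened variant bounds the count before multiplying. The XRectangle struct mirrors Xlib's layout (four 16-bit fields); the function names and the rep_length_t type are assumptions for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout mirrors Xlib's XRectangle: four 16-bit fields, 8 bytes in total. */
typedef struct {
    short x, y;
    unsigned short width, height;
} XRectangle;

/* The server-supplied length field as the client receives it: a 32-bit
 * unsigned count (hypothetical type name, stands in for rep.length). */
typedef uint32_t rep_length_t;

/* Vulnerable pattern: the untrusted count is multiplied by the record size
 * in 32-bit arithmetic. The product wraps silently, so the size used for the
 * allocation and the read differs from the data actually on the wire. */
uint32_t region_bytes_unchecked(rep_length_t rep_length)
{
    uint32_t nrects = rep_length;                   /* taken at face value */
    return nrects * (uint32_t)sizeof(XRectangle);   /* may wrap modulo 2^32 */
}

/* Hardened pattern: reject any count whose byte size cannot fit in 32 bits
 * before doing the multiplication. Returns false (and sets *nbytes to 0)
 * when the reply must be treated as malformed and discarded. */
bool region_bytes_checked(rep_length_t rep_length, uint32_t *nbytes)
{
    const uint32_t max_rects = UINT32_MAX / (uint32_t)sizeof(XRectangle);
    if (rep_length > max_rects) {
        *nbytes = 0;
        return false;
    }
    *nbytes = rep_length * (uint32_t)sizeof(XRectangle);
    return true;
}

/* Diagnostic: does the 32-bit result still equal the true 64-bit product?
 * A mismatch is exactly the "client out of sync with server" condition. */
bool unchecked_size_is_consistent(rep_length_t rep_length)
{
    uint64_t true_bytes = (uint64_t)rep_length * sizeof(XRectangle);
    return (uint64_t)region_bytes_unchecked(rep_length) == true_bytes;
}

int main(void)
{
    /* Constructed inputs: a benign count and the INT_MAX value from the report. */
    rep_length_t samples[] = { 3, (rep_length_t)INT_MAX };
    for (size_t i = 0; i < 2; i++) {
        uint32_t safe = 0;
        bool ok = region_bytes_checked(samples[i], &safe);
        printf("rep.length=%u unchecked=%u consistent=%d checked_ok=%d bytes=%u\n",
               samples[i], region_bytes_unchecked(samples[i]),
               unchecked_size_is_consistent(samples[i]), ok, safe);
    }
    return 0;
}
```

For rep.length = INT_MAX the unchecked product is 0xfffffff8 rather than the true 0x3fffffff8, so the client would size its buffer and its read from the wrong number; the checked variant refuses anything above UINT32_MAX / 8 rectangles and lets the caller drop the reply instead.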
Created libXfixes tracking bugs for this issue:

Affects: fedora-all [bug 1381866]