Red Hat Bugzilla – Bug 1381931
CVE-2016-5407 libXv: Insufficient validation of server responses results in out-of bounds accesses
Last modified: 2017-08-28 03:00:06 EDT
It was found that when receiving a response from the server protocol data is not validated sufficiently. The Xv query functions for adaptors and encodings suffer from out of boundary accesses if a hostile X server sends a maliciously crafted response. Upstream patch: https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17 External References: https://lists.x.org/archives/xorg-announce/2016-October/002720.html CVE assignment: http://seclists.org/oss-sec/2016/q4/17
Created libXv tracking bugs for this issue: Affects: fedora-all [bug 1381932]
Analysis: This issue stem from the client libraries trusting the server to send correct protocol data, and not verifying that the values will not overflow or cause other damage. Most of the time X clients & servers are run by the same user, with the server more privileged than the clients, under these circumstances this flaw should be non-exploitable, unless the attacker is able to run a MITM attack and impersonate a legitimate X server.