It was found that when receiving a response from the server protocol data is not validated sufficiently. The Xv query functions for adaptors and encodings suffer from out of boundary accesses if a hostile X server sends a maliciously crafted response. Upstream patch: https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17 External References: https://lists.x.org/archives/xorg-announce/2016-October/002720.html CVE assignment: http://seclists.org/oss-sec/2016/q4/17
Created libXv tracking bugs for this issue: Affects: fedora-all [bug 1381932]
Analysis: This issue stem from the client libraries trusting the server to send correct protocol data, and not verifying that the values will not overflow or cause other damage. Most of the time X clients & servers are run by the same user, with the server more privileged than the clients, under these circumstances this flaw should be non-exploitable, unless the attacker is able to run a MITM attack and impersonate a legitimate X server.