An issue was discovered in ListExt.c:XListExtensions and GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault).
Created libX11 tracking bugs for this issue:
Affects: fedora-all [bug 1623239]
When a reply from a malicious server has the first element with an invalid length, the ListExt.c:XListExtensions and GetFPath.c:XGetFontPath functions may wrongly initialize the returned list. Thus a following call to XFreeExtensionsList/XFreeFontPath will try to access an invalid list, causing a segmentation fault in the client program.
This issue did not affect the versions of libX11 as shipped with Red Hat Enterprise Linux 5 as they did not include the vulnerable code.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:2079 https://access.redhat.com/errata/RHSA-2019:2079
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):