An issue was discovered in libX11 through 1.6.5. Functions ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.
Created libX11 tracking bugs for this issue:
Affects: fedora-all [bug 1623243]
Functions ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret the length field, which is a char, as a signed value, resulting in a read and a write before the intended buffer when they traverse the list of extensions/paths provided by the server.
Is the fix going to be ported to RHEL 7?
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:2079 https://access.redhat.com/errata/RHSA-2019:2079
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):