Bug 1623250 (CVE-2018-14599) - CVE-2018-14599 libX11: Off-by-one error in XListExtensions in ListExt.c
Summary: CVE-2018-14599 libX11: Off-by-one error in XListExtensions in ListExt.c
Alias: CVE-2018-14599
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1850150 1623251 1623252 1624787
Blocks: 1623253
TreeView+ depends on / blocked
Reported: 2018-08-28 20:18 UTC by Laura Pardo
Modified: 2020-06-23 15:31 UTC (History)
18 users (show)

Fixed In Version: libX11 1.6.6
Doc Type: If docs needed, set a value
Doc Text:
An off-by-one error has been discovered in libX11 in functions XGetFontPath(), XListExtensions(), and XListFonts(). An attacker who can either configure a malicious X server or modify the data coming from one could use this flaw to make the program crash or have other unspecified effects, caused by the memory corruption.
Clone Of:
Last Closed: 2019-08-06 19:19:41 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2079 None None None 2019-08-06 12:11:31 UTC

Description Laura Pardo 2018-08-28 20:18:13 UTC
An issue was discovered in libX11 through 1.6.5. Functions GetFPath.c:XGetFontPath, ListExt.c:XListExtensions and FontNames.c:XListFonts are vulnerable to an off-by-one error when parsing list of strings returned by malicious server responses, leading to DoS.


Upstream Patch:

Comment 1 Laura Pardo 2018-08-28 20:18:49 UTC
Created libX11 tracking bugs for this issue:

Affects: fedora-all [bug 1623251]

Comment 5 Riccardo Schirone 2018-09-03 09:51:33 UTC

This issue did not affect the versions of libX11 as shipped with Red Hat Enterprise Linux 5 as they did not include the vulnerable code.

Comment 6 Shiva Prasad Rao 2019-01-29 23:31:45 UTC
Is the fix going to be ported to RHEL 7?

Comment 7 Riccardo Schirone 2019-01-30 08:06:42 UTC

We suggest you to open a case with Support for these kind of questions.
Best regards,

Comment 8 errata-xmlrpc 2019-08-06 12:11:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2079 https://access.redhat.com/errata/RHSA-2019:2079

Comment 9 Product Security DevOps Team 2019-08-06 19:19:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.