ID CVE-2018-14600
Summary An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.
References
Vulnerable Configurations
  • cpe:2.3:a:x.org:libx11:1.6.5
  • Canonical Ubuntu Linux 12.04 ESM (Extended Security Maintenance)
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:esm
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-787
CAPEC
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3758-1.NASL
    description Tobias Stoeckmann discovered that libx11 incorrectly handled certain images. An attacker could possibly use this issue to access sensitive information. (CVE-2016-7942) Tobias Stoeckmann discovered that libx11 incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information. (CVE-2016-7943) It was discovered that libx11 incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-14598, CVE-2018-14599, CVE-2018-14600). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 112205
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112205
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : libx11 vulnerabilities (USN-3758-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2934-1.NASL
    description This update for xorg-x11-libX11 fixes the following issues : CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062) CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068) CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 117859
    published 2018-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117859
    title SUSE SLES11 Security Update : xorg-x11-libX11 (SUSE-SU-2018:2934-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-945.NASL
    description This update for libX11 fixes the following issues : Security issues fixed : - CVE-2018-14598: Fixed a crash on invalid reply in XListExtensions (boo#1102073) - CVE-2018-14599: Fixed an off-by-one write in XListExtensions (boo#1102062) - CVE-2018-14600: Fixed an out of boundary write in XListExtensions (boo#1102068)
    last seen 2019-02-21
    modified 2018-10-22
    plugin id 112262
    published 2018-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112262
    title openSUSE Security Update : libX11 (openSUSE-2018-945)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2955-1.NASL
    description This update for libX11 fixes the following security issues : CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062) CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068) CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 120113
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120113
    title SUSE SLED15 / SLES15 Security Update : libX11 (SUSE-SU-2018:2955-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201811-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201811-01 (X.Org X11 library: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in X.Org X11 library. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by enticing a user to connect to a malicious server, could cause the execution of arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-09
    plugin id 118845
    published 2018-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118845
    title GLSA-201811-01 : X.Org X11 library: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-233-01.NASL
    description New libX11 packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-10-23
    modified 2018-10-22
    plugin id 112054
    published 2018-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112054
    title Slackware 14.0 / 14.1 / 14.2 / current : libX11 (SSA:2018-233-01)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1107.NASL
    description This update for libX11 fixes the following security issues : - CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062) - CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068) - CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073) This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2019-02-21
    modified 2018-10-22
    plugin id 117974
    published 2018-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117974
    title openSUSE Security Update : libX11 (openSUSE-2018-1107)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1482.NASL
    description Several issues were discovered in libx11, the client interface to the X Windows System. The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses. A malicious server could also send a reply in which the first string overflows, causing a variable set to NULL that will be freed later on, leading to a segmentation fault and Denial of Service. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to a Denial of Service or possibly remote code execution. For Debian 8 'Jessie', these problems have been fixed in version 2:1.6.2-3+deb8u2. We recommend that you upgrade your libx11 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-10-22
    plugin id 112184
    published 2018-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112184
    title Debian DLA-1482-1 : libx11 security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_FE99D3CAA63A11E8A7C654E1AD3D6335.NASL
    description The freedesktop.org project reports : The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses. The server replies consist of chunks consisting of a length byte followed by actual string, which is not NUL-terminated. While parsing the response, the length byte is overridden with '\0', thus the memory area can be used as storage of C strings later on. To be able to NUL-terminate the last string, the buffer is reserved with an additional byte of space. For a boundary check, the variable chend (end of ch) was introduced, pointing at the end of the buffer which ch initially points to. Unfortunately there is a difference in handling 'the end of ch'. While chend points at the first byte that must not be written to, the for-loop uses chend as the last byte that can be written to. Therefore, an off-by-one can occur. The length value is interpreted as signed char on many systems (depending on default signedness of char), which can lead to an out of boundary write up to 128 bytes in front of the allocated storage, but limited to NUL byte(s). If the server sends a reply in which even the first string would overflow the transmitted bytes, list[0] (or flist[0]) will be set to NULL and a count of 0 is returned. If the resulting list is freed with XFreeExtensionList or XFreeFontPath later on, the first Xfree call is turned into Xfree (NULL-1) which will most likely trigger a segmentation fault. Casting the length value to unsigned char fixes the problem and allows string values with up to 255 characters.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 112074
    published 2018-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112074
    title FreeBSD : libX11 -- Multiple vulnerabilities (fe99d3ca-a63a-11e8-a7c6-54e1ad3d6335)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3102-1.NASL
    description This update for libX11 and libxcb fixes the following issue : libX11 : These security issues were fixed : CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062). CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068). CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 118080
    published 2018-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118080
    title SUSE SLED12 / SLES12 Security Update : libX11 / libxcb (SUSE-SU-2018:3102-1)
refmap via4
bid 105177
confirm
gentoo GLSA-201811-01
mlist
  • [debian-lts-announce] 20180829 [SECURITY] [DLA 1482-1] libx11 security update
  • [oss-security] 20180821 X.Org security advisory: August 21, 2018
  • [xorg-announce] 20180821 libX11 1.6.6
sectrack 1041543
ubuntu
  • USN-3758-1
  • USN-3758-2
Last major update 25-08-2018 - 06:29
Published 24-08-2018 - 15:29
Last modified 26-03-2019 - 21:48