libX11-6-1.7.2-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10918-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libX11-6-1.7.2-1.2 on GA media These are all security issues fixed in the libX11-6-1.7.2-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10918 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-14598/ SUSE CVE CVE-2018-14598 page https://www.suse.com/security/cve/CVE-2018-14599/ SUSE CVE CVE-2018-14599 page https://www.suse.com/security/cve/CVE-2018-14600/ SUSE CVE CVE-2018-14600 page https://www.suse.com/security/cve/CVE-2020-14344/ SUSE CVE CVE-2020-14344 page https://www.suse.com/security/cve/CVE-2020-14363/ SUSE CVE CVE-2020-14363 page https://www.suse.com/security/cve/CVE-2021-31535/ SUSE CVE CVE-2021-31535 page openSUSE Tumbleweed libX11-6-1.7.2-1.2 libX11-6-32bit-1.7.2-1.2 libX11-data-1.7.2-1.2 libX11-devel-1.7.2-1.2 libX11-devel-32bit-1.7.2-1.2 libX11-xcb1-1.7.2-1.2 libX11-xcb1-32bit-1.7.2-1.2 libX11-6-1.7.2-1.2 as a component of openSUSE Tumbleweed libX11-6-32bit-1.7.2-1.2 as a component of openSUSE Tumbleweed libX11-data-1.7.2-1.2 as a component of openSUSE Tumbleweed libX11-devel-1.7.2-1.2 as a component of openSUSE Tumbleweed libX11-devel-32bit-1.7.2-1.2 as a component of openSUSE Tumbleweed libX11-xcb1-1.7.2-1.2 as a component of openSUSE Tumbleweed libX11-xcb1-32bit-1.7.2-1.2 as a component of openSUSE Tumbleweed An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). CVE-2018-14598 openSUSE Tumbleweed:libX11-6-1.7.2-1.2 openSUSE Tumbleweed:libX11-6-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-data-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-32bit-1.7.2-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14598.html CVE-2018-14598 https://bugzilla.suse.com/1102073 SUSE Bug 1102073 An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. CVE-2018-14599 openSUSE Tumbleweed:libX11-6-1.7.2-1.2 openSUSE Tumbleweed:libX11-6-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-data-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-32bit-1.7.2-1.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14599.html CVE-2018-14599 https://bugzilla.suse.com/1102062 SUSE Bug 1102062 An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. CVE-2018-14600 openSUSE Tumbleweed:libX11-6-1.7.2-1.2 openSUSE Tumbleweed:libX11-6-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-data-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-32bit-1.7.2-1.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14600.html CVE-2018-14600 https://bugzilla.suse.com/1102068 SUSE Bug 1102068 https://bugzilla.suse.com/1178417 SUSE Bug 1178417 An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux. CVE-2020-14344 openSUSE Tumbleweed:libX11-6-1.7.2-1.2 openSUSE Tumbleweed:libX11-6-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-data-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-32bit-1.7.2-1.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14344.html CVE-2020-14344 https://bugzilla.suse.com/1174628 SUSE Bug 1174628 https://bugzilla.suse.com/1174638 SUSE Bug 1174638 https://bugzilla.suse.com/1175880 SUSE Bug 1175880 An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability. CVE-2020-14363 openSUSE Tumbleweed:libX11-6-1.7.2-1.2 openSUSE Tumbleweed:libX11-6-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-data-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-32bit-1.7.2-1.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14363.html CVE-2020-14363 https://bugzilla.suse.com/1175239 SUSE Bug 1175239 LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session. CVE-2021-31535 openSUSE Tumbleweed:libX11-6-1.7.2-1.2 openSUSE Tumbleweed:libX11-6-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-data-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-1.7.2-1.2 openSUSE Tumbleweed:libX11-devel-32bit-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-1.7.2-1.2 openSUSE Tumbleweed:libX11-xcb1-32bit-1.7.2-1.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-31535.html CVE-2021-31535 https://bugzilla.suse.com/1182506 SUSE Bug 1182506 https://bugzilla.suse.com/1191879 SUSE Bug 1191879 https://bugzilla.suse.com/1205051 SUSE Bug 1205051