The following updates has been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-30-1 libx11 security update
Debian GNU/Linux 8 LTS:
DLA 1482-1: libx11 security update
Debian GNU/Linux 7 Extended LTS:
ELA-30-1 libx11 security update
Debian GNU/Linux 8 LTS:
DLA 1482-1: libx11 security update
ELA-30-1 libx11 security update
Package: libx11
Version: 2:1.5.0-1+deb7u5
Related CVE: CVE-2018-14598 CVE-2018-14599 CVE-2018-14600
Several issues were discovered in libx11, the client interface to the X Windows System. The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses. A malicious server could also send a reply in which the first string overflows, causing a variable set to NULL that will be freed later on, leading to a segmentation fault and Denial of Service. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to a Denial of Service or possibly remote code execution.
For Debian 7 Wheezy, these problems have been fixed in version 2:1.5.0-1+deb7u5.
We recommend that you upgrade your libx11 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1482-1: libx11 security update
Package : libx11
Version : 2:1.6.2-3+deb8u2
CVE ID : CVE-2018-14598 CVE-2018-14599 CVE-2018-14600
Several issues were discovered in libx11, the client interface to the
X Windows System. The functions XGetFontPath, XListExtensions, and
XListFonts are vulnerable to an off-by-one override on malicious
server responses. A malicious server could also send a reply in which
the first string overflows, causing a variable set to NULL that will
be freed later on, leading to a segmentation fault and Denial of
Service. The function XListExtensions in ListExt.c interprets a
variable as signed instead of unsigned, resulting in an out-of-bounds
write (of up to 128 bytes), leading to a Denial of Service or possibly
remote code execution.
For Debian 8 "Jessie", these problems have been fixed in version
2:1.6.2-3+deb8u2.
We recommend that you upgrade your libx11 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS