[oss-security] 20161004 X.Org security advisory: Protocol handling issues in X Window System client libraries

[oss-security] 20161004 Re: X.Org security advisory: Protocol handling issues in X Window System client libraries

93369

1036945

https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714

FEDORA-2016-ade20198ff

FEDORA-2016-8877cf648b

[xorg-announce] 20161004 X.Org security advisory: Protocol handling issues in X Window System client libraries

GLSA-201704-03

According to the versions of the libXrender package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The XRenderQueryFilters function in X.org libXrender     before 0.9.10 allows remote X servers to trigger     out-of-bounds write operations via vectors involving     filter name lengths.(CVE-2016-7950)

  - Multiple buffer overflows in the (1) XvQueryAdaptors     and (2) XvQueryEncodings functions in X.org libXrender     before 0.9.10 allow remote X servers to trigger     out-of-bounds write operations via vectors involving     length fields.(CVE-2016-7949)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libXrender packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple buffer overflows in the (1) XvQueryAdaptors     and (2) XvQueryEncodings functions in X.org libXrender     before 0.9.10 allow remote X servers to trigger     out-of-bounds write operations via vectors involving     length fields.(CVE-2016-7949)

  - The XRenderQueryFilters function in X.org libXrender     before 0.9.10 allows remote X servers to trigger     out-of-bounds write operations via vectors involving     filter name lengths.(CVE-2016-7950)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201704-03 (X.Org: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in X.Org server and       libraries. Please review the CVE identifiers referenced below for       details.
  Impact :

    A local or remote users can utilize the vulnerabilities to attach to the       X.Org session as a user and execute arbitrary code.
  Workaround :

    There is no known workaround at this time.

This update for xorg-x11-libXrender fixes the following issues :

  - insufficient validation of data from the X server can     cause out of boundary memory writes (bsc#1003002,     CVE-2016-7949, CVE-2016-7950)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of libXrender fixes the following issues :

  - insufficient validation of data from the X server could     cause out of boundary memory writes (boo#1003002,     CVE-2016-7949, CVE-2016-7950)

This update for the X Window System client libraries fixes a class of privilege escalation issues. A malicious X Server could send specially crafted data to X clients, which allowed for triggering crashes, or privilege escalation if this relationship was untrusted or crossed user or permission level boundaries. libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically: libX11 :

  - CVE-2016-7942: insufficient validation of data from the     X server allowed out of boundary memory read     (bsc#1002991) libXfixes :

  - CVE-2016-7944: insufficient validation of data from the     X server can cause an integer overflow on 32 bit     architectures (bsc#1002995) libXi :

  - CVE-2016-7945, CVE-2016-7946: insufficient validation of     data from the X server can cause out of boundary memory     access or endless loops (Denial of Service)     (bsc#1002998) libXtst :

  - CVE-2016-7951, CVE-2016-7952: insufficient validation of     data from the X server can cause out of boundary memory     access or endless loops (Denial of Service)     (bsc#1003012) libXv :

  - CVE-2016-5407: insufficient validation of data from the     X server can cause out of boundary memory and memory     corruption (bsc#1003017) libXvMC :

  - CVE-2016-7953: insufficient validation of data from the     X server can cause a one byte buffer read underrun     (bsc#1003023) libXrender :

  - CVE-2016-7949, CVE-2016-7950: insufficient validation of     data from the X server can cause out of boundary memory     writes (bsc#1003002) libXrandr :

  - CVE-2016-7947, CVE-2016-7948: insufficient validation of     data from the X server can cause out of boundary memory     writes (bsc#1003000)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2016-7949, CVE-2016-7950

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New x11 packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

This update for the X Window System client libraries fixes a class of privilege escalation issues.

A malicious X Server could send specially crafted data to X clients, which allowed for triggering crashes, or privilege escalation if this relationship was untrusted or crossed user or permission level boundaries.

libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically :

libX11 :

  - CVE-2016-7942: insufficient validation of data from the     X server allowed out of boundary memory read     (bsc#1002991)

libXfixes :

  - CVE-2016-7944: insufficient validation of data from the     X server can cause an integer overflow on 32 bit     architectures (bsc#1002995)

libXi :

  - CVE-2016-7945, CVE-2016-7946: insufficient validation of     data from the X server can cause out of boundary memory     access or endless loops (Denial of Service)     (bsc#1002998)

libXtst :

  - CVE-2016-7951, CVE-2016-7952: insufficient validation of     data from the X server can cause out of boundary memory     access or endless loops (Denial of Service)     (bsc#1003012)

libXv :

  - CVE-2016-5407: insufficient validation of data from the     X server can cause out of boundary memory and memory     corruption (bsc#1003017)

libXvMC :

  - CVE-2016-7953: insufficient validation of data from the     X server can cause a one byte buffer read underrun     (bsc#1003023)

libXrender :

  - CVE-2016-7949, CVE-2016-7950: insufficient validation of     data from the X server can cause out of boundary memory     writes (bsc#1003002)

libXrandr :

  - CVE-2016-7947, CVE-2016-7948: insufficient validation of     data from the X server can cause out of boundary memory     writes (bsc#1003000)

This update was imported from the SUSE:SLE-12:Update update project.

Tobias Stoeckmann from the OpenBSD project has discovered a number of issues in the way various X client libraries handle the responses they receive from servers. Insufficient validation of data from the X server could cause out of boundary memory writes in the libXrender library potentially allowing the user to escalate their privileges.

For Debian 7 'Wheezy', these problems have been fixed in version 1:0.9.7-1+deb7u3.

We recommend that you upgrade your libxrender packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
140968	EulerOS Virtualization for ARM 64 3.0.6.0 : libXrender (EulerOS-SA-2020-2020)	Nessus	Huawei Local Security Checks	critical
131612	EulerOS 2.0 SP2 : libXrender (EulerOS-SA-2019-2458)	Nessus	Huawei Local Security Checks	critical
99276	GLSA-201704-03 : X.Org: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
95804	SUSE SLES11 Security Update : xorg-x11-libXrender (SUSE-SU-2016:3115-1)	Nessus	SuSE Local Security Checks	critical
95645	openSUSE Security Update : libXrender (openSUSE-2016-1421)	Nessus	SuSE Local Security Checks	critical
94939	SUSE SLED12 / SLES12 Security Update : X Window System client libraries (SUSE-SU-2016:2828-1)	Nessus	SuSE Local Security Checks	critical
94848	Fedora 25 : libXrender (2016-ade20198ff)	Nessus	Fedora Local Security Checks	critical
94484	Fedora 23 : libXrender (2016-49d560da23)	Nessus	Fedora Local Security Checks	critical
94439	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : x11 (SSA:2016-305-02)	Nessus	Slackware Local Security Checks	critical
94220	openSUSE Security Update : X Window System client libraries (openSUSE-2016-1214)	Nessus	SuSE Local Security Checks	critical
94112	Debian DLA-664-1 : libxrender security update	Nessus	Debian Local Security Checks	critical
94036	SUSE SLED12 / SLES12 Security Update : X Window System client libraries (SUSE-SU-2016:2505-1)	Nessus	SuSE Local Security Checks	critical
93924	Fedora 24 : libXrender (2016-8877cf648b)	Nessus	Fedora Local Security Checks	critical

CVE-2016-7950

critical

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical