SecurityTracker.com


 


Category:   Application (Generic)  >   X
Vendors:   X.org
(HP Issues Fix for HP-UX) X Window Client Library Protocol Handling Flaws Let Remote Authenticated or Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1033258
SecurityTracker URL:  http://securitytracker.com/id/1033258
CVE Reference:   CVE-2013-1981, CVE-2013-1982, CVE-2013-1997, CVE-2013-2002, CVE-2013-2004, CVE-2013-2005, CVE-2013-2062, CVE-2013-2063
Date:  Aug 12 2015
Impact:   User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.5.99.902
Description:   Multiple vulnerabilities were reported in X. A remote authenticated or local user can obtain elevated privileges on the target system.

Several X Window System client libraries do not properly validate data returned from an X server.

A remote authenticated or local user may be able to exploit this to cause arbitrary code to be executed by the target X client. If the X client runs with privileges, the user may be able to obtain those privileges.

An integer overflow in libX11 may occur in XQueryFont(), _XF86BigfontQueryFont(), XListFontsWithInfo(), XGetMotionEvents(), XListHosts(), XGetModifierMapping(), XGetPointerMapping(), XGetKeyboardMapping(), XGetWindowProperty(), and XGetImage() [CVE-2013-1981].

An integer overflow in libXext may occur in XcupGetReservedColormapEntries(), XcupStoreColors(), XdbeGetVisualInfo(), XeviGetVisualInfo(), XShapeGetRectangles(), and XSyncListSystemCounters() [CVE-2013-1982].

An integer overflow in libXfixes may occur in XFixesGetCursorImage() [CVE-2013-1983].

An integer overflow in libXi may occur in XGetDeviceControl(), XGetFeedbackControl(), XGetDeviceDontPropagateList(), XGetDeviceMotionEvents(), XIGetProperty(), XIGetSelectedEvents(), XGetDeviceProperties(), and XListInputDevices() [CVE-2013-1984].

An integer overflow in libXinerama may occur in XineramaQueryScreens() [CVE-2013-1985].

An integer overflow in libXp may occur in XpGetAttributes(), XpGetOneAttribute(), XpGetPrinterList(), and XpQueryScreens() [CVE-2013-2062].

An integer overflow in libXrandr may occur in XRRQueryOutputProperty() and XRRQueryProviderProperty() [CVE-2013-1986].

An integer overflow in libXrender may occur in XRenderQueryFilters(), XRenderQueryFormats(), and XRenderQueryPictIndexValues() [CVE-2013-1987].

An integer overflow in libXRes may occur in XResQueryClients() and XResQueryClientResources() [CVE-2013-1988].

An integer overflow in libXtst may occur in XRecordGetContext() [CVE-2013-2063].

An integer overflow in libXv may occur in XvQueryPortAttributes(), XvListImageFormats(), and XvCreateImage() [CVE-2013-1989].

An integer overflow in libXvMC may occur in XvMCListSurfaceTypes() and XvMCListSubpictureTypes() [CVE-2013-1990].

An integer overflow in libXxf86dga may occur in XDGAQueryModes() and XDGASetMode() [CVE-2013-1991].

An integer overflow in libdmx may occur in DMXGetScreenAttributes(), DMXGetWindowAttributes(), and DMXGetInputAttributes() [CVE-2013-1992].

An integer overflow in libxcb may occur in read_packet() [CVE-2013-2064].

An integer overflow in libGLX may occur in XF86DRIOpenConnection() and XF86DRIGetClientDriverName() [CVE-2013-1993].

An integer overflow in libchromeXvMC and libchromeXvMCPro in openChrome may occur in uniDRIOpenConnection() and uniDRIGetClientDriverName() [CVE-2013-1994].

A sign extension flaw in libXi may occur in XListInputDevices() [CVE-2013-1995].

A sign extension flaw in libFS may occur in FSOpenServer() [CVE-2013-1996].

A buffer overflow in libX11 may occur in XAllocColorCells(), _XkbReadGetDeviceInfoReply(), _XkbReadGeomShapes(), _XkbReadGetGeometryReply(), _XkbReadKeySyms(), _XkbReadKeyActions(), _XkbReadKeyBehaviors(), _XkbReadModifierMap(), _XkbReadExplicitComponents(), _XkbReadVirtualModMap(), _XkbReadGetNamesReply(), _XkbReadGetMapReply(), _XimXGetReadData(), XListFonts(), XListExtensions(), and XGetFontPath() [CVE-2013-1997].

A buffer overflow in libXi may occur in XGetDeviceButtonMapping(), _XIPassiveGrabDevice(), and XQueryDeviceState() [CVE-2013-1998].

A buffer overflow in libXv may occur in XvQueryPortAttributes() [CVE-2013-2066].

A buffer overflow in libXvMC may occur in XvMCGetDRInfo() [CVE-2013-1999].

A buffer overflow in libXxf86dga may occur in XDGAQueryModes() and XDGASetMode() [CVE-2013-2000].

A buffer overflow in libXxf86vm may occur in XF86VidModeGetGammaRamp() [CVE-2013-2001].

A buffer overflow in libXt may occur in _XtResourceConfigurationEH() [CVE-2013-2002].

An integer overflow in libX11 may occur in LoadColornameDB(), XrmGetFileDatabase(), _XimParseStringFile(), and TransFileName() [CVE-2013-1981].

An integer overflow in libXcursor may occur in _XcursorFileHeaderCreate() [CVE-2013-2003].

An unbounded recursion parsing error in libX11 may occur in GetDatabase() and _XimParseStringFile() [CVE-2013-2004].

A memory corruption error in libXt may occur in ReqCleanup(), HandleSelectionEvents(), ReqTimedOut(), HandleNormal(), and HandleSelectionReplies() [CVE-2013-2005].
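
The integer overflow entries above stem from client code sizing a buffer from a value the X server supplied without validating it. The following is an added illustration of that pattern beside a hardened form; it is not X.org or HP code, the struct and function names are hypothetical, and the counts are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins: a reply header whose count field is server-controlled,
 * and the fixed-size record the client expects n_items of. Hypothetical names. */
struct reply_hdr { uint32_t n_items; };
struct item { uint32_t v[4]; };            /* 16 bytes per record */

/* Unchecked pattern: 32-bit multiply wraps, so a huge count yields a tiny size. */
static uint32_t unchecked_size(const struct reply_hdr *r)
{
    return r->n_items * (uint32_t)sizeof(struct item);
}

/* Hardened pattern: refuse counts whose byte size would wrap, and counts that
 * claim more data than the reply actually carried. Returns 0 on success. */
static int checked_size(const struct reply_hdr *r, uint32_t bytes_in_reply,
                        uint32_t *out)
{
    if (r->n_items > UINT32_MAX / sizeof(struct item))
        return -1;                          /* multiplication would overflow */
    uint32_t need = r->n_items * (uint32_t)sizeof(struct item);
    if (need > bytes_in_reply)
        return -1;                          /* count disagrees with reply length */
    *out = need;
    return 0;
}

int main(void)
{
    struct reply_hdr bad = { 0x10000001u }; /* constructed oversized count */
    struct reply_hdr ok  = { 3 };
    uint32_t need = 0;

    printf("unchecked size for bad count: %u bytes\n",
           (unsigned)unchecked_size(&bad));
    int rc_bad = checked_size(&bad, 64, &need);
    int rc_ok  = checked_size(&ok, 48, &need);
    printf("checked(bad) = %d, checked(ok) = %d, need = %u\n",
           rc_bad, rc_ok, (unsigned)need);
    return 0;
}
```

A buffer allocated with the unchecked size would be far smaller than the number of records the client then tries to store in it, which is why the fix is to validate the count before any allocation or copy.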

Ilja van Sprundel of IOActive reported these vulnerabilities.

Impact:   A remote authenticated or local user can obtain elevated privileges on the target system.
Solution:   HP has issued a fix for CVE-2013-1981, CVE-2013-1982, CVE-2013-1997, CVE-2013-2002, CVE-2013-2004, CVE-2013-2005, CVE-2013-2062, and CVE-2013-2063.

The HP advisory is available at:

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04341797

Vendor URL:  h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04341797
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  UNIX (HP/UX)
Underlying OS Comments:  11.11, 11.23, and 11.31

Message History:   This archive entry is a follow-up to the message listed below.
May 23 2013 X Window Client Library Protocol Handling Flaws Let Remote Authenticated or Local Users Gain Elevated Privileges




Copyright 2019, SecurityGlobal.net LLC