Security update for xorg-x11-libX11 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:2934-1 Final 1 1 2018-09-28T08:56:15Z current 2018-09-28T08:56:15Z 2018-09-28T08:56:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xorg-x11-libX11 This update for xorg-x11-libX11 fixes the following issues: - CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062) - CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068) - CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-xorg-x11-libX11-13801,sleposp3-xorg-x11-libX11-13801,slessp3-xorg-x11-libX11-13801,slessp4-xorg-x11-libX11-13801 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20182934-1/ Link for SUSE-SU-2018:2934-1 https://lists.suse.com/pipermail/sle-security-updates/2018-September/004622.html E-Mail link for SUSE-SU-2018:2934-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1102062 SUSE Bug 1102062 https://bugzilla.suse.com/1102068 SUSE Bug 1102068 https://bugzilla.suse.com/1102073 SUSE Bug 1102073 https://www.suse.com/security/cve/CVE-2018-14598/ SUSE CVE CVE-2018-14598 page https://www.suse.com/security/cve/CVE-2018-14599/ SUSE CVE CVE-2018-14599 page https://www.suse.com/security/cve/CVE-2018-14600/ SUSE CVE CVE-2018-14600 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 xorg-x11-libX11-devel-7.4-5.11.72.9.1 xorg-x11-libX11-devel-32bit-7.4-5.11.72.9.1 xorg-x11-libX11-7.4-5.11.72.9.1 xorg-x11-libX11-32bit-7.4-5.11.72.9.1 xorg-x11-libX11-x86-7.4-5.11.72.9.1 xorg-x11-libX11-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 xorg-x11-libX11-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS xorg-x11-libX11-32bit-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS xorg-x11-libX11-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-libX11-32bit-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-libX11-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server 11 SP4 xorg-x11-libX11-32bit-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server 11 SP4 xorg-x11-libX11-x86-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server 11 SP4 xorg-x11-libX11-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 xorg-x11-libX11-32bit-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 xorg-x11-libX11-x86-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 xorg-x11-libX11-devel-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 xorg-x11-libX11-devel-32bit-7.4-5.11.72.9.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). CVE-2018-14598 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-x86-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-x86-7.4-5.11.72.9.1 SUSE Linux Enterprise Software Development Kit 11 SP4:xorg-x11-libX11-devel-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Software Development Kit 11 SP4:xorg-x11-libX11-devel-7.4-5.11.72.9.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182934-1/ https://www.suse.com/security/cve/CVE-2018-14598.html CVE-2018-14598 https://bugzilla.suse.com/1102073 SUSE Bug 1102073 An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. CVE-2018-14599 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-x86-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-x86-7.4-5.11.72.9.1 SUSE Linux Enterprise Software Development Kit 11 SP4:xorg-x11-libX11-devel-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Software Development Kit 11 SP4:xorg-x11-libX11-devel-7.4-5.11.72.9.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182934-1/ https://www.suse.com/security/cve/CVE-2018-14599.html CVE-2018-14599 https://bugzilla.suse.com/1102062 SUSE Bug 1102062 An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. CVE-2018-14600 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server 11 SP4:xorg-x11-libX11-x86-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-7.4-5.11.72.9.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-libX11-x86-7.4-5.11.72.9.1 SUSE Linux Enterprise Software Development Kit 11 SP4:xorg-x11-libX11-devel-32bit-7.4-5.11.72.9.1 SUSE Linux Enterprise Software Development Kit 11 SP4:xorg-x11-libX11-devel-7.4-5.11.72.9.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182934-1/ https://www.suse.com/security/cve/CVE-2018-14600.html CVE-2018-14600 https://bugzilla.suse.com/1102068 SUSE Bug 1102068 https://bugzilla.suse.com/1178417 SUSE Bug 1178417