oss-security - Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Wed, 24 Jan 2024 10:29:29 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 &
 libXpm prior to 3.5.17

On 10/3/23 09:31, Alan Coopersmith wrote:
> 2) CVE-2023-43786 libX11: stack exhaustion from infinite recursion
>     in PutSubImage()
> 
> Introduced in: X11R2 [released Feb. 1988]
> Fixed in: libX11 1.8.7
> Found by: Yair Mizrahi of the JFrog Vulnerability Research team

> 3) CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to
>     a heap overflow
> 
> Introduced in: X11R2 [released Feb. 1988]
> Fixed in: libX11 1.8.7
> Found by: Yair Mizrahi of the JFrog Vulnerability Research team
> Fixed by: Yair Mizrahi of the JFrog Vulnerability Research team

Yair Mizrahi has now posted more about these two issues at:

https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-one/
https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/

-- 
      -Alan Coopersmith-              alan.coopersmith@...cle.com
        X.Org Security Response Team - xorg-security@...ts.x.org

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.