Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 28 Nov 2017 15:52:26 +0100
From: Matthieu Herrb <>
Subject: CVE-2017-16612 libXcursor: heap overflows when parsing malicious


X.Org has just release libXcursor version 1.1.15 which contains the
following security fix:

Author:     Tobias Stoeckmann <>
AuthorDate: Sat Oct 21 23:47:52 2017 +0200
Commit:     Matthieu Herrb <>
CommitDate: Sat Nov 25 11:52:34 2017 +0100

    Fix heap overflows when parsing malicious files. (CVE-2017-16612)

    It is possible to trigger heap overflows due to an integer overflow
    while parsing images and a signedness issue while parsing comments.

    The integer overflow occurs because the chosen limit 0x10000 for
    dimensions is too large for 32 bit systems, because each pixel takes
    4 bytes. Properly chosen values allow an overflow which in turn will
    lead to less allocated memory than needed for subsequent reads.

    The signedness bug is triggered by reading the length of a comment
    as unsigned int, but casting it to int when calling the function
    XcursorCommentCreate. Turning length into a negative value allows the
    check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
    addition of sizeof (XcursorComment) + 1 makes it possible to allocate
    less memory than needed for subsequent reads.
Matthieu Herrb

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.