Date: Tue, 28 Nov 2017 15:52:26 +0100
From: Matthieu Herrb <matthieu.herrb@...s.fr>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-16612 libXcursor: heap overflows when parsing malicious files

Hi,

X.Org has just released libXcursor version 1.1.15 which contains the
following security fix:

Author:     Tobias Stoeckmann <tobias@...eckmann.org>
AuthorDate: Sat Oct 21 23:47:52 2017 +0200
Commit:     Matthieu Herrb <matthieu@...rb.eu>
CommitDate: Sat Nov 25 11:52:34 2017 +0100

    Fix heap overflows when parsing malicious files. (CVE-2017-16612)

    It is possible to trigger heap overflows due to an integer overflow
    while parsing images and a signedness issue while parsing comments.

    The integer overflow occurs because the chosen limit 0x10000 for
    dimensions is too large for 32 bit systems, because each pixel takes
    4 bytes. Properly chosen values allow an overflow which in turn will
    lead to less allocated memory than needed for subsequent reads.

    The signedness bug is triggered by reading the length of a comment
    as unsigned int, but casting it to int when calling the function
    XcursorCommentCreate. Turning length into a negative value allows the
    check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
    addition of sizeof (XcursorComment) + 1 makes it possible to allocate
    less memory than needed for subsequent reads.

https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2

-- 
Matthieu Herrb
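The two arithmetic flaws described in the commit message, as an added example that is not libXcursor code and not part of the original post. It models a 32-bit size_t with uint32_t so it behaves the same on a 64-bit host; the function names, COMMENT_MAX_LEN and COMMENT_HDR_SIZE are hypothetical stand-ins, and only the 0x10000 limit comes from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

#define DIM_LIMIT        0x10000u  /* dimension limit quoted in the advisory */
#define COMMENT_MAX_LEN  0x100000  /* assumed stand-in for XCURSOR_COMMENT_MAX_LEN */
#define COMMENT_HDR_SIZE 16u       /* assumed stand-in for sizeof (XcursorComment) */

/* Pixel buffer size as a 32-bit size_t computes it: wraps modulo 2^32. */
uint32_t image_bytes_32bit(uint32_t width, uint32_t height)
{
    return width * height * 4u;
}

/* Hardened form: do the multiplication in 64 bits and reject what does not fit. */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0 || width > DIM_LIMIT || height > DIM_LIMIT)
        return -1;
    uint64_t need = (uint64_t)width * height * 4u;
    if (need > UINT32_MAX)
        return -1;
    *out = (uint32_t)need;
    return 0;
}

/* Weak check as described: unsigned length cast to int, upper bound only.
   The cast of a value above INT_MAX is implementation-defined; gcc/clang wrap. */
int comment_len_ok_signed(uint32_t length_from_file)
{
    int length = (int)length_from_file;
    return length <= COMMENT_MAX_LEN;
}

/* Allocation size that follows the weak check, in 32-bit arithmetic. */
uint32_t comment_alloc_32bit(uint32_t length_from_file)
{
    return COMMENT_HDR_SIZE + (uint32_t)(int)length_from_file + 1u;
}

/* Hardened form: keep the length unsigned so a huge value cannot look negative. */
int comment_len_ok_unsigned(uint32_t length_from_file)
{
    return length_from_file <= (uint32_t)COMMENT_MAX_LEN;
}

int main(void)
{
    printf("image bytes at limit: %u\n", (unsigned)image_bytes_32bit(DIM_LIMIT, DIM_LIMIT));
    return 0;
}
```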