Bugzilla – Bug 1065386
VUL-0: CVE-2017-16612: libXcursor: heap overflows when parsing malicious files
Last modified: 2019-05-01 13:57:45 UTC
The patch hasn't been applied upstream yet. Therefore setting to NEEDINFO until Marcus can provide a CVE number.
CVE-2017-16612 is the one I got for it.
Fixed for sle12, sle11 and sle10: SR#146787, SR#146784, SR#146781. Please let me know once I can also add this patch for obs://X11:XOrg and TW/factory. I assume this is still embargoed ...
We will remove the "EMBARGOED" tag from the bug and make it public once this issue is announced by upstream; then it can be fixed in OBS.
CRD: 2017-11-28
Fixed in X11:XOrg/libXcursor and submitrequested for factory/TW/sle15 now. Reassigning.
This is an autogenerated message for OBS integration: This bug (1065386) was mentioned in https://build.opensuse.org/request/show/546195 Factory / libXcursor
Is public now: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8

Fix heap overflows when parsing malicious files. (CVE-2017-16612)

It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.

The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads.

The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
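The two defects the commit message describes, illustrated as an added C example (not libXcursor's code): a dimension check that passes although the 32-bit size product wraps, and a comment length that is read unsigned but checked as int, each beside an overflow-safe form. DIM_MAX and BYTES_PER_PIXEL follow the values quoted above; COMMENT_MAX_LEN and COMMENT_HDR_SIZE are constructed stand-ins for XCURSOR_COMMENT_MAX_LEN and sizeof (XcursorComment), whose values are not on the page.

```c
#include <stdint.h>

/* Limits modelled on the commit message: dimensions capped at 0x10000,
 * 4 bytes per pixel, 32-bit size arithmetic. Not libXcursor's own code. */
#define DIM_MAX          0x10000u
#define BYTES_PER_PIXEL  4u
/* Constructed stand-ins: the real XCURSOR_COMMENT_MAX_LEN and
 * sizeof (XcursorComment) are not quoted on the page. Note the signed constant. */
#define COMMENT_MAX_LEN  0x100000
#define COMMENT_HDR_SIZE 16u

/* Vulnerable pattern: both dimensions pass the range check, but the
 * 32-bit product wraps, so far fewer bytes are allocated than later read. */
uint32_t image_bytes_unsafe(uint32_t w, uint32_t h)
{
    if (w > DIM_MAX || h > DIM_MAX)
        return 0;
    return w * h * BYTES_PER_PIXEL;        /* 0x10000 * 0x8001 * 4 wraps to 0x40000 */
}

/* Hardened: check each multiplication against UINT32_MAX before doing it. */
uint32_t image_bytes_safe(uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0 || w > DIM_MAX || h > DIM_MAX)
        return 0;
    if (h > UINT32_MAX / w)                /* w * h would wrap */
        return 0;
    uint32_t pixels = w * h;
    if (pixels > UINT32_MAX / BYTES_PER_PIXEL)   /* * 4 would wrap */
        return 0;
    return pixels * BYTES_PER_PIXEL;
}

/* Vulnerable pattern: the file stores the length as unsigned, but the
 * callee takes int. A length >= 0x80000000 arrives negative, passes the
 * signed comparison, and the unsigned addition wraps to a tiny allocation. */
uint32_t comment_alloc_unsafe(int length)
{
    if (length > COMMENT_MAX_LEN)
        return 0;
    return (uint32_t)length + COMMENT_HDR_SIZE + 1;   /* -1 -> 16 bytes */
}
/* Hardened: keep the length unsigned through both the check and the sum. */
uint32_t comment_alloc_safe(uint32_t length)
{
    if (length > (uint32_t)COMMENT_MAX_LEN)
        return 0;
    return length + COMMENT_HDR_SIZE + 1;  /* bounded by COMMENT_MAX_LEN, cannot wrap */
}
```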
Hmm. And now my changes in obs://X11:XOrg/libXcursor are gone. :-(
This is an autogenerated message for OBS integration: This bug (1065386) was mentioned in https://build.opensuse.org/request/show/546296 Factory / libXcursor
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-12-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63901
SUSE-SU-2017:3214-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1065386
CVE References: CVE-2017-16612
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Server 12-SP3 (src): libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Server 12-SP2 (src): libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src): libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libXcursor-1.1.14-4.3.1
SUSE-SU-2018:0246-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1049692, 1050459, 1054285, 1065386
CVE References: CVE-2017-13720, CVE-2017-13722, CVE-2017-16612
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xorg-x11-libs-7.4-8.26.50.5.3
SUSE Linux Enterprise Server 11-SP4 (src): xorg-x11-libs-7.4-8.26.50.5.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xorg-x11-libs-7.4-8.26.50.5.3
Leap 42.3 submission is still needed. (not connected to SLES 12 currently)
done -> SR#578320
This is an autogenerated message for OBS integration: This bug (1065386) was mentioned in https://build.opensuse.org/request/show/578320 42.3 / libXcursor
released
openSUSE-SU-2018:0504-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1065386
CVE References: CVE-2017-16612
Sources used:
openSUSE Leap 42.3 (src): libXcursor-1.1.14-10.3.1