Bugzilla – Bug 1003000
VUL-0: CVE-2016-7947, CVE-2016-7948: libXrandr: insufficient validation of data can cause out of boundary memory writes.
Last modified: 2017-10-26 07:21:26 UTC
Insufficient validation of data from the X server can cause out of boundary memory writes.

Affected versions: libXrandr <= 1.5.0

Upstream fix: https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6

CVE-2016-7947 for all of the integer overflows
CVE-2016-7948 for all of the other mishandling of the reply data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7947
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7948
http://seclists.org/oss-sec/2016/q4/17
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7947.html
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html
https://access.redhat.com/security/cve/cve-2016-5407
Fix submitrequested for SUSE:SLE-12-SP2:GA (also covers Leap 42.2).
bugbot adjusting priority
SUSE-SU-2016:2505-1: An update that fixes 12 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023
CVE References: CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libX11-1.6.2-6.2, libXfixes-5.0.1-5.2, libXi-1.7.4-12.2, libXrandr-1.4.2-5.2, libXrender-0.9.8-5.2, libXtst-1.2.2-5.2, libXv-1.0.10-5.2, libXvMC-1.0.8-5.2
SUSE Linux Enterprise Server 12-SP1 (src): libX11-1.6.2-6.2, libXfixes-5.0.1-5.2, libXi-1.7.4-12.2, libXrandr-1.4.2-5.2, libXrender-0.9.8-5.2, libXtst-1.2.2-5.2, libXv-1.0.10-5.2, libXvMC-1.0.8-5.2
SUSE Linux Enterprise Desktop 12-SP1 (src): libX11-1.6.2-6.2, libXfixes-5.0.1-5.2, libXi-1.7.4-12.2, libXrandr-1.4.2-5.2, libXrender-0.9.8-5.2, libXtst-1.2.2-5.2, libXv-1.0.10-5.2, libXvMC-1.0.8-5.2
This is an autogenerated message for OBS integration:
This bug (1003000) was mentioned in
https://build.opensuse.org/request/show/435727 42.1 / libXrandr
openSUSE-SU-2016:2600-1: An update that fixes 12 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023
CVE References: CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Sources used:
openSUSE Leap 42.1 (src): libX11-1.6.3-6.1, libXfixes-5.0.1-7.1, libXi-1.7.5-3.1, libXrandr-1.5.0-3.1, libXrender-0.9.9-3.1, libXtst-1.2.2-7.1, libXv-1.0.10-7.1, libXvMC-1.0.9-3.1
SLE done, openSUSE 13.2 remains affected
(In reply to Andreas Stieger from comment #9)
> SLE done, openSUSE 13.2 remains affected

Why SLE done? I stopped working on this security update a long time ago.
SUSE-SU-2016:2828-1: An update that fixes 12 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023
CVE References: CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libX11-1.6.2-8.1, libXfixes-5.0.1-7.1, libXi-1.7.4-14.1, libXrender-0.9.8-7.1, libXtst-1.2.2-7.1, libXv-1.0.10-7.1, libXvMC-1.0.8-7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libX11-1.6.2-8.1, libXfixes-5.0.1-7.1, libXi-1.7.4-14.1, libXrender-0.9.8-7.1, libXtst-1.2.2-7.1, libXv-1.0.10-7.1, libXvMC-1.0.8-7.1
SUSE Linux Enterprise Server 12-SP2 (src): libX11-1.6.2-8.1, libXfixes-5.0.1-7.1, libXi-1.7.4-14.1, libXrender-0.9.8-7.1, libXtst-1.2.2-7.1, libXv-1.0.10-7.1, libXvMC-1.0.8-7.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libX11-1.6.2-8.1, libXfixes-5.0.1-7.1, libXi-1.7.4-14.1, libXrender-0.9.8-7.1, libXtst-1.2.2-7.1, libXv-1.0.10-7.1, libXvMC-1.0.8-7.1
https://lists.freedesktop.org/archives/xorg-devel/2016-October/051686.html
https://lists.freedesktop.org/archives/xorg-devel/2016-October/051687.html
https://lists.freedesktop.org/archives/xorg-devel/2016-October/051688.html

Will these help? That's what I found so far from upstream acknowledging the previously introduced memleaks.
Thanks. This is very useful. Now I can continue working on this. :-)
This is an autogenerated message for OBS integration:
This bug (1003000) was mentioned in
https://build.opensuse.org/request/show/441817 13.2 / libXrandr
https://build.opensuse.org/request/show/441818 42.2 / libXrandr
sle10 also done. Reassigning to security team.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-12-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63232
openSUSE-SU-2016:3034-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1002991,1002998,1003000
CVE References: CVE-2016-7942,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948
Sources used:
openSUSE Leap 42.2 (src): libXrandr-1.5.0-5.1
openSUSE Leap 42.1 (src): libX11-1.6.3-9.1, libXi-1.7.5-6.1
openSUSE 13.2 (src): libX11-1.6.2-5.6.1, libXi-1.7.4-2.3.1, libXrandr-1.4.2-4.3.1, libxcb-1.11-2.5.1
SUSE-SU-2016:3189-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1002998,1003000,1003012,1003023
CVE References: CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xorg-x11-libs-7.4-8.26.49.1
SUSE Linux Enterprise Server 11-SP4 (src): xorg-x11-libs-7.4-8.26.49.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xorg-x11-libs-7.4-8.26.49.1
This is an autogenerated message for OBS integration:
This bug (1003000) was mentioned in
https://build.opensuse.org/request/show/499416 Factory / libXrandr
released