_index

Security Advisories

This page details security issues that have been found in X.Org, and their remedies.

Please contact the X.Org security team at xorg-security@lists.x.org to report security issues in the X.Org codebase.

While the advisories are listed below by the most recent release they affect, most affect older releases as well, in many cases going back to the introduction of the affected functionality.

See the Security Checklist for the list of things to go from a bug report to a released advisory.

X.Org 7.7

• Oct. 25, 2018 Privilege escalation and file overwrite in X.Org X server 1.19 and later CVE-2018-14665

  • Please see the advisory for more information.
    

• Aug. 22, 2018 Out-of-bounds write in libXcursor prior to 1.1.15

  • libXcursor could write one byte out of bounds when processing Xcursor theme files. CVE-2015-9262.
  • Please see the advisory for more information.

• Aug. 21, 2018 Protocol handling issues in libX11 prior to 1.6.6

  • libX11 can write out of bounds or crash if servers send invalid replies. CVE-2018-14598, CVE-2018-14599, CVE-2018-14600.
  • Please see the advisory for more information.

• Oct. 12, 2017 Protocol handling issues in X servers prior to 1.19.5

  • The X server was not checking lengths of many requests from clients, and could read out of bounds. CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179, CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183, CVE-2017-12184, CVE-2017-12185, CVE-2017-12186, CVE-2017-12187
  • Please see the xorg-server 1.19.5 release announcement for more information.

• Oct. 4, 2017 X server implementation issues in MIT-SHM & XKB extensions

  • The X server can abort or overwrite the shared memory segment of another client if a client sends an invalid shared memory resource id. CVE-2017-13721.
  • The X server can write out of bounds when handling XKB strings. CVE-2017-13723.
  • Please see the advisory for more information.

• Oct. 4, 2016 Protocol handling issues in X Window System client libraries

  • X client libraries can overflow buffers or corrupt memory in clients if servers send invalid replies. CVE-2016-5407. CVE-2016-7942, CVE-2016-7943, CVE-2016-7944, CVE-2016-7945, CVE-2016-7946, CVE-2016-7947, CVE-2016-7948, CVE-2016-7949, CVE-2016-7950, CVE-2016-7951, CVE-2016-7952, CVE-2016-5953.
  • Please see the advisory (extended version) for more information.

• Apr. 14, 2015 - Buffer overflow in MakeBigReq macro in libX11 prior to 1.6

  • CVE-2013-7439 was assigned to track a buffer overflow fixed in libX11 in 2013 which requires other packages to be recompiled if they use the MakeBigReq() or SetReqLen() macros from <X11/XlibInt.h>.
  • Please see the advisory for more information.

• Mar. 17, 2015 - More BDF file parsing issues in libXfont

  • CVE-2015-1802..1804: The libXfont library used by the X server to read font files can read or write memory out of bounds when loading invalid BDF font files provided by a user.
  • Please see the advisory for more information.

• Feb 10, 2015 - Information leak in the XkbSetGeometry request of X servers

  • CVE-2015-0255: A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs.
  • Please see the advisory for more information.

• Dec. 9, 2014 - Protocol handling issues in X Window System servers

  • CVE-2014-8091..8103: X servers can access uninitialized memory or overwrite arbitrary memory in the X server process if clients send invalid requests. This could cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution. Please see the advisory for more information.

• May 13, 2014 - X Font Service Protocol & Font metadata file handling issues in libXfont

  • CVE-2014-0209: integer overflow of allocations in font metadata file parsing
  • CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
  • CVE-2014-0211: integer overflows calculating memory needs for xfs replies
  • Please see the advisory for more information.

• Jan. 7, 2014 - Stack buffer overflow in parsing of BDF font files in libXfont

  • CVE-2013-6462: An authenticated X client can cause an X server to read a font file that overflows a buffer on the stack in the X server, potentially leading to crash and/or privilege escalation in setuid servers. The fix is included in libXfont 1.4.7. Please see the advisory for more information.

• Oct. 8, 2013 - Use after free in Xserver handling of ImageText requests

  • CVE-2013-4396: An authenticated X client can cause an X server to use memory after it was freed, potentially leading to crash and/or memory corruption. Please see the advisory for more information.

• May 23, 2013 - Protocol handling issues in X Window System client libraries

  • CVE-2013-1981..2005, CVE-2013-2062..2066: X client libraries can overflow buffers or corrupt memory in clients if servers send invalid replies. Please see the advisory for more information.

• Apr 17, 2013 - vulnerability in VT-switch on Linux:

  • CVE-2013-1940: Xservers receive input from hot-plugged devices when user has switched to another VT on Linux systems. The fix was included in xorg-server 1.13.4 and xorg-server 1.14.1. Please see http://who-t.blogspot.com/2013/04/cve-2013-1940-vt-switched-servers.html for more information.

X.Org 7.6

• Jan 19, 2012 - vulnerability in default keyboard maps:
  • CVE-2012-0064: It is possible to bypass a screen locking application when displayed on Xorg 1.11 or later by using the input grab killing keystrokes, which were enabled by default. The fix was included in xkeyboard-config 2.5 to not enable those key mappings unless requested. Please see http://who-t.blogspot.com/2012/01/xkb-breaking-grabs-cve-2012-0064.html for more information.
• Oct 18, 2011 - 2 vulnerabilities related to X server lock files:
  • CVE-2011-4028: File disclosure vulnerability: It is possible to deduce if a file exists or not by exploiting the way that Xorg creates its lock files.
  • CVE-2011-4029: File permission change vulnerability: It is possible for a non-root user to set the permissions for all users on any file or directory to 444, giving unwanted read access or causing denies of service (by removing execute permission). This is caused by a race between creating the lock file and setting its access modes. Please see the advisory for more information. Patches are available: CVE-2011-4028 CVE-2011-4029 Fixes are included in xserver 1.11.2RC2 and later.
• Aug 10, 2011 - CVE-2011-2895: A specially crafted LZW compressed font file may be used by a user who can connect to the X server to overflow a buffer in the X server, possibly leading to a local privilege escalation. Please see the advisory for more information. Patch is available: CVE-2011-2895 Fix is included in libXfont 1.4.4 and later.
• Apr 5, 2011 - CVE-2011-0465: By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb. Please see the advisory for more information. Patch is available: CVE-2011-0465

X.Org 7.3

• Jun 11, 2008 - CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362: Several vulnerabilities have been found in the server-side code of some extensions in the X Window System. Improper validation of client-provided data can cause data corruption. Please see the advisory for more information. Patches are available: CVE-2008-1377 CVE-2008-1379 CVE-2008-2360 CVE-2008-2361 CVE-2008-2362
• Jan 17, 2008 - CVE-2007-5760, CVE-2007-5958, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429, CVE-2008-0006: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows. Please see the advisory for more information. Patches are available for X11R7.2: libXfont 1.2.7 and xserver 1.2 as well as for X11R7.3: libXfont 1.3.1 and xserver 1.4.
• Update Jan 21, 2008 - The patch for the MIT-SHM vulnerability (CVE-2007-6429) introduced a regression for applications that allocate pixmaps with a less than 8 bits depth. New patches are available for xserver 1.2 and xserver 1.4.
  • MD5: 8e3f74c2cabddd3d629018924140e413 xorg-xserver-1.2-multiple-overflows-v2.diff
    
  • SHA1: 38ad95d97e83861c309276a27296787e6d0d1b54 xorg-xserver-1.2-multiple-overflows-v2.diff
  • MD5: ded4bc31104aedada0155514a968b45f xorg-xserver-1.4-multiple-overflows-v2.diff
  • SHA1: af92fd389e72a3bb59d25dbf9cbb06e827b75d7d xorg-xserver-1.4-multiple-overflows-v2.diff
• Oct 2, 2007 - CVE-2007-4568: Multiple vulnerabilities in the X font server can lead to head corruption or overflow from a client. Please see the advisory for more information. This is fixed in xfs 1.0.5. A Patch is available for xfs 1.0.4.

X.Org 7.2

• April 3, 2007 - CVE-2007-1003 CVE-2007-1351 CVE-2007-1352 CVE-2007-1352: Lack of validation of parameters passed to the X server and libX11 by client application can lead to various kinds of integer overflows or stack overflows that can be used to overwrite data in the X server memory. Please see the advisory for more information. Patches are available for 7.2.

X.Org 7.1

• January 9, 2007 - CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and ProcRenderAddGlyphs() functions in the X server, implementing requests for the dbe and render extensions, may be used to overwrite data on the stack or in other parts of the X server's memory. Please see the advisory for more information. Patches are available for 6.8.2, 6.9.0, 7.0 and 7.1.
• September 12, 2006 - It may be possible for a user with the ability to set the X server font path, by making it point to a malicious font, to cause arbitrary code execution or denial of service on the X server. Please see the advisory for more information. Patches are available for 6.8.2, 6.9.0, 7.0 and 7.1.

X.Org 6.9.0/7.0

• June 20, 2006 - A lack of checks for setuid() failures when invoked by a privileged process (e.g., X server, xdm, xterm, if installed setuid or setgid) may cause the process to execute certain privileged operations (file access) as root while it was intended to be executed with a less privileged effective user ID, on systems where setuid() called by root can fail. This can be used by a malicious local user to overwrite files and possibly elevate privileges in some corner cases. Please see the advisory for more information. Patches are available for 6.8.2, 6.9.0, 7.0 and 7.1.
• May 2, 2006 - A security vulnerability has been found in the X.Org server as shipped with X11R6.8.x, X11R6.9.0 and X11R7.0 (xorg-server 1.0.x) -- this is CVE-2006-1526. Clients authorized to connect to the X server are able to crash it and to execute malicious code within the X server. Please see the advisory for more information. Patches are available for 6.8.2, 6.9.0 and 7.0.
• March 20, 2006 - A security vulnerability has been found in the X.Org server as shipped with X11R6.9.0 and X11R7.0 (xorg-server 1.0.0 and 1.0.1) -- this is CVE-2006-0745. Local users were able to escalate privileges to root and cause a DoS if the Xorg server was installed setuid root (the default). Note that earlier releases are not vulnerable. Please see the advisory for more information. Patches are available for 6.9.0 and 7.0. If you are running X11R7.0, you can upgrade xorg-server to 1.0.2 or later (release announcement).

X.Org 6.8.2

• September 12, 2005 - Due to missing range checks for the pixel size of the pixmap subsequent pixmap read/write functions can access memory outside of the allocated pixmap by any X client that can connect to the affected X server. This way any user having access to the server can access memory that is accessible from within the X server and/or crash the server. The CVE number for these vulnerabilities is CAN-2005-2495. A patch against 6.8.2 is available.

X.Org 6.8.1

• November 17, 2004 - X.Org was made aware of additional security vulnerability in libXpm, the X Pixmap library, which is shipped as part of the X Window System. The affected library is used in many popular application for image viewing and manipulation. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0914 to these issues. Patches are provided for 6.8.0 and 6.8.1. The problem is fixed in 6.8.2 and later.

X.Org 6.8.0

• September 15, 2004 - A security vulnerability has been found in libXpm, the X pixmap library which is shipped as part of the X Window System. Please check here for further information. This problem has been fixed in 6.8.1. We also provide a patch for 6.8.0 and earlier.

X11R6.6 and older

This is not a complete listing of older security issues, just those discovered more recently

• July 24, 2012 - CVE-2012-1699: A vulnerability has been found in the X11R6 font server code in the handling of the SetEventMask request in xfs which can lead to either denial of service or a leak of information from the xfs process address space. Please see the advisory for more information. Patch is included in the advisory. Fix is included in XFree86 3.3.3 and later, and X.Org X11R6.7 and later.

For older vulnerabilities, check the Open Source Vulnerability Database (OSVDB) pages for X.Org and XFree86.

• Development/Security/Advisory-2014-12-09
• Development/Security/Advisory-2015-02-10
• Development/Security/Advisory-2015-03-17
• Development/Security/Advisory-2016-10-04
• Development/Security/Organization
• X.Org Security Advisory: May 23, 2013