The popular X Windows System X.Org implementation which is used by many UNIX and Gnu/Linux operating systems has been patched to fix several critical security vulnerabilities.
The X.Org Libraries Have Been Found to Host Several Critical Vulnerabilities
X.Org is the most popular open-source implementation of the X Windows System which is also known as X11 or simply X. This is the graphical windowing system used by many UNIX, UNIX-Like, and Gnu/Linux distributions. Its libraries have been identified to host several security issues that are marked as critical by several security experts.
The initial discovery was done by Tobias Stoeckmann who is part of the OpemBSD Project. He discovered that several client libraries do not sufficiently validate the server responses which can lead to several scenarios where Xorg can be exploited locally or remotely.
The issues are the following:
- Out-of-bounds Memory read or writer error (CVE-2016-7942, CVE-2016-7943)
- Integer overflow on 32-bit systems on libXfixes version 5.0.2 (CVE-2016-7944)
- DoS condition via out-of-bounds memory access error or endless loop on libXi version 1.7.6 and earlier (CVE-2016-7945, CVE-2016-7946)
- Out-of-bounds memory write on libXrandr version 1.5.0 and earlier (CVE-2016-7947, CVE-2016-7948)
- Out-of-bounds memory write on libXrender version 0.9.9 and earlier (CVE-2016-7949, CVE-2016-7950)
- DoS condition via out of boundary memory access or endless loops on XRecord version 1.2.2 and earlier (CVE-2016-7951, CVE-2016-7952)
- Memory Corruption on libXv version 1.0.10 and earlier (CVE-2016-5407)
- Buffer read underflow on ibXvMC version 1.0.9 and earlier (CVE-2016-7953)
The X.Org Foundation has published an advisory in which they explain that most of the issues are caused because of mechanism in the client libraries that trusts the server to send correct protocol data without taking into consideration the values that can cause damage like overflow attacks.
The developers have released security patches that amend the discovered vulnerabilities. They should already be updated in the distribution packages of most operating system distributions.