X.Org Security Advisory: October 8, 2013 - CVE-2013-4396
Use after free in Xserver handling of ImageText requests
========================================================

Description:
============

Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org security team in which an authenticated X client can cause an X server to use memory after it was freed, potentially leading to crash and/or memory corruption.

Affected Versions
=================

This bug appears to have been introduced in RCS version 1.42 on 1993/09/18, and is thus believed to be present in every X server release starting with X11R6.0 up to the current xorg-server 1.14.3. (Manual inspection shows it is present in the sources from the X11R6 tarballs, but not in those from the X11R5 tarballs.)

Fixes
=====

A fix is available via the attached patch, which is intended to be included in xorg-server 1.15.0 and 1.14.4.

Thanks
======

X.Org thanks Pedro Ribeiro for reporting this issue to our security team at xorg-security at lists.x.org.
Fixed in xorg-server-1.9.5-r3 xorg-server-1.10.6-r3 xorg-server-1.11.4-r3 xorg-server-1.12.4-r2 xorg-server-1.13.4-r1 xorg-server-1.14.3-r2
*** Bug 487536 has been marked as a duplicate of this bug. ***
Arches, please stabilize the versions mentioned in comment 1.
For everything prior to 1.14.3 I have dropped HPPA keywording. =x11-base/xorg-server-1.14.3-r2 is stable for HPPA.
amd64 stable
arm stable
alpha stable
ia64 stable
ppc64 stable
x86 stable
ppc and sparc stable
CVE-2013-4396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4396): Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted ImageText request that triggers memory-allocation failure.
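The failure-path shape the advisory and the CVE entry describe (a request closure copied to the heap, freed when a later allocation fails, then touched again on the bail path) as an added illustration written for this page, not the xorg-server source: the struct, the fault-injecting allocator and both function bodies are hypothetical simplifications, shown buggy beside hardened.

```c
#include <stdlib.h>
enum { Success = 0, BadAlloc = 11 };          /* X protocol error codes */

/* Hypothetical, simplified stand-in for the server's ImageText closure;
 * not the xorg-server structure. */
typedef struct { int client_id; int nChars; int itemSize; char *data; } ITclosure;

/* Fault-injecting allocator: the Nth call (1-based) returns NULL; 0 = never.
 * last_bailed_client stands in for waking the blocked client in bail. */
int fail_on_call, calls, last_bailed_client;
static void *xalloc(size_t n) {
    calls++;
    return (fail_on_call && calls == fail_on_call) ? NULL : malloc(n);
}

/* Buggy shape: `c` is repointed at the heap copy, the copy is freed when the
 * second allocation fails, and the bail path dereferences it. Never called. */
int do_image_text_buggy(ITclosure *c) {
    int err = Success;
    ITclosure *new_closure = xalloc(sizeof *new_closure);
    if (!new_closure) { err = BadAlloc; goto bail; }
    *new_closure = *c;
    c = new_closure;
    c->data = xalloc((size_t) c->nChars * c->itemSize);
    if (!c->data) { free(c); err = BadAlloc; goto bail; }  /* c now dangling */
    free(c->data); free(c);
    return err;
bail:
    last_bailed_client = c->client_id;   /* use after free when data alloc failed */
    return err;
}

/* Hardened shape: keep the caller's closure and point `c` back at it before
 * bailing, so the cleanup path only touches live memory. */
int do_image_text_fixed(ITclosure *c) {
    int err = Success;
    ITclosure *old_closure = c, *new_closure = xalloc(sizeof *new_closure);
    if (!new_closure) { err = BadAlloc; goto bail; }
    *new_closure = *c;
    c = new_closure;
    c->data = xalloc((size_t) c->nChars * c->itemSize);
    if (!c->data) { free(c); c = old_closure; err = BadAlloc; goto bail; }
    free(c->data); free(c);
    return err;
bail:
    last_bailed_client = c->client_id;   /* c is the live caller-owned closure */
    return err;
}
```

Set `fail_on_call` to 2 before calling `do_image_text_fixed` to reproduce the allocation failure the CVE text refers to; the hardened path returns BadAlloc and still reaches the caller's closure safely.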
Thanks everyone, GLSA request filed.

@maintainers: cleanup vulnerable versions, please
Vulnerable versions have been removed from the tree.
This issue was resolved and addressed in GLSA 201405-07 at http://security.gentoo.org/glsa/glsa-201405-07.xml by GLSA coordinator Mikle Kolyada (Zlogene).