
Bug 639062 (CVE-2017-16612)

Summary: <x11-libs/libXcursor-1.1.15: Heap overflows when parsing malicious files
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: x11
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---

Description Ian Zimmerman 2017-11-28 15:59:53 UTC
According to a posting on oss-security [1]:

X.Org has just release libXcursor version 1.1.15 which contains the
following security fix:

Author:     Tobias Stoeckmann <>
AuthorDate: Sat Oct 21 23:47:52 2017 +0200
Commit:     Matthieu Herrb <>
CommitDate: Sat Nov 25 11:52:34 2017 +0100

    Fix heap overflows when parsing malicious files. (CVE-2017-16612)

    It is possible to trigger heap overflows due to an integer overflow
    while parsing images and a signedness issue while parsing comments.

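The two defect classes named in the commit message above (a 32-bit size computation that wraps while parsing an image, and a length that is compared as a signed value while parsing a comment) are illustrated below on a made-up header layout. This is an added example, not libXcursor's code or its real on-disk format: the 12-byte header, the field order, MAX_DIM and MAX_COMMENT are all constructed for illustration. It shows the unchecked computations beside the bounds-checked versions a parser should use before allocating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 12-byte little-endian header (width, height, comment_len),
 * constructed for this example; it is NOT libXcursor's on-disk format. */
#define HDR_LEN 12
#define MAX_DIM 0x3fffu      /* cap on width/height: (2^14)^2 * 4 = 2^30 fits in 32-bit size_t */
#define MAX_COMMENT 4096u    /* cap on comment length */

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Defect class 1: the pixel-buffer size is computed in 32-bit arithmetic and
 * wraps, so a huge image is given a tiny (here: zero-byte) buffer, and the
 * subsequent pixel copy writes past the end of the heap allocation. */
uint32_t image_bytes_unchecked(const uint8_t *hdr) {
    uint32_t w = rd_u32le(hdr), h = rd_u32le(hdr + 4);
    return w * h * 4u;                     /* wraps for large w * h */
}

/* Hardened: bound each dimension first so the product cannot wrap,
 * then compute in size_t. Returns false on rejection. */
bool image_bytes_checked(const uint8_t *hdr, size_t *out) {
    uint32_t w = rd_u32le(hdr), h = rd_u32le(hdr + 4);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM)
        return false;
    *out = (size_t)w * (size_t)h * 4u;
    return true;
}

/* Defect class 2: the comment length is held in a signed 32-bit int, so a
 * value >= 2^31 becomes negative, passes a "len < limit" test, and is then
 * used as a huge unsigned size in the copy.
 * (The unsigned-to-int conversion relies on two's complement wrap, which
 * every mainstream ABI provides and C23 makes mandatory.) */
bool comment_len_signed_check(const uint8_t *hdr) {
    int32_t len = (int32_t)rd_u32le(hdr + 8);
    return len < (int32_t)MAX_COMMENT;     /* -16 < 4096 is true: bogus acceptance */
}

/* Hardened: keep the length unsigned and compare against the limit directly. */
bool comment_len_unsigned_check(const uint8_t *hdr, size_t *out) {
    uint32_t len = rd_u32le(hdr + 8);
    if (len > MAX_COMMENT)
        return false;
    *out = len;
    return true;
}

/* Parse a whole header the hardened way: total bytes to allocate, or 0 if
 * any field is rejected. */
size_t parse_header_checked(const uint8_t *hdr, size_t hdr_len) {
    size_t pix, com;
    if (hdr_len < HDR_LEN) return 0;
    if (!image_bytes_checked(hdr, &pix)) return 0;
    if (!comment_len_unsigned_check(hdr, &com)) return 0;
    return pix + com;
}

/* Constructed sample headers (little-endian: width, height, comment_len). */
static const uint8_t good_hdr[HDR_LEN] = {
    0x20, 0, 0, 0,   0x20, 0, 0, 0,   0x10, 0, 0, 0 };           /* 32x32, comment 16  */
static const uint8_t wrap_hdr[HDR_LEN] = {
    0, 0, 1, 0,      0, 0, 1, 0,      0x10, 0, 0, 0 };           /* 65536x65536: w*h*4 wraps to 0 */
static const uint8_t neg_hdr[HDR_LEN] = {
    0x20, 0, 0, 0,   0x20, 0, 0, 0,   0xf0, 0xff, 0xff, 0xff };  /* comment_len 0xfffffff0 = -16 as int32 */

int main(void) {
    printf("unchecked size for 65536x65536: %u bytes (wrapped)\n",
           image_bytes_unchecked(wrap_hdr));
    printf("checked parse: good=%zu wrap=%zu neg=%zu\n",
           parse_header_checked(good_hdr, HDR_LEN),
           parse_header_checked(wrap_hdr, HDR_LEN),
           parse_header_checked(neg_hdr, HDR_LEN));
    printf("signed comment check accepts 0xfffffff0: %s\n",
           comment_len_signed_check(neg_hdr) ? "yes (bug)" : "no");
    return 0;
}
```

The general rule applied here is the one the fix commit implies: every size that reaches an allocator or a copy is derived from bounded, unsigned values in an arithmetic type wide enough that the bound makes overflow impossible, and the bound is enforced before the multiplication, not after it.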
Comment 1 D'juan McDonald (domhnall) 2017-11-28 21:07:24 UTC
Thanks for the report Ian.

@maintainer(s): after bump, please call for stabilization when ready, thank you.

Gentoo Security Padawan
Comment 2 Matt Turner gentoo-dev 2017-11-29 01:41:52 UTC
Now in tree. Please proceed with stabilization.
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-29 11:19:44 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 18:54:43 UTC
x86 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-29 20:31:44 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-30 20:22:03 UTC
Stable on alpha.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-01 07:35:42 UTC
hppa/ia64/ppc/ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-12-13 21:05:58 UTC
arm stable, all arches done.
Comment 9 D'juan McDonald (domhnall) 2018-01-05 03:18:42 UTC
Thank you A/Ts, maintainer(s), please cleanup.

Gentoo Security Padawan
Comment 10 Larry the Git Cow gentoo-dev 2018-01-05 18:50:38 UTC
The bug has been referenced in the following commit(s):

commit 301bb79cee5d82e534147d942089cabaf940a3d8
Author:     Matt Turner <>
AuthorDate: 2018-01-05 18:50:13 +0000
Commit:     Matt Turner <>
CommitDate: 2018-01-05 18:50:29 +0000

    x11-libs/libXcursor: Drop vulnerable version

 x11-libs/libXcursor/Manifest                 |  1 -
 x11-libs/libXcursor/libXcursor-1.1.14.ebuild | 22 ----------------------
 2 files changed, 23 deletions(-)
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-06 01:52:05 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2018-01-07 23:28:20 UTC
This issue was resolved and addressed in
 GLSA 201801-04 at
by GLSA coordinator Aaron Bauman (b-man).