Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 877461 (CVE-2022-3554, CVE-2022-3555)

Summary: <x11-libs/libX11-1.8.2: memory leak
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 15:00:35 UTC 
CVE-2022-3555 (https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8a368d808fec166b5fb3dfe6312aab22c7ee20af):

A vulnerability was found in X.org libX11 and classified as problematic. This issue affects the function _XFreeX11XCBStructure of the file xcb_disp.c. The manipulation of the argument dpy leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211055.

Patch seems unreleased.
Comment 1 Tee KOBAYASHI 2022-10-17 16:55:09 UTC 
There is a follow-up patch: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=76d1cc3c1ce943c6ff81dc8c62a1d1b30fabf02e.

Both libX11-1.7.5 and libX11-1.8.1 seem to already include these fixes.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-18 21:52:01 UTC 
CVE-2022-3554 (https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=1d11822601fd24a396b354fa616b04ed3df8b4ef):

A vulnerability has been found in X.org libX11 and classified as problematic. This vulnerability affects the function _XimRegisterIMInstantiateCallback of the file modules/im/ximcp/imsClbk.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211054 is the identifier assigned to this vulnerability.

The first CVE is indeed fixed in 1.7.5 and 1.8.1, but *this* is the
one that appears unreleased.