X.Org Security Advisory: October 8, 2013 - CVE-2013-4396
Use after free in Xserver handling of ImageText requests
Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org security
team in which an authenticated X client can cause an X server to use memory
after it was freed, potentially leading to crash and/or memory corruption.
This bug appears to have been introduced in RCS version 1.42 on 1993/09/18,
and is thus believed to be present in every X server release starting with
X11R6.0 up to the current xorg-server 1.14.3. (Manual inspection shows it
is present in the sources from the X11R6 tarballs, but not in those from the
A fix is available via the attached patch, which is intended to be included
in xorg-server 1.15.0 and 1.14.4.
X.Org thanks Pedro Ribeiro for reporting this issue to our security team at
xorg-security at lists.x.org.
*** Bug 487536 has been marked as a duplicate of this bug. ***
Arches, please stabilize the versions mentioned in comment 1.
For everything prior to 1.14.3 I have dropped HPPA keywording.
=x11-base/xorg-server-1.14.3-r2 is stable for HPPA.
ppc and sparc stable
Use-after-free vulnerability in the doImageText function in dix/dixfonts.c
in the xorg-server module before 1.14.4 in X.Org X11 allows remote
authenticated users to cause a denial of service (daemon crash) or possibly
execute arbitrary code via a crafted ImageText request that triggers
Thanks everyone, GLSA request filed
@maintainers: cleanup vulnerable versions, please
Vulnerable versions have been removed from the tree.
This issue was resolved and addressed in
GLSA 201405-07 at http://security.gentoo.org/glsa/glsa-201405-07.xml
by GLSA coordinator Mikle Kolyada (Zlogene).