ISN 2023-22: Multiple X11 Vulnerabilites

Updated 17 October 2023 (IGEL OS 11.09.100 available)

First published 6 October 2023

CVSS 3.1: 5.5 (Medium)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A

Summary

Multiple issues have been found in the libX11 and libXpm libraries published by X.Org, which are used in IGEL OS. This affects the following IGEL products:

• IGEL OS 12
• IGEL OS 11

Details

The first issue (CVE-2023-43785) can be triggered by connecting to an X server that sends specially crafted replies to X11 protocol requests – this can happen with an X Session from IGEL OS. It can lead to an out-of-bounds memory access and is rated as medium.

The other four issues (CVE-2023-43786, CVE-2023-43787, CVE-2023-43788 and CVE-2023-43789) can be triggered by opening specially crafted XPM format image files via libXpm and can exhaust the stack, lead to a heap overflow or cause an out-of-bounds read. They are all rated as medium.

Update Instructions

• OS 12: IGEL is preparing an updated Base system for OS 12.
• OS 11: Update to IGEL OS 11.09.100 or newer.

References

• X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 - https://lists.x.org/archives/xorg/2023-October/061506.html