ISN 2023-22: Multiple X11 Vulnerabilities
Updated 17 October 2023 (IGEL OS 11.09.100 available)
First published 6 October 2023
CVSS 3.1: 5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A
Summary
Multiple issues have been found in the libX11 and libXpm libraries published by X.Org, which are used in IGEL OS. This affects the following IGEL products:
- IGEL OS 12
- IGEL OS 11
Details
The first issue (CVE-2023-43785) can be triggered by connecting to an X server that sends specially crafted replies to X11 protocol requests – this can happen with an X Session from IGEL OS. It can lead to an out-of-bounds memory access and is rated as medium.
The other four issues (CVE-2023-43786, CVE-2023-43787, CVE-2023-43788 and CVE-2023-43789) can be triggered by opening specially crafted XPM format image files via libXpm and can exhaust the stack, lead to a heap overflow or cause an out-of-bounds read. They are all rated as medium.
Update Instructions
- OS 12: IGEL is preparing an updated Base system for OS 12.
- OS 11: Update to IGEL OS 11.09.100 or newer.
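The following is an added example, not IGEL's or X.Org's code: a small inventory check that flags hosts whose IGEL OS 11 release is older than 11.09.100 or whose libX11 / libXpm is older than the fixed versions named in the referenced X.Org advisory (1.8.7 and 3.5.17). The device list is constructed sample data, and the parser's handling of Debian-style epoch and revision suffixes is an assumption about how versions might be reported, not something this advisory states.

```python
"""Version checks for the fixes named in ISN 2023-22 (added example).

Fixed upstream versions come from the referenced X.Org advisory:
libX11 >= 1.8.7 (CVE-2023-43785) and libXpm >= 3.5.17 (CVE-2023-43786..43789).
The IGEL OS 11 fix version is 11.09.100. The device inventory below is
constructed sample data, not real hosts.
"""
import re
from typing import Dict, List, Tuple

FIXED_LIBRARIES = {
    "libX11": "1.8.7",
    "libXpm": "3.5.17",
}
IGEL_OS11_FIXED = "11.09.100"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.8.7', '11.09.100' or '2:1.8.4-2' into a comparable integer tuple.

    Assumption: versions may carry a Debian-style epoch ('2:') and distro
    revision ('-2'); both are dropped so only the upstream version is compared.
    """
    text = text.split(":", 1)[-1]   # drop epoch, if any
    text = text.split("-", 1)[0]    # drop distro revision, if any
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a sorts before version b; missing components count as 0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def affected_libraries(installed: Dict[str, str]) -> List[str]:
    """Names of libraries in `installed` that are still below their fixed version."""
    return [
        name for name, fixed in FIXED_LIBRARIES.items()
        if name in installed and version_lt(installed[name], fixed)
    ]


def igel_os11_needs_update(os_version: str) -> bool:
    """True when an IGEL OS 11 release is older than the 11.09.100 fix."""
    return version_lt(os_version, IGEL_OS11_FIXED)


# Constructed sample inventory: host name, OS release, library versions.
SAMPLE_DEVICES = [
    {"host": "tc-001", "os": "11.08.330", "libX11": "1.8.4", "libXpm": "3.5.15"},
    {"host": "tc-002", "os": "11.09.100", "libX11": "1.8.7", "libXpm": "3.5.17"},
    {"host": "tc-003", "os": "11.09.110", "libX11": "2:1.8.7-1", "libXpm": "1:3.5.17-1"},
]


def devices_to_update(devices) -> Dict[str, dict]:
    """Map host -> findings for every device that still needs the update."""
    report = {}
    for device in devices:
        libs = affected_libraries(device)
        os_old = igel_os11_needs_update(device["os"])
        if libs or os_old:
            report[device["host"]] = {"os_below_fix": os_old, "libraries": libs}
    return report


if __name__ == "__main__":
    for host, finding in devices_to_update(SAMPLE_DEVICES).items():
        print(f"{host}: OS below {IGEL_OS11_FIXED}={finding['os_below_fix']}, "
              f"outdated libraries={finding['libraries']}")
```

Only the IGEL OS release is needed for the check this advisory actually prescribes; the library comparison is there for environments where the installed libX11 / libXpm versions can be read out directly and compared against the X.Org fix versions.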
References
- X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 - https://lists.x.org/archives/xorg/2023-October/061506.html