Security Experts:

X.Org Library Flaws Allow Privilege Escalation, DoS Attacks

X.Org developers released patches and updates to address over a dozen vulnerabilities found in several client libraries. The flaws can be exploited by local or remote attackers to cause a denial-of-service (DoS) condition or escalate privileges.

X.Org is a popular open source implementation of the X Windows System (also known as X11, X or X-Windows), the graphical windowing system used by Unix and Linux operating systems. The X.Org (Xorg) libraries provide the routines used within X-Windows applications.

Tobias Stoeckmann of the OpenBSD Project discovered that many of these client libraries don’t sufficiently validate the responses they receive from servers, which introduces vulnerabilities that could be exploited by local or remote attackers.

Here is a short description of the vulnerabilities, their CVE identifiers and the libraries they affect:

  • libX11 version 1.6.3 and earlier – out-of-bounds memory read or write error (CVE-2016-7942, CVE-2016-7943);
  • libXfixes version 5.0.2 and earlier – integer overflow on 32-bit systems (CVE-2016-7944);
  • libXi version 1.7.6 and earlier – DoS condition via out-of-bounds memory access error or endless loop (CVE-2016-7945, CVE-2016-7946);
  • libXrandr version 1.5.0 and earlier – out-of-bounds memory write (CVE-2016-7947, CVE-2016-7948);
  • libXrender version 0.9.9 and earlier – out-of-bounds memory write (CVE-2016-7949, CVE-2016-7950);
  • XRecord version 1.2.2 and earlier – DoS condition via out of boundary memory access or endless loops (CVE-2016-7951, CVE-2016-7952);
  • libXv version 1.0.10 and earlier – memory corruption (CVE-2016-5407);
  • ibXvMC version 1.0.9 and earlier – buffer read underflow (CVE-2016-7953).

In an advisory published this week, the X.Org Foundation explained that most of the flaws are caused by the fact that the client libraries trust the server to send correct protocol data, not taking into consideration that the values could cause an overflow or other damage.

“Most of the time X clients & servers are run by the same user, with the server more privileged than the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges,” said X.Org developer Matthieu Herrb.

Related: Several Vulnerabilities Patched in Libarchive Library

Related: "Libotr" Library Flaw Exposes Popular IM Apps

Related: Remote Code Execution Flaw Patched in glibc Library

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.