CVE-2020-14344

NameCVE-2020-14344
DescriptionAn integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2312-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libx11 (PTS)stretch2:1.6.4-3+deb9u1vulnerable
stretch (security)2:1.6.4-3+deb9u3fixed
buster2:1.6.7-1+deb10u1fixed
bullseye, sid2:1.6.12-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libx11sourcestretch2:1.6.4-3+deb9u2DLA-2312-1
libx11sourcebuster2:1.6.7-1+deb10u1
libx11source(unstable)2:1.6.10-1

Notes

https://lists.x.org/archives/xorg-announce/2020-July/003050.html
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/0e6561efcfaa0ae7b5c74eac7e064b76d687544e
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
Original patchset introduces regression: https://bugs.debian.org/966691 and https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/116
Follow-up for regression: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b

Search for package or bug name: Reporting problems