openSUSE Security Update: update for libX11 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:1047-1 Rating: moderate References: #815451 #821664 Cross-References: CVE-2013-1981 CVE-2013-1997 CVE-2013-2004 Affected Products: openSUSE 12.3 openSUSE 12.2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update of libX11 fixes several security issues. - U_0001-integer-overflow-in-_XQueryFont-on-32-bit-platforms-. patch, U_0002-integer-overflow-in-_XF86BigfontQueryFont-CVE-2013-1. patch, U_0003-integer-overflow-in-XListFontsWithInfo-CVE-2013-1981. patch, U_0004-integer-overflow-in-XGetMotionEvents-CVE-2013-1981-4. patch, U_0005-integer-overflow-in-XListHosts-CVE-2013-1981-5-13.pat ch, U_0006-Integer-overflows-in-stringSectionSize-cause-buffer-. patch, U_0007-integer-overflow-in-ReadInFile-in-Xrm.c-CVE-2013-198. patch, U_0008-integer-truncation-in-_XimParseStringFile-CVE-2013-1. patch, U_0009-integer-overflows-in-TransFileName-CVE-2013-1981-9-1. patch, U_0010-integer-overflow-in-XGetWindowProperty-CVE-2013-1981. patch, U_0011-integer-overflow-in-XGetImage-CVE-2013-1981-11-13.pat ch, U_0012-integer-overflow-in-XGetPointerMapping-XGetKeyboardM. patch, U_0013-integer-overflow-in-XGetModifierMapping-CVE-2013-198. patch * integer overflow in various functions, integer truncation in _XimParseStringFile() [CVE-2013-1981] (bnc#821664, bnc#815451) - U_0001-unvalidated-lengths-in-XAllocColorCells-CVE-2013-199. patch, U_0002-unvalidated-index-in-_XkbReadGetDeviceInfoReply-CVE-. patch, U_0003-unvalidated-indexes-in-_XkbReadGeomShapes-CVE-2013-1. patch, U_0004-unvalidated-indexes-in-_XkbReadGetGeometryReply-CVE-. patch, U_0005-unvalidated-index-in-_XkbReadKeySyms-CVE-2013-1997-5. patch, U_0006-unvalidated-index-in-_XkbReadKeyActions-CVE-2013-199. patch, U_0007-unvalidated-index-in-_XkbReadKeyBehaviors-CVE-2013-1. patch, U_0008-unvalidated-index-in-_XkbReadModifierMap-CVE-2013-19. patch, U_0009-unvalidated-index-in-_XkbReadExplicitComponents-CVE-. patch, U_0010-unvalidated-index-in-_XkbReadVirtualModMap-CVE-2013-. patch, U_0011-unvalidated-index-length-in-_XkbReadGetNamesReply-CV. patch, U_0012-unvalidated-length-in-_XimXGetReadData-CVE-2013-1997. patch, U_0013-Avoid-overflows-in-XListFonts-CVE-2013-1997-13-15.pat ch, U_0014-Avoid-overflows-in-XGetFontPath-CVE-2013-1997-14-15.p atch, U_0015-Avoid-overflows-in-XListExtensions-CVE-2013-1997-15-. patch * unvalidated index/length in various functions; Avoid overflows in XListFonts(), XGetFontPath(), XListExtensions() [CVE-2013-1997] (bnc##821664, bnc#815451) - U_0001-Unbounded-recursion-in-GetDatabase-when-parsing-incl. patch, U_0002-Unbounded-recursion-in-_XimParseStringFile-when-pars. patch * Unbounded recursion in GetDatabase(), _XimParseStringFile when parsing include files [CVE-2013-2004] (bnc##821664, bnc#815451) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2013-516 - openSUSE 12.2: zypper in -t patch openSUSE-2013-516 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3 (i586 x86_64): libX11-6-1.5.0-4.7.1 libX11-6-debuginfo-1.5.0-4.7.1 libX11-debugsource-1.5.0-4.7.1 libX11-devel-1.5.0-4.7.1 libX11-xcb1-1.5.0-4.7.1 libX11-xcb1-debuginfo-1.5.0-4.7.1 - openSUSE 12.3 (x86_64): libX11-6-32bit-1.5.0-4.7.1 libX11-6-debuginfo-32bit-1.5.0-4.7.1 libX11-devel-32bit-1.5.0-4.7.1 libX11-xcb1-32bit-1.5.0-4.7.1 libX11-xcb1-debuginfo-32bit-1.5.0-4.7.1 - openSUSE 12.3 (noarch): libX11-data-1.5.0-4.7.1 - openSUSE 12.2 (i586 x86_64): libX11-6-1.5.0-2.7.1 libX11-6-debuginfo-1.5.0-2.7.1 libX11-debugsource-1.5.0-2.7.1 libX11-devel-1.5.0-2.7.1 libX11-xcb1-1.5.0-2.7.1 libX11-xcb1-debuginfo-1.5.0-2.7.1 - openSUSE 12.2 (x86_64): libX11-6-32bit-1.5.0-2.7.1 libX11-6-debuginfo-32bit-1.5.0-2.7.1 libX11-devel-32bit-1.5.0-2.7.1 libX11-xcb1-32bit-1.5.0-2.7.1 libX11-xcb1-debuginfo-32bit-1.5.0-2.7.1 - openSUSE 12.2 (noarch): libX11-data-1.5.0-2.7.1 References: http://support.novell.com/security/cve/CVE-2013-1981.html http://support.novell.com/security/cve/CVE-2013-1997.html http://support.novell.com/security/cve/CVE-2013-2004.html https://bugzilla.novell.com/815451 https://bugzilla.novell.com/821664