Security Bulletin
Summary
IBM Dynamic System Analysis (DSA) Preboot has addressed the following vulnerabilities in xorg-x11.
Vulnerability Details
DESCRIPTION: libXcursor is vulnerable to a one-byte heap-based buffer overflow, caused by improper bounds checking by the _XcursorThemeInherits in library.c. By persuading a victim to open a specially crafted Xcursor theme file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148854 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
DESCRIPTION: X.Org X server could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper validation of command line parameters. An attacker could exploit this vulnerability using the -modulepath argument or the -logfile argument to overwrite arbitrary files and execute unprivileged code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/151991 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2018-14600
DESCRIPTION: X.Org libx11 could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw. By sending a specially-crafted value, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148663 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-14599
DESCRIPTION: X.Org libx11 is vulnerable to a denial of service, caused by an off-by-one flaw in multiple functions. By sending malicious server responses, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148661 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-14598
DESCRIPTION: X.Org libx11 is vulnerable to a denial of service. By sending a specially-crafted reply, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148664 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
|
Product |
Affected Version |
|
IBM Dynamic System Analysis (DSA) Preboot |
9.6 |
Remediation/Fixes
Firmware fix versions are available on Fix Central: http://www.ibm.com/support/fixcentral/
|
Product |
Fix Version |
|
IBM Dynamic System Analysis (DSA) Preboot |
dsyte2z-9.65 |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
25 April 2019: Initial version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
25 April 2019
UID
ibm10874890