StarlingX

CVE-2018-14599: libX11: Off-by-one error in XListExtensions in ListExt.c

Bug #1849198 reported by Bruce Jones
274
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
High
Robin Lu

Bug Description

CVE-2018-14599
status : fixed
cvss2Score : 7.5
Attack Vector: N
Access Complexity : L
Autentication: N
Availability Impact :P
Affected packages:
['libX11', 'libX11-common']
An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.
https://nvd.nist.gov/vuln/detail/CVE-2018-14599

CVE References

Bruce Jones (brucej)
tags: added: stx.security
Bruce Jones (brucej)
Changed in starlingx:
importance: Undecided → High
tags: added: stx.3.0
Revision history for this message
Ghada Khalil (gkhalil) wrote :

This CVE meets the fix criteria for StarlingX. Therefore, it needs to be fixed in master for stx.3.0 and then cherry-picked to r/stx.2.0.

tags: added: stx.2.0
summary: - Fix CVE-2018-14599
+ CVE-2018-14599: libX11: Off-by-one error in XListExtensions in ListExt.c
Revision history for this message
Ghada Khalil (gkhalil) wrote :

These two launchpads should be addressed together:
https://bugs.launchpad.net/starlingx/+bug/1849198
https://bugs.launchpad.net/starlingx/+bug/1849199

since they affect the same package and are addressed in the same package version. Please link both launchpads to the same gerrit review

Ghada Khalil (gkhalil)
Changed in starlingx:
status: New → Triaged
Cindy Xie (xxie1)
Changed in starlingx:
assignee: nobody → Cindy Xie (xxie1)
Revision history for this message
Lin Shuicheng (shuicheng) wrote :

Here is the link from Redhat:
https://access.redhat.com/errata/RHSA-2019:2079

Here is the related rpms need be upgraded:
./rpms_centos.lst:761:libX11-1.6.5-2.el7.x86_64.rpm
./rpms_centos.lst:762:libX11-common-1.6.5-2.el7.noarch.rpm
./rpms_centos.lst:763:libX11-devel-1.6.5-2.el7.x86_64.rpm
./rpms_centos.lst:786:libxkbcommon-0.7.1-1.el7.x86_64.rpm
./rpms_centos.lst:787:libxkbcommon-devel-0.7.1-1.el7.x86_64.rpm

Robin Lu (robinlu)
Changed in starlingx:
assignee: Cindy Xie (xxie1) → Robin Lu (robinlu)
Ghada Khalil (gkhalil)
information type: Private Security → Public Security
Changed in starlingx:
status: Triaged → Fix Released
Revision history for this message
Ghada Khalil (gkhalil) wrote :

Fixed by https://review.opendev.org/693297
Merged on 2019-11-22

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/698553

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (f/centos8)
Download full text (8.7 KiB)

Reviewed: https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch: f/centos8

commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <email address hidden>
Date: Wed Nov 27 17:39:51 2019 -0600

    Add feature to check if a CVE has an open launchpad

    This change enables the capability to track if a CVE to be fixed already
    has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/

    This will help the security team to focus on the CVEs that do not
    have a launchpad already open, reducing the overhead of analysis of CVEs
    already presented to the development team.

    Story:2006971

    Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
    Signed-off-by: VictorRodriguez <email address hidden>

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

    Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

    Tests:
    simplex, duplex, multi-node

    Closes-Bug: 1849205

    Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
    Signed-off-by: Robin Lu <email address hidden>

commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 15:51:29 2019 -0500

    Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html

    for more details.

    Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
    Partial-Bug: 1849197
    Signed-off-by: Jim Somerville <email address hidden>

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800

    Update sudo srpm for CVE bug

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825

    Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
    Signed-off-by: Robin Lu <email address hidden>

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

    Uprev ruby and associated gems to subminor ver 36

    All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

    along with numerous other issues.

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-Augu...

Read more...

tags: added: in-f-centos8
Revision history for this message
Ghada Khalil (gkhalil) wrote :

@Robin, please cherry-pick/port the equivalent change to the r/stx.2.0 branch.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (r/stx.2.0)

Fix proposed to branch: r/stx.2.0
Review: https://review.opendev.org/699319

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (r/stx.2.0)

Reviewed: https://review.opendev.org/699319
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=a43a3d54ffdcee496268a463d1ec230d60afaf4f
Submitter: Zuul
Branch: r/stx.2.0

commit a43a3d54ffdcee496268a463d1ec230d60afaf4f
Author: blu <email address hidden>
Date: Thu Nov 7 14:32:01 2019 +0800

    Update libX11 related rpms, due to CVE bugs

    CVE bugs: CVE-2018-14599, CVE-2018-14600

    Extra CVE bugs: CVE-2018-14598, CVE-2018-15853, CVE-2018-15854,
    CVE-2018-15855, CVE-2018-15856, CVE-2018-15857, CVE-2018-15859,
    CVE-2018-15861, CVE-2018-15862, CVE-2018-15863, CVE-2018-15864
    These extra CVE bugs are fixed together. Although libxkbcommon
    has a low score, we are including it here anyway just to stay
    consistent with RedHat's bundling decision.

    The updated rpms are selected from the link provided by RedHat.
    (https://access.redhat.com/errata/RHSA-2019:2079)

    Tests:
    simplex, duplex, multi-node

    Closes-Bug: 1849198
    Closes-Bug: 1849199

    Change-Id: I184ff40d855c60d4824e28f2fe701230191d62b0
    Signed-off-by: Robin Lu <email address hidden>
    (cherry picked from commit e4ea643e3cfbf3303e49b36915d3eb87b7fb4033)

Ghada Khalil (gkhalil)
tags: added: in-r-stx20
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.