The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability bulletin CVE-2016-5407 CVE-2016-7942 CVE-2016-7943

X.Org: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in X.Org.
Vulnerable systems: Debian, Fedora, OpenBSD, openSUSE, openSUSE Leap, Solaris, Slackware, Ubuntu, XOrg Bundle ~ not comprehensive, libX11.
Severity of this threat: 2/4.
Consequences of an attack: user access/rights, denial of service on client.
Attacker's origin: intranet server.
Number of vulnerabilities in this bulletin: 13.
Creation date: 05/10/2016.
References for this weakness: bulletinoct2016, CVE-2016-5407, CVE-2016-7942, CVE-2016-7943, CVE-2016-7944, CVE-2016-7945, CVE-2016-7946, CVE-2016-7947, CVE-2016-7948, CVE-2016-7949, CVE-2016-7950, CVE-2016-7951, CVE-2016-7952, CVE-2016-7953, DLA-654-1, DLA-660-1, DLA-664-1, DLA-667-1, DLA-671-1, DLA-684-1, DLA-684-2, DLA-685-1, DLA-685-2, DLA-686-1, FEDORA-2016-0e7694c456, FEDORA-2016-21f0de504c, FEDORA-2016-3b41a9eaa8, FEDORA-2016-49d560da23, FEDORA-2016-5aa206bd16, FEDORA-2016-83040426d6, FEDORA-2016-8877cf648b, FEDORA-2016-a236cb3315, FEDORA-2016-b26b497381, FEDORA-2016-c1d4b1df79, FEDORA-2016-cabb6d7ef7, FEDORA-2016-d045c2c7b3, FEDORA-2016-d286ffb801, FEDORA-2016-ff5a2f4839, openSUSE-SU-2016:2600-1, openSUSE-SU-2016:3031-1, openSUSE-SU-2016:3033-1, openSUSE-SU-2016:3034-1, openSUSE-SU-2016:3036-1, openSUSE-SU-2016:3037-1, openSUSE-SU-2016:3059-1, SSA:2016-305-02, USN-3758-1, USN-3758-2, VIGILANCE-VUL-20768.

Description of the vulnerability

Several vulnerabilities were announced in X.Org libraries.

An attacker can force a read at an invalid address via libX11 XGetImage(), in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-7942]

An attacker can force a read at an invalid address via libX11 XListFonts(), in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-7943]

An attacker can generate an integer overflow via libXfixes, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-7944]

An attacker can force a read at an invalid address via libXi, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-7945]

An attacker can generate an infinite loop via libXi, in order to trigger a denial of service. [severity:1/4; CVE-2016-7946]

An attacker can generate an integer overflow via libXrandr, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-7947]

An attacker can trigger a fatal error via libXrandr, in order to trigger a denial of service. [severity:1/4; CVE-2016-7948]

An attacker can generate a buffer overflow via libXrender, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-7949]

An attacker can generate a buffer overflow via libXrender XRenderQueryFilters, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-7950]

An attacker can force a read at an invalid address via libXtst XRecord, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-7951]

An attacker can generate an infinite loop via libXtst XRecord, in order to trigger a denial of service. [severity:1/4; CVE-2016-7952]

An attacker can generate a memory corruption via libXv, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-5407]

An attacker can force a read at an invalid address via libXvMC, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-7953]