X.Org Server 1.19.5 Released To Fix Another Handful Of Security Vulnerabilities

Written by Michael Larabel in X.Org on 12 October 2017 at 02:47 PM EDT. 27 Comments
X.Org Server 1.19.5 was released today to fix nearly one dozen new security vulnerabilities from recent CVE tickets.

X.Org Server 1.19.5 came out today to fix some unexpected security issues. The problems include:

CVE-2017-12176: Unvalidated extra length in ProcEstablishConnection
CVE-2017-12177: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
CVE-2017-12178: Xi: fix wrong extra length check in ProcXIChangeHierarchy
CVE-2017-12179: Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
CVE-2017-12180: hw/xfree86: unvalidated lengths
CVE-2017-12181: hw/xfree86: unvalidated lengths
CVE-2017-12182: hw/xfree86: unvalidated lengths
CVE-2017-12183: xfixes: unvalidated lengths
CVE-2017-12184: Unvalidated lengths
CVE-2017-12185: Unvalidated lengths
CVE-2017-12186: Unvalidated lengths
CVE-2017-12187: Unvalidated lengths

Ouch, so basically a lot of potential for buffer overflows. Sadly, this is not the first time we have seen a big batch of X.Org Security vulnerabilities and security researchers in the past have generally characterized X.Org security as even worse than it looks.

Red Hat's Adam Jackson wrote simply as today's 1.19.5 announcement, "One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-12176 through 2017-12187. C is a terrible language, please stop writing code in it."
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week