X.Org Server 1.19.5 Released To Fix Another Handful Of Security Vulnerabilities

X.Org Server 1.19.5 was released today to fix nearly one dozen new security vulnerabilities from recent CVE tickets.

X.Org Server 1.19.5 came out today to fix some unexpected security issues. The problems include:

CVE-2017-12176: Unvalidated extra length in ProcEstablishConnection
CVE-2017-12177: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
CVE-2017-12178: Xi: fix wrong extra length check in ProcXIChangeHierarchy
CVE-2017-12179: Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
CVE-2017-12180: hw/xfree86: unvalidated lengths
CVE-2017-12181: hw/xfree86: unvalidated lengths
CVE-2017-12182: hw/xfree86: unvalidated lengths
CVE-2017-12183: xfixes: unvalidated lengths
CVE-2017-12184: Unvalidated lengths
CVE-2017-12185: Unvalidated lengths
CVE-2017-12186: Unvalidated lengths
CVE-2017-12187: Unvalidated lengths

Ouch, so basically a lot of potential for buffer overflows. Sadly, this is not the first time we have seen a big batch of X.Org Security vulnerabilities and security researchers in the past have generally characterized X.Org security as even worse than it looks.

Red Hat's Adam Jackson wrote simply as today's 1.19.5 announcement, "One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-12176 through 2017-12187. C is a terrible language, please stop writing code in it."