CVE-2020-14344: Integer Overflow
First published: Thu Jul 30 2020(Updated: )
An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| X.Org libX11 | <1.6.10 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| redhat/libX11 | <1.6.10 | 1.6.10 |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| debian/libx11 | 2:1.7.2-1+deb11u2 2:1.8.4-2+deb12u2 2:1.8.10-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00031.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14344
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VDDSAYV7XGNRCXE7HCU23645MG74OFF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AVXCQOSCAPKYYHFIJAZ6E2C7LJBTLXF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XY4H2SIEF2362AMNX5ZKWAELGU7LKFJB/
- https://lists.x.org/archives/xorg-announce/2020-July/003050.html
- https://security.gentoo.org/glsa/202008-18
- https://usn.ubuntu.com/4487-1/
- https://usn.ubuntu.com/4487-2/
- https://www.openwall.com/lists/oss-security/2020/07/31/1
- https://launchpad.net/bugs/cve/CVE-2020-14344
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1862519
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1862518
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/0e6561efcfaa0ae7b5c74eac7e064b76d687544e
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/40
- https://access.redhat.com/security/cve/cve-2020-14344
- https://access.redhat.com/errata/RHSA-2021:1804
- https://bugzilla.redhat.com/show_bug.cgi?id=1862255
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4VDDSAYV7XGNRCXE7HCU23645MG74OFF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7AVXCQOSCAPKYYHFIJAZ6E2C7LJBTLXF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XY4H2SIEF2362AMNX5ZKWAELGU7LKFJB/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/186164
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/116
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
- https://security-tracker.debian.org/tracker/CVE-2020-14344
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14344
- https://nvd.nist.gov/vuln/detail/CVE-2020-14344
- https://ubuntu.com/security/CVE-2020-14344
Frequently Asked Questions
What is the vulnerability ID for this security issue?
The vulnerability ID for this security issue is CVE-2020-14344.
What is the severity level of CVE-2020-14344?
CVE-2020-14344 has a severity level of medium.
What is the affected software for CVE-2020-14344?
The affected software for CVE-2020-14344 includes X.Org libX11, Ubuntu, Red Hat, IBM Cloud Pak for Security, Fedora, Canonical Ubuntu Linux, and openSUSE Leap.
How can a local attacker exploit CVE-2020-14344?
A local attacker can exploit CVE-2020-14344 by sending specially-crafted messages to the X Input Method (XIM) client implementation.
Are there any remedies available for CVE-2020-14344?
Yes, there are remedies available for CVE-2020-14344. Please refer to the provided references for more information.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-14344
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/weakness
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/description
- agent/event
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/x.org
- canonical/x.org libx11
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- package-manager/redhat
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0
- package-manager/debian