CVE-2020-14344: Integer Overflow
First published: Thu Jul 30 2020(Updated: )
An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| X.Org libX11 | <1.6.10 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| redhat/libX11 | <1.6.10 | 1.6.10 |
| ubuntu/libx11 | <2:1.6.2-1ubuntu2.1+ | 2:1.6.2-1ubuntu2.1+ |
| ubuntu/libx11 | <2:1.6.10-1 | 2:1.6.10-1 |
| ubuntu/libx11 | <2:1.6.4-3ubuntu0.3 | 2:1.6.4-3ubuntu0.3 |
| ubuntu/libx11 | <2:1.6.9-2ubuntu1.1 | 2:1.6.9-2ubuntu1.1 |
| ubuntu/libx11 | <2:1.6.3-1ubuntu2.2 | 2:1.6.3-1ubuntu2.2 |
| debian/libx11 | 2:1.6.7-1+deb10u2 2:1.6.7-1+deb10u4 2:1.7.2-1+deb11u2 2:1.8.4-2+deb12u2 2:1.8.7-1 |
Remedy
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/0e6561efcfaa0ae7b5c74eac7e064b76d687544e
Remedy
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
Remedy
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
Remedy
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
Remedy
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
Remedy
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
Remedy
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/d15c24c8b44be5e4054c8ecd0ff9dcf2c8e18e5b
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00031.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14344
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VDDSAYV7XGNRCXE7HCU23645MG74OFF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AVXCQOSCAPKYYHFIJAZ6E2C7LJBTLXF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XY4H2SIEF2362AMNX5ZKWAELGU7LKFJB/
- https://lists.x.org/archives/xorg-announce/2020-July/003050.html
- https://security.gentoo.org/glsa/202008-18
- https://usn.ubuntu.com/4487-1/
- https://usn.ubuntu.com/4487-2/
- https://www.openwall.com/lists/oss-security/2020/07/31/1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/186164
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2020-14344
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1862519
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1862518
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/0e6561efcfaa0ae7b5c74eac7e064b76d687544e
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/40
- https://access.redhat.com/security/cve/cve-2020-14344
- https://access.redhat.com/errata/RHSA-2021:1804
- https://bugzilla.redhat.com/show_bug.cgi?id=1862255
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4VDDSAYV7XGNRCXE7HCU23645MG74OFF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7AVXCQOSCAPKYYHFIJAZ6E2C7LJBTLXF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XY4H2SIEF2362AMNX5ZKWAELGU7LKFJB/
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/116
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
- https://security-tracker.debian.org/tracker/CVE-2020-14344
- https://ubuntu.com/security/notices/USN-4487-1
- https://ubuntu.com/security/notices/USN-4487-2
- https://www.cve.org/CVERecord?id=CVE-2020-14344
- https://nvd.nist.gov/vuln/detail/CVE-2020-14344
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/d15c24c8b44be5e4054c8ecd0ff9dcf2c8e18e5b
- https://ubuntu.com/security/CVE-2020-14344
Frequently Asked Questions
What is the vulnerability ID for this security issue?
The vulnerability ID for this security issue is CVE-2020-14344.
What is the severity level of CVE-2020-14344?
CVE-2020-14344 has a severity level of medium.
What is the affected software for CVE-2020-14344?
The affected software for CVE-2020-14344 includes X.Org libX11, Ubuntu, Red Hat, IBM Cloud Pak for Security, Fedora, Canonical Ubuntu Linux, and openSUSE Leap.
How can a local attacker exploit CVE-2020-14344?
A local attacker can exploit CVE-2020-14344 by sending specially-crafted messages to the X Input Method (XIM) client implementation.
Are there any remedies available for CVE-2020-14344?
Yes, there are remedies available for CVE-2020-14344. Please refer to the provided references for more information.
- collector/nvd-index
- collector/ibm-support
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-14344
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/references
- agent/description
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- agent/weakness
- agent/tags
- agent/softwarecombine
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/x.org
- canonical/x.org libx11
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu