Security update for xorg-x11-libX11 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14748-1 Final 1 1 2021-06-15T11:05:27Z current 2021-06-15T11:05:27Z 2021-06-15T11:05:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xorg-x11-libX11 This update for xorg-x11-libX11 fixes the following issues: - Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleposp3-xorg-x11-libX11-14748,slessp4-xorg-x11-libX11-14748 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114748-1/ Link for SUSE-SU-2021:14748-1 https://lists.suse.com/pipermail/sle-security-updates/2021-June/009017.html E-Mail link for SUSE-SU-2021:14748-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1186643 SUSE Bug 1186643 https://www.suse.com/security/cve/CVE-2021-31535/ SUSE CVE CVE-2021-31535 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP4-LTSS xorg-x11-libX11-7.4-5.11.72.27.1 xorg-x11-libX11-32bit-7.4-5.11.72.27.1 xorg-x11-libX11-7.4-5.11.72.27.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 xorg-x11-libX11-7.4-5.11.72.27.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS xorg-x11-libX11-32bit-7.4-5.11.72.27.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session. CVE-2021-31535 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-libX11-7.4-5.11.72.27.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xorg-x11-libX11-32bit-7.4-5.11.72.27.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xorg-x11-libX11-7.4-5.11.72.27.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114748-1/ https://www.suse.com/security/cve/CVE-2021-31535.html CVE-2021-31535 https://bugzilla.suse.com/1182506 SUSE Bug 1182506 https://bugzilla.suse.com/1191879 SUSE Bug 1191879 https://bugzilla.suse.com/1205051 SUSE Bug 1205051