[ANNOUNCE] X.Org Security Advisory: Buffer overflow in MakeBigReq macro

Alan Coopersmith alan.coopersmith at oracle.com
Tue Apr 14 08:57:18 PDT 2015

X.Org Security Advisory:  April 14, 2015
Buffer overflow in MakeBigReq macro in libX11 prior to 1.6 [CVE-2013-7439]


It's been brought to X.Org's attention that this commit:


which was included in libX11 (1.6 RC1) and later releases fixed 
an issue which may be exploitable when X clients are rendering untrusted 
content, such as in web browsers.

Mitre has thus issued CVE-2013-7439 for tracking this vulnerability.
Further discussion is available in the oss-security thread starting at 
http://seclists.org/oss-sec/2015/q2/73 .

Note that as this affects a macro in a header file, all software using this
macro will need to be recompiled for the fix to take effect.  Since the
Xlibint.h header provides access to the internals of libX11, it should
not be directly accessed by most clients, but nearly all of the Xlib-based
extension libraries are affected, as are some third-party client libraries
and programs who have ill-advisedly relied on libX11 internals.

X.Org software known to use these macros includes:


Some uses of the macros in other software may be found at:
but of course, only a search of your own code base will be exhaustive.

Affected Versions

The off-by-one-word error in the amount of memory to copy was introduced
in the original integration of the BigRequests extension for X11R6.0:
thus X.Org believes all versions of X11R6.x are affected, as are all versions
of the standalone libX11 prior to the libX11 1.6.0 release in June 2013.


As noted above, the fix is already available in this libX11 git commit:
which is also included in libX11 1.6.0 and later module releases from X.Org,
however, for the fix to be effective, all software which references the
MakeBigReq() or SetReqLen() macros from Xlibint.h must be recompiled with
the new header.

        -Alan Coopersmith-              alan.coopersmith at oracle.com
          X.Org Security Response Team - xorg-security at lists.x.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.x.org/archives/xorg-announce/attachments/20150414/f98665fc/attachment.sig>

More information about the xorg-announce mailing list