X marks the Linux security hole

The X.Org Foundation and several Linux suppliers have released security fixes for the X Window System technology on which most Linux graphical front-ends are based, patching serious holes in a graphics-manipulation component.

X.Org said a number of bugs in the libXpm library used for manipulating pixmaps could allow an attacker to execute malicious code on a Linux system. The bugs, including integer overflows, out-of-bounds memory accesses, insecure path traversal and an endless loop, could be exploited by tricking a user into viewing a specially crafted pixmap file with one of the many applications that rely on libXpm.
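The integer-overflow and out-of-bounds classes named above are the ones a pixmap parser has to defend against at its header and row-decoding steps. The following C is an added defensive illustration, not libXpm's own code or types: it parses an XPM-style "width height ncolors chars-per-pixel" values line with a refusal of negative or oversized fields, computes the pixel-buffer size with checked multiplication, and validates every row's length and colour key before indexing. The XPM_MAX_DIM ceiling, the linear colour lookup and the sample rows are assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parsed values header, "<width> <height> <ncolors> <chars_per_pixel>".
 * Added illustration; not libXpm's own structure. */
typedef struct {
    unsigned width, height, ncolors, cpp;
} xpm_values;

/* Arbitrary policy ceiling (an assumption of this example): dimensions above
 * this are refused before any allocation is attempted. */
#define XPM_MAX_DIM 32768u

/* Multiply two size_t values, reporting overflow instead of wrapping. */
static int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Read one non-negative decimal field. A leading '-' is rejected explicitly
 * because strtoul would silently wrap it to a huge value. */
static int read_field(const char **p, unsigned *out) {
    const char *s = *p;
    char *end;
    unsigned long v;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '-' || *s == '+') return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (end == s || errno == ERANGE || v > UINT_MAX) return -1;
    *p = end;
    *out = (unsigned)v;
    return 0;
}

/* Parse the values line; 0 on success, -1 on malformed or oversized input. */
int xpm_parse_values(const char *line, xpm_values *v) {
    const char *p = line;
    if (read_field(&p, &v->width) || read_field(&p, &v->height) ||
        read_field(&p, &v->ncolors) || read_field(&p, &v->cpp))
        return -1;
    if (v->width == 0 || v->height == 0 || v->ncolors == 0 || v->cpp == 0) return -1;
    if (v->width > XPM_MAX_DIM || v->height > XPM_MAX_DIM) return -1;
    return 0;
}

/* Bytes needed for a 32-bit-per-pixel buffer, with every multiply checked. */
int xpm_pixel_bytes(const xpm_values *v, size_t *bytes) {
    size_t n;
    if (checked_mul(v->width, v->height, &n)) return -1;
    return checked_mul(n, sizeof(uint32_t), bytes);
}

/* Decode pixel rows into `pixels` (width*height entries, sized by
 * xpm_pixel_bytes). Each row must be exactly width*cpp characters and each
 * colour key must exist in `keys`, so a crafted file cannot push a read or
 * write past either buffer. The colour lookup is a linear scan for brevity. */
int xpm_decode_rows(const xpm_values *v, const char *const *rows, size_t nrows,
                    const char *const *keys, const uint32_t *colors, uint32_t *pixels) {
    size_t rowlen, y, x, c;
    if (nrows != v->height) return -1;
    if (checked_mul(v->width, v->cpp, &rowlen)) return -1;
    for (y = 0; y < v->height; y++) {
        const char *row = rows[y];
        if (row == NULL || strlen(row) != rowlen) return -1;
        for (x = 0; x < v->width; x++) {
            const char *px = row + x * v->cpp;
            for (c = 0; c < v->ncolors; c++)
                if (strncmp(px, keys[c], v->cpp) == 0) break;
            if (c == v->ncolors) return -1; /* unknown colour key */
            pixels[y * v->width + x] = colors[c];
        }
    }
    return 0;
}

/* Constructed 4x2 two-colour sample; returns 1 if decoding succeeds and the
 * expected pixels land where they should. */
int xpm_demo_decode(void) {
    static const char *const keys[] = {".", "#"};
    static const uint32_t colors[] = {0x00000000u, 0xffffffffu};
    static const char *const rows[] = {"..##", "#..#"};
    uint32_t px[8];
    xpm_values v;
    if (xpm_parse_values("4 2 2 1", &v)) return 0;
    if (xpm_decode_rows(&v, rows, 2, keys, colors, px)) return 0;
    return px[2] == 0xffffffffu && px[4] == 0xffffffffu && px[5] == 0;
}

/* Constructed malformed sample: second row longer than width*cpp. Returns 1
 * if the decoder refuses it rather than reading past the row. */
int xpm_demo_reject_bad_row(void) {
    static const char *const keys[] = {".", "#"};
    static const uint32_t colors[] = {0x00000000u, 0xffffffffu};
    static const char *const rows[] = {"..##", "#..#..."};
    uint32_t px[8];
    xpm_values v;
    if (xpm_parse_values("4 2 2 1", &v)) return 0;
    return xpm_decode_rows(&v, rows, 2, keys, colors, px) == -1;
}
```

The decoder never trusts a length it did not compute itself: the buffer size comes from checked multiplication of the parsed header, and each row is measured before a single character is indexed, which is the property an image loader needs regardless of which format it reads.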

A patch was published by the foundation last week, and Novell's Suse division, Red Hat and the Gentoo Foundation have followed suit with their own patches.

The flawed library is found in both XFree86 and X.Org, two separate implementations of the X Window System. Danish security firm Secunia, which maintains a database of vulnerabilities, rated the bugs as "highly critical", its second-highest ranking out of five.

The bugs are related to earlier problems with libXpm that surfaced last month, which prompted "a more extensive security audit" by X.Org. The bugs affect X.Org releases up to and including 6.8.1, and are likely to affect any other products that include the library, such as lesstif and OpenMotif.

Many imaging-related flaws have surfaced this year, including bugs in the Mozilla Foundation's browsers, a serious Microsoft vulnerability in decoding JPEG images, and further bugs in the imlib library, Qt and Internet Explorer.

Matthew Broersma writes for Techworld