Libx11 Library Vulnerability Discovered

X.org library, known for providing the client implementation of the x11 protocol, has been found vulnerable. The vulnerability, identified as CVE-2023-3138, can potentially harm the memory of the client application if it communicates with a malicious X-server or an intermediate proxy under the attacker’s control.

The flaw resides in the Initext.c file of the library, where transmitted values are not being properly verified for admissibility. As a result, an array element can be overwritten by an attacker by using the X-server identifiers of the request, events, and errors. However, preliminary assessment suggests that vulnerability is restricted to the emergency completion of the process, as the field with the identifier’s size is limited by only one byte.

The X.org community quickly dealt with the problem and has fixed the issue in the latest release of libx11 1.8.6. Users are advised to update to the latest version of the library to avoid the risks associated with the vulnerability.

Note that interested readers can read the original sources of this report from the X.org mailing list or Debian Security Tracker.

/Reports, release notes, official announcements.