| Name | CVE-2020-14344 |
| Description | An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2312-1, ELA-255-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libx11 (PTS) | jessie, jessie (lts) | 2:1.6.2-3+deb8u7 | fixed |
| stretch (security) | 2:1.6.4-3+deb9u4 | fixed | |
| stretch (lts), stretch | 2:1.6.4-3+deb9u6 | fixed | |
| buster (security), buster, buster (lts) | 2:1.6.7-1+deb10u4 | fixed | |
| bullseye (security), bullseye | 2:1.7.2-1+deb11u2 | fixed | |
| bookworm (security), bookworm | 2:1.8.4-2+deb12u2 | fixed | |
| sid, trixie | 2:1.8.10-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libx11 | source | jessie | 2:1.6.2-3+deb8u3 | ELA-255-1 | ||
| libx11 | source | stretch | 2:1.6.4-3+deb9u2 | DLA-2312-1 | ||
| libx11 | source | buster | 2:1.6.7-1+deb10u1 | |||
| libx11 | source | (unstable) | 2:1.6.10-1 |
https://lists.x.org/archives/xorg-announce/2020-July/003050.html
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/0e6561efcfaa0ae7b5c74eac7e064b76d687544e
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
Original patchset introduces regression: https://bugs.debian.org/966691 and https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/116
Follow-up for regression: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b