[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] Null pointer dereference in Xedit
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2024-01-26 17:46:52
Message-ID: a40d1cb0-f4c6-436b-b693-b08904cf7b2b () oracle ! com
[Download RAW message or body]
On 1/19/24 19:48, Meng Ruijie wrote:
> [Vulnerability description]
> A NULL pointer dereference in the component /X11/xedit/lisp of Xedit v1.2.3 allows attackers \
> to cause a Denial of Service (DoS) via a crafted lisp.lsp file.
> [VulnerabilityType Other]
> null pointer deference
>
> [Vendor of Product]
> Xedit
>
> [Affected Product Code Base]
> Xedit - 1.2.3
>
> [Reference]
> https://gitlab.freedesktop.org/xorg/app/xedit/-/issues/1
>
> [CVE Reference]
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name \
> CVE-2023-45916 to this vulnerability.
I will be asking that this CVE be withdrawn on behalf of the X.Org security team.
While it is a low-priority bug, we did not see any security exposure
when this bug was first brought to our attention because there is no
way for an attacker to change the contents of the lisp.lsp file or to
cause a *.lsp file to be loaded for another user.
The bug report states "replace /usr/local/lib/X11/xedit/lisp/lisp.lsp with
the attached version," and if you can do that, you can just replace the
xedit binary with a version containing whatever code you want.
Please do not waste everyone's time requesting CVE's for other people's projects
without their knowledge or consent.
--
-Alan Coopersmith- alan.coopersmith@oracle.com
X.Org Security Response Team - xorg-security@lists.x.org
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic