Gentoo update for xkbcommon
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2018-15853 CVE-2018-15854 CVE-2018-15855 CVE-2018-15856 CVE-2018-15857 CVE-2018-15858 CVE-2018-15859 CVE-2018-15861 CVE-2018-15862 CVE-2018-15863 CVE-2018-15864 |
| CWE-ID | CWE-20 CWE-476 CWE-835 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Gentoo Linux Operating systems & Components / Operating system |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU15753
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15853
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to endless recursion exists in xkbcomp/expr.c during insufficient validation of user-supplied input. A local attacker can supply a specially crafted keymap file, trigger boolean negation and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Null pointer dereference
EUVDB-ID: #VU15816
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15854
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to unchecked NULL pointer usage condition when the XkbFile is mishandled. A local attacker can submit a specially crafted keymap file that submits malicious input, trigger NULL pointer dereference and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Null pointer dereference
EUVDB-ID: #VU15815
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15855
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to unchecked NULL pointer usage condition when the XkbFile is mishandled. A local attacker can submit a specially crafted keymap file that submits malicious input, trigger NULL pointer dereference and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Infinite loop
EUVDB-ID: #VU15814
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15856
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop condition during insufficient validation of user-supplied input. A local attacker can submit a specially crafted keymap file that submits malicious input, trigger infinite loop and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper input validation
EUVDB-ID: #VU15817
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15857
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an invalid-free error in the ExprAppendMultiKeysymList function, as defined in the xkbcomp/ast-build.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Null pointer dereference
EUVDB-ID: #VU15926
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15858
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the CopyKeyAliasesToKeymap function, as defined in the xkbcomp/keycodes.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input, trigger NULL pointer dereference and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Null pointer dereference
EUVDB-ID: #VU15925
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15859
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the ExprResolveLhs function, as defined in the xkbcomp/expr.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input, trigger NULL pointer dereference and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Null pointer dereference
EUVDB-ID: #VU15927
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15861
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the ExprResolveLhs function, as defined in the xkbcomp/expr.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input, trigger an xkb_intern_atom failure and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Null pointer dereference
EUVDB-ID: #VU15928
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15862
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the LookupModMask function, as defined in the xkbcomp/expr.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input to an affected system with invalid virtual modifiers, trigger NULL pointer dereference and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Null pointer dereference
EUVDB-ID: #VU15929
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15863
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the ResolveStateAndPredicate function, as defined in the xkbcomp/compat.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input to an affected system with a no-op modmaskexpression, trigger NULL pointer dereference and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Null pointer dereference
EUVDB-ID: #VU15930
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-15864
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the resolve_keysym function, as defined in the xkbcomp/parser.y source code file. A local attacker can submit a specially crafted keymap file that submits malicious input to an affected system with a no-op modmaskexpression, trigger NULL pointer dereference and cause the application to crash.
MitigationUpdate the affected packages.
x11-libs/libxkbcommon to version: 0.8.2
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201810-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
