Source: x11-xkb-utils
Version: 7.7+9
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 7.7+7

Hi,

The following vulnerabilities were published for x11-xkb-utils
(specifically in xkbcomp).

CVE-2018-15853[0]:
| Endless recursion exists in xkbcomp/expr.c in xkbcommon and
| libxkbcommon before 0.8.1, which could be used by local attackers to
| crash xkbcommon users by supplying a crafted keymap file that
| triggers boolean negation.

CVE-2018-15859[1]:
| Unchecked NULL pointer usage when parsing invalid atoms in
| ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be
| used by local attackers to crash (NULL pointer dereference) the
| xkbcommon parser by supplying a crafted keymap file, because lookup
| failures are mishandled.

CVE-2018-15861[2]:
| Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in
| xkbcommon before 0.8.2 could be used by local attackers to crash
| (NULL pointer dereference) the xkbcommon parser by supplying a
| crafted keymap file that triggers an xkb_intern_atom failure.

CVE-2018-15863[3]:
| Unchecked NULL pointer usage in ResolveStateAndPredicate in
| xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local
| attackers to crash (NULL pointer dereference) the xkbcommon parser
| by supplying a crafted keymap file with a no-op modmask expression.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15853
    https://www.cve.org/CVERecord?id=CVE-2018-15853
[1] https://security-tracker.debian.org/tracker/CVE-2018-15859
    https://www.cve.org/CVERecord?id=CVE-2018-15859
[2] https://security-tracker.debian.org/tracker/CVE-2018-15861
    https://www.cve.org/CVERecord?id=CVE-2018-15861
[3] https://security-tracker.debian.org/tracker/CVE-2018-15863
    https://www.cve.org/CVERecord?id=CVE-2018-15863
[4] https://www.openwall.com/lists/oss-security/2025/12/03/1

Regards,
Salvatore

