Opened 5 years ago
Closed 5 years ago
#13968 closed enhancement (fixed)
xorg-server-1.20.9 (CVE-2020-14345 CVE-2020-14346 CVE-2020-14361 CVE-2020-1436)
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 10.1 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
New security release of xorg-server. Seems to be due to multiple input validation failures in X server extensions. These issues lead to local privilege escalation on systems where the X server is running privileged.
Multiple input validation failures in X server extensions
=========================================================

All these issues can lead to local privilege elevation on systems where the X server is running privileged.

* CVE-2020-14345 / ZDI CAN 11428 XkbSetNames Out-Of-Bounds Access

  The handler for the XkbSetNames request does not validate the request length before accessing its contents.

* CVE-2020-14346 / ZDI CAN 11429 XIChangeHierarchy Integer Underflow

  An integer underflow exists in the handler for the XIChangeHierarchy request.

* CVE-2020-14361 / ZDI CAN 11573 XkbSelectEvents Integer Underflow

  An integer underflow exists in the handler for the XkbSelectEvents request.

* CVE-2020-1436 / ZDI CAN 11574 XRecordRegisterClients Integer Underflow

  An integer underflow exists in the handler for the CreateRegister request of the X record extension.

Patches
-------

Patches for these issues have been committed to the xorg server git repository. xorg-server 1.20.9 will be released shortly and will include these patches.

https://gitlab.freedesktop.org/xorg/xserver.git

commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1

    Correct bounds checking in XkbSetNames()
    CVE-2020-14345 / ZDI 11428

commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e

    Fix XIChangeHierarchy() integer underflow
    CVE-2020-14346 / ZDI-CAN-11429

commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8

    Fix XkbSelectEvents() integer underflow
    CVE-2020-14361 ZDI-CAN 11573

commit 24acad216aa0fc2ac451c67b2b86db057a032050

    Fix XRecordRegisterClients() Integer underflow
    CVE-2020-14362 ZDI-CAN-11574

Thanks
======

These vulnerabilities have been discovered by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.

--
Matthieu Herrb
And now the release notes:
Aaron Ma (1):
      xfree86: add drm modes on non-GTF panels

Adam Jackson (2):
      linux: Make platform device probe less fragile
      linux: Fix platform device PCI detection for complex bus topologies

Alan Coopersmith (2):
      Update URL's in man pages
      doc: Update URLs in Xserver-DTrace.xml

Alex Goins (1):
      randr: Check rrPrivKey in RRHasScanoutPixmap()

Hans de Goede (1):
      modesetting: Disable pageflipping when using a swcursor

Huacai Chen (1):
      linux: Fix platform device probe for DT-based PCI

Jose Maria Casanova Crespo (1):
      modesetting: Fix front_bo leak at drmmode_xf86crtc_resize on XRandR rotation

Lyude Paul (1):
      xwayland: Store xwl_tablet_pad in its own private key

Martin Weber (1):
      hw/xfree86: Avoid cursor use after free

Matt Turner (1):
      xserver 1.20.9

Matthieu Herrb (5):
      fix for ZDI-11426
      Correct bounds checking in XkbSetNames()
      Fix XIChangeHierarchy() integer underflow
      Fix XkbSelectEvents() integer underflow
      Fix XRecordRegisterClients() Integer underflow

Michel Dänzer (7):
      present/wnmd: Keep pixmap pointer in present_wnmd_clear_window_flip
      present/wnmd: Free flip_queue entries in present_wnmd_clear_window_flip
      xwayland: Always use xwl_present_free_event for freeing Present events
      xwayland: Free all remaining events in xwl_present_cleanup
      xwayland: Hold a pixmap reference in struct xwl_present_event
      xwayland: Propagate damage x1/y1 coordinates in xwl_present_flip
      xwayland: Handle NULL xwl_seat in xwl_seat_can_emulate_pointer_warp

Olivier Fourdan (4):
      xwayland: Fix infinite loop at startup
      xwayland: Clear private on device removal
      xwayland: Disable the MIT-SCREEN-SAVER extension when rootless
      xwayland: Use a fixed DPI value for core protocol

Roman Gilg (1):
      present: Check valid region in window mode flips

Samuel Thibault (1):
      dix: do not send focus event when grab actually does not change

Simon Ser (2):
      xwayland: import DMA-BUFs with GBM_BO_USE_RENDERING only
      xwayland: only use linux-dmabuf if format/modifier was advertised

SimonP (1):
      xwayland: Initialise values in xwlVidModeGetGamma()

Sjoerd Simons (1):
      xwayland: Fix crashes when there is no pointer

git tag: xorg-server-1.20.9
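The advisory above names two bug classes: a request length that is not validated before use, and an integer underflow in length arithmetic. This added example illustrates both; it is not code from xorg-server or from this ticket. The wire format, the functions `remaining_unchecked` and `walk_records_checked`, and the sample requests are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format (not an X11 structure), little-endian:
 * header {u16 length in 4-byte words, u16 num_records}, then records
 * that each begin with {u16 type, u16 record length in bytes}. */
#define HDR_SIZE 4u
#define REC_MIN  4u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Unchecked arithmetic only (no memory access): the byte count a handler
 * would believe is left if it subtracted the header size unvalidated. */
size_t remaining_unchecked(uint16_t words) { return (size_t)words * 4 - HDR_SIZE; }

/* Validated walk: returns the record count, or -1 for a malformed request. */
int walk_records_checked(const uint8_t *buf, size_t buf_len)
{
    size_t claimed, remaining, off = HDR_SIZE;
    uint16_t num, i;
    if (buf_len < HDR_SIZE) return -1;
    claimed = (size_t)rd16(buf) * 4;
    num = rd16(buf + 2);
    /* Compare before subtracting, and never trust more than was received. */
    if (claimed < HDR_SIZE || claimed > buf_len) return -1;
    remaining = claimed - HDR_SIZE;
    for (i = 0; i < num; i++) {
        size_t rec_len;
        if (remaining < REC_MIN) return -1;      /* record header must fit */
        rec_len = rd16(buf + off + 2);
        if (rec_len < REC_MIN || rec_len > remaining) return -1;
        off += rec_len;
        remaining -= rec_len;                    /* cannot wrap: rec_len <= remaining */
    }
    return remaining == 0 ? (int)num : -1;       /* reject trailing bytes */
}

/* Constructed sample requests. */
const uint8_t REQ_OK[]       = {3,0, 2,0,  1,0, 4,0,  2,0, 4,0};
const uint8_t REQ_ZERO_LEN[] = {0,0, 1,0,  1,0, 4,0};  /* length field claims 0 words */
const uint8_t REQ_OVERRUN[]  = {2,0, 1,0,  1,0, 12,0}; /* record longer than request */

int main(void)
{
    printf("unchecked remaining for length 0: %zu\n", remaining_unchecked(0));
    printf("ok=%d zero_len=%d\n", walk_records_checked(REQ_OK, sizeof REQ_OK),
           walk_records_checked(REQ_ZERO_LEN, sizeof REQ_ZERO_LEN));
    return 0;
}
```

With a length field of 0 the unchecked subtraction wraps to a value near `SIZE_MAX`, so every later `rec_len > remaining` style test passes; the checked walk rejects the same request before any record is read.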
Change History (4)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
Summary: | xorg-server-1.20.9 (CVE-2020-14345 CVE-2020-14346 CVE-2020-14361 CVE-2020-2020-1436) → xorg-server-1.20.9 (CVE-2020-14345 CVE-2020-14346 CVE-2020-14361 CVE-2020-1436) |
---|
comment:3 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
The sed for the security fix right now can be dropped during this upgrade.