Opened 4 years ago

Closed 4 years ago

#13871 closed enhancement (fixed)

xorg-server: Fix CVE-2020-14347

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 10.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:


New point version

X.Org security advisory: July 31, 2020

X Server Pixel Data Uninitialized Memory Information Disclosure 


Allocation for pixmap data in AllocatePixmap() does not initialize the
memory in xserver, which leads to leaking uninitialized heap memory to
clients when the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to privilege elevation in the


A patch for this issue has been committed to the xorg server git
repository.  xorg-server 1.20.9 will be released shortly and will
include this patch.

diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
         return NullPixmap;
-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
     if (!pPixmap)
         return NullPixmap;
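Review bot: the calloc(1, ...) call on the `+` line carries no comment recording that the zero-fill is the fix for the uninitialized-memory disclosure; a one-line comment above it such as `/* zero the pixel data: clients must not see stale heap contents */` would stop a later performance change from quietly restoring malloc(). The guard `if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)` two lines above is unchanged and still bounds the size handed to calloc(), so the fix does not weaken the overflow check.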

This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.

Matthieu Herrb
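Added example (not the X server's code or the patch itself): a C model of the AllocatePixmap() shape with a constructed Screen stand-in for pScreen->totalPixmapSize, the unchanged overflow guard, both the pre-patch malloc() path and the calloc() fix, and a check that counts stale bytes in the pixel-data region a client would receive.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
/* Constructed stand-in for pScreen: a header of totalPixmapSize bytes, pixel data after it. */
typedef struct { size_t totalPixmapSize; } Screen;

/* zero_fill == 0 is the pre-patch malloc() path, 1 the calloc() fix; the overflow
 * guard is the original one (((size_t) - 1) is SIZE_MAX). */
static void *allocate_pixmap(const Screen *pScreen, size_t pixDataSize, int zero_fill)
{
    if (pScreen->totalPixmapSize > SIZE_MAX - pixDataSize)
        return NULL;
    if (zero_fill)
        return calloc(1, pScreen->totalPixmapSize + pixDataSize);
    return malloc(pScreen->totalPixmapSize + pixDataSize);
}

/* Nonzero bytes in the pixel-data region after the header, i.e. stale heap content a client would get. */
static size_t stale_bytes(const Screen *pScreen, const void *pPixmap, size_t pixDataSize)
{
    const unsigned char *data = (const unsigned char *)pPixmap + pScreen->totalPixmapSize;
    size_t n = 0;
    for (size_t i = 0; i < pixDataSize; i++)
        n += data[i] != 0;
    return n;
}

/* Plant a marker in the heap, free it, reallocate as a pixmap; returns stale bytes seen, or -1. */
static long leak_check(int zero_fill)
{
    Screen screen = { 64 };
    size_t pixDataSize = 4096, total = screen.totalPixmapSize + pixDataSize;
    unsigned char *marker = malloc(total);
    if (!marker) return -1;
    memset(marker, 0x41, total);
    free(marker);
    void *pPixmap = allocate_pixmap(&screen, pixDataSize, zero_fill);
    if (!pPixmap) return -1;
    long n = (long)stale_bytes(&screen, pPixmap, pixDataSize);
    free(pPixmap);
    return n;
}

int main(void)
{
    printf("malloc path: %ld stale bytes (allocator dependent)\n", leak_check(0));
    printf("calloc path: %ld stale bytes (always 0)\n", leak_check(1));
    return 0;
}
```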

Change History (4)

comment:1 by Douglas R. Reno, 4 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: changed from new to assigned

comment:2 by Douglas R. Reno, 4 years ago

I think I'm going to fix this with a sed. This has been sitting a while, and there are two weeks' worth of MRs backed up for 1.20.9.

This sed made the required code change for me:

sed -i 's/malloc(pScreen/calloc(1, pScreen/' dix/pixmap.c 

comment:3 by Douglas R. Reno, 4 years ago

Summary: changed from "xorg-server-1.20.9 (Upcoming) - CVE-2020-14347" to "xorg-server: Fix CVE-2020-14347"

comment:4 by Douglas R. Reno, 4 years ago

Resolution: fixed
Status: changed from assigned to closed

Fixed at r23492
