#13871 closed enhancement (fixed)

xorg-server: Fix CVE-2020-14347

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

X.Org security advisory: July 31, 2020

X Server Pixel Data Uninitialized Memory Information Disclosure 
===============================================================

CVE-2020-14347

Allocation for pixmap data in AllocatePixmap() does not initialize the
memory in xserver, it leads to leak uninitialize heap memory to
clients. When the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to lead to privilege elevation in the
client.

Patch
=====

A patch for this issue has been commited to the xorg server git
repository.  xorg-server 1.20.9 will be released shortly and will
include this patch.

https://gitlab.freedesktop.org/xorg/xserver.git

diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
         return NullPixmap;
 
-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
     if (!pPixmap)
         return NullPixmap;
    
Thanks
======

This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.

-- 
Matthieu Herrb

Change History (4)

comment:1 by Douglas R. Reno, 14 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 14 months ago

I think I'm going to fix this with a sed. This has been sitting a while, and there are two weeks worth of MRs backed up for 1.20.9.

This sed made the required code change for me:

sed -i 's/malloc(pScreen/calloc(1, pScreen/' dix/pixmap.c 

comment:3 by Douglas R. Reno, 14 months ago

Summary: xorg-server-1.20.9 (Upcoming) - CVE-2020-14347xorg-server: Fix CVE-2020-14347

comment:4 by Douglas R. Reno, 14 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r23492

Note: See TracTickets for help on using tickets.