Opened 3 years ago
Closed 3 years ago
#15858 closed enhancement (fixed)
XWayland-21.1.4
Reported by: | Douglas R. Reno | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | elevated | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New security release:
Please be aware that xorg-server-21.1.2 is on its way to fix the X11 side of things as well.
X.Org Security Advisory: December 14, 2021

Multiple input validation failures in X server extensions
=========================================================

All of the following issues can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.

* CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds access

  The handler for the CompositeGlyphs request of the Render extension does not properly validate the request length leading to out of bounds memory write.

* CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier out-of-bounds access

  The handler for the CreatePointerBarrier request of the XFixes extension does not properly validate the request length leading to out of bounds memory write.

* CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access

  The handler for the Suspend request of the Screen Saver extension does not properly validate the request length leading to out of bounds memory write.

* CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access

  The handlers for the RecordCreateContext and RecordRegisterClients requests of the Record extension do not properly validate the request length leading to out of bounds memory write.

Patches
-------

Patches for these issues have been committed to the xorg server git repository (https://gitlab.freedesktop.org/xorg/xserver). xorg-server 21.1.2 will be released shortly and will include these patches.

commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60
render: Fix out of bounds access in SProcRenderCompositeGlyphs()
ZDI-CAN-14192, CVE-2021-4008
This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit b5196750099ae6ae582e1f46bd0a6dad29550e02
xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()
ZDI-CAN-14950, CVE-2021-4009
This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21
Xext: Fix out of bounds access in SProcScreenSaverSuspend()
ZDI-CAN-14951, CVE-2021-4010
This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit e56f61c79fc3cee26d83cda0f84ae56d5979f768
record: Fix out of bounds access in SwapCreateRegister()
ZDI-CAN-14952, CVE-2021-4011
This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Thanks
======

This vulnerability was discovered by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
Note that there are also additional release notes for XWayland-21.1.4.
Impacts: Local Privilege Escalation (Local clients), Remote Code Execution (SSH Forwarding Users).
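The bug class the advisory describes (a byte-swapping request handler that does not validate the request length before writing) can be shown with a simplified model. This is an added example, not code from the X server or from this ticket; the request layout, constants and function names are all hypothetical, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire layout: 4-byte header plus one 32-bit field. */
enum { HDR_SIZE = 4, REQ_SIZE = 8 };
enum { MODEL_OK = 0, MODEL_BAD_LENGTH = 1 };

/* Reverse the four bytes at p in place, as a swapped handler does. */
static void swap32_at(uint8_t *p)
{
    uint8_t t;
    t = p[0]; p[0] = p[3]; p[3] = t;
    t = p[1]; p[1] = p[2]; p[2] = t;
}

/* Unchecked: assumes the client sent all REQ_SIZE bytes. */
int sproc_unchecked(uint8_t *req, size_t received)
{
    (void)received;
    swap32_at(req + HDR_SIZE);   /* past the request if received < REQ_SIZE */
    return MODEL_OK;
}

/* Checked: validate the received size before touching any field. */
int sproc_checked(uint8_t *req, size_t received)
{
    if (received != REQ_SIZE)
        return MODEL_BAD_LENGTH;
    swap32_at(req + HDR_SIZE);
    return MODEL_OK;
}

/* Constructed input: a header-only request followed by 4 unrelated bytes.
 * Returns 1 if the handler altered the unrelated bytes. */
int neighbour_modified(int (*handler)(uint8_t *, size_t))
{
    uint8_t arena[8] = { 1, 0, 1, 0, 0xAA, 0xBB, 0xCC, 0xDD };
    const uint8_t expect[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
    handler(arena, HDR_SIZE);    /* client sent only the header */
    return memcmp(arena + HDR_SIZE, expect, sizeof expect) != 0;
}

int main(void)
{
    printf("unchecked modified neighbour: %d\n", neighbour_modified(sproc_unchecked));
    printf("checked modified neighbour:   %d\n", neighbour_modified(sproc_checked));
    return 0;
}
```

The unrelated bytes sit in the same array as the request so the unchecked write stays inside allocated storage while still showing which memory it reaches.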
Change History (2)
comment:1 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at commit e9641507e7db2cb6a7e81c6a2c4df27ad4896a77