Opened 5 months ago

Closed 5 months ago

#20592 closed enhancement (fixed)

xorg-server-21.1.14

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Douglas R. Reno, 5 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 5 months ago

Priority: normal → elevated

comment:3 by Douglas R. Reno, 5 months ago

Release notes:

This release contains the fix for the issue reported in today's security
advisory: https://lists.x.org/archives/xorg-announce/2024-October/003545.html

 * CVE-2024-9632

Additionally, it also contains several other fixes for glamor, Xnest,
compilation warnings with newer compilers, FreeBSD issues and more.

Alan Coopersmith (11):
      dix: check for calloc() failure in Xi event conversion routines
      dix: PolyText: fully initialize local_closure
      dix: SetFontPath: don't set errorValue on Success
      dix: enterleave.c: fix implicit fallthrough warnings
      dix: CreateScratchGC: avoid dereference of pointer we just set to NULL
      dix: InitPredictableAccelerationScheme: avoid memory leak on failure
      dix: dixChangeWindowProperty: don't call memcpy if malloc failed
      dix: ProcListProperties: skip unneeded work if numProps is 0
      dix: HashResourceID: use unsigned integers for bit shifting
      dix: GetPairedDevice: check if GetMaster returned NULL
      dix: FindBestPixel: fix implicit fallthrough warning

Alexey (1):
      Fixed mirrored glyphs on big-endian machines

Enrico Weigelt, metux IT consult (2):
      Xnest: cursor: fix potentially uninitialized memory
      Xnest: fix broken exposure events

José Expósito (2):
      ephyr: Fix incompatible pointer type build error
      xserver 21.1.14

Konstantin (1):
      glamor: make use of GL_EXT_texture_format_BGRA8888

Matthieu Herrb (4):
      Don't crash if the client argv or argv[0] is NULL.
      Return NULL in *cmdname if the client argv or argv[0] is NULL
      Fix a double-free on syntax error without a new line.
      xkb: Fix buffer overflow in _XkbSetCompatMap()

Olivier Fourdan (1):
      build: Drop libxcvt requirement from SDK_REQUIRED_MODULES

Peter Hutterer (1):
      dix: fix valuator copy/paste error in the DeviceStateNotify event

git tag: xorg-server-21.1.14

Security Advisory

X.Org Security Advisory: October 29, 2024

Issues in X.Org X server prior to 21.1.14 and Xwayland prior to 24.1.4
========================================================================

An issue has been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes in
xorg-server-21.1.14 and xwayland-24.1.4.

1) CVE-2024-9632 can be triggered by providing a modified bitmap to the
X.Org server.

------------------------------------------------------------------------

1) CVE-2024-9632: Heap-based buffer overflow privilege escalation in
_XkbSetCompatMap

Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.14 and xwayland-24.1.4
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/85b776571487f52e756f68a069c768757369bfe3
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.

However, it didn't update its size properly. It updated `num_si` only,
without updating `size_si`.

This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).

xorg-server-21.1.14 and xwayland-24.1.4 have been patched to fix this issue.

Note that this allows for remote code execution if you are using SSH X Forwarding.
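
The count/capacity mismatch the advisory describes, shown as an added example that is neither X.Org code nor part of this ticket. It is a simplified model: only the field names `sym_interpret`, `num_si` and `size_si` come from the advisory, while the struct layout, element type and helper functions are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not X server code. Only the names sym_interpret,
 * num_si and size_si come from the advisory; the rest is assumed. */
typedef struct { unsigned char data[16]; } Interp; /* placeholder element */
typedef struct {
    Interp *sym_interpret;  /* heap buffer */
    unsigned num_si;        /* entries in use */
    unsigned size_si;       /* entries allocated */
} CompatModel;

/* Grow the buffer to `want` entries. sync_size == 0 reproduces the flaw the
 * advisory describes (num_si updated, size_si left stale); 1 keeps both in step. */
static int resize_si(CompatModel *c, unsigned want, int sync_size)
{
    if (want <= c->num_si) return 0;            /* nothing to grow */
    Interp *p = realloc(c->sym_interpret, want * sizeof *p);
    if (p == NULL) return -1;                   /* old buffer still valid */
    memset(p + c->num_si, 0, (want - c->num_si) * sizeof *p);
    c->sym_interpret = p;
    c->num_si = want;
    if (sync_size) c->size_si = want;
    return 0;
}

/* Invariant that code reading the map depends on: count within capacity. */
static int compat_consistent(const CompatModel *c)
{
    return c->num_si <= c->size_si &&
           (c->size_si == 0 || c->sym_interpret != NULL);
}

/* Run one resize on a fresh 4-entry map; return 1 if the invariant holds. */
static int invariant_after_resize(unsigned want, int sync_size)
{
    CompatModel c = { calloc(4, sizeof(Interp)), 4, 4 };
    int ok = c.sym_interpret && resize_si(&c, want, sync_size) == 0
             && compat_consistent(&c);
    free(c.sym_interpret);
    return ok;
}

int main(void)
{
    printf("stale size_si: %d, synced size_si: %d\n",
           invariant_after_resize(12, 0), invariant_after_resize(12, 1));
    return 0;
}
```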

comment:4 by Douglas R. Reno, 5 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 3fabec942c5400bef8365e702dd02ab2594fdc0b

SA-12.2-029 issued
