
CVE-2020-14344: X.Org security advisory: July 31, 2020: libX11

An integer overflow leading to a heap-buffer overflow was found in the X Input Method (XIM) client implementation in libX11 before version 1.6.10. As per upstream, this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.


Matthieu Herrb matthieu at herrb.eu
Fri Jul 31 13:37:55 UTC 2020


X.Org security advisory: July 31, 2020

Heap corruption in the X input method client in libX11

CVE-2020-14344

The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.

Patches

Patches for these issues have been committed to the libX11 git repository. libX11 1.6.10 will be released shortly and will include those patches.

https://gitlab.freedesktop.org/xorg/lib/libx11

commit 1703b9f3435079d3c6021e1ee2ec34fd4978103d (HEAD -> master)

Change the data_len parameter of _XimAttributeToValue() to CARD16

It's coming from a length in the protocol (unsigned) and passed
to functions that expect unsigned int parameters (_XCopyToArg()
and memcpy()).

commit 1a566c9e00e5f35c1f9e7f3d741a02e5170852b2

Zero out buffers in functions

It looks like uninitialized stack or heap memory can leak
out via padding bytes.

commit 2fcfcc49f3b1be854bb9085993a01d17c62acf60

Fix more unchecked lengths

commit 388b303c62aa35a245f1704211a023440ad2c488

fix integer overflows in _XimAttributeToValue()

commit 0e6561efcfaa0ae7b5c74eac7e064b76d687544e

Fix signed length values in _XimGetAttributeID()

The lengths are unsigned according to the specification. Passing
negative values can lead to data corruption.

Thanks

X.Org thanks Todd Carson for reporting these issues to our security team and assisting them in understanding them and providing fixes.

– Matthieu Herrb


More information about the xorg-announce mailing list
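
The signed-versus-unsigned length problem named in the commit messages of the advisory, shown as an added C example that is not taken from libX11 or from the advisory itself. The function names, the 2-byte little-endian length layout and the sample messages are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample messages (not real XIM traffic): a 2-byte little-endian
 * length, then the value. 0xFFFC is 65532 unsigned but -4 as signed 16-bit. */
static const uint8_t sample_bad[] = { 0xFC, 0xFF, 'A', 'B', 'C', 'D' };
static const uint8_t sample_ok[]  = { 0x04, 0x00, 'A', 'B', 'C', 'D' };

/* Flawed pattern (hypothetical helper): the wire length is held in a signed
 * 16-bit type. Returns the size that would reach memcpy(), 0 if rejected.
 * Nothing is copied here, so the demonstration itself stays memory-safe. */
size_t flawed_copy_len(const uint8_t *msg, size_t dst_size)
{
    int16_t len = (int16_t)(msg[0] | (msg[1] << 8));
    if (len > (int)dst_size)      /* a negative len passes this check */
        return 0;
    return (size_t)len;           /* -4 converts to SIZE_MAX - 3 */
}

/* Hardened pattern (hypothetical helper): unsigned 16-bit length, the role
 * CARD16 plays in X headers, checked against the bytes received and the
 * destination size before copying. Returns 0 on success, -1 on rejection. */
int checked_copy(const uint8_t *msg, size_t msg_size,
                 uint8_t *dst, size_t dst_size, size_t *copied)
{
    if (msg_size < 2)
        return -1;
    uint16_t len = (uint16_t)(msg[0] | (msg[1] << 8));
    if (len > msg_size - 2 || len > dst_size)
        return -1;
    memset(dst, 0, dst_size);     /* no stale bytes left in the unused tail */
    memcpy(dst, msg + 2, len);
    *copied = len;
    return 0;
}

int main(void)
{
    uint8_t dst[16];
    size_t n = 0;
    printf("flawed, bad length: %zu bytes requested\n",
           flawed_copy_len(sample_bad, sizeof dst));
    printf("checked, bad length: %d\n",
           checked_copy(sample_bad, sizeof sample_bad, dst, sizeof dst, &n));
    return 0;
}
```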
