Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <c8c9ce86-d45d-51e5-cf4a-b33ad24c88f2@radix.lt>
Date: Tue, 12 Jul 2022 15:58:15 +0300
From: Povilas Kanapickas <povilas@...ix.lt>
To: oss-security@...ts.openwall.com
Subject: Fwd: X.Org Security Advisory: July 12, 2022

-------- Forwarded Message --------
Subject: X.Org Security Advisory: July 12, 2022
Date: Tue, 12 Jul 2022 15:55:05 +0300
From: Povilas Kanapickas <povilas@...ix.lt>
To: xorg-announce@...ts.x.org
CC: xorg-devel@...ts.x.org <xorg-devel@...ts.x.org>, xorg@...ts.x.org

X.Org Security Advisory: July 12, 2022

Multiple input validation failures in X server extensions
=========================================================

All theses issues can lead to local privileges elevation on systems
where the X server is running privileged and remote code execution for
ssh X forwarding sessions.

* CVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds
Access

The handler for the ProcXkbSetGeometry request of the Xkb extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2022-2320/ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo 
Out-Of-Bounds
Access

The handler for the ProcXkbSetDeviceInfo request of the Xkb extension
does not properly validate the request length leading to out of bounds
memory write.

Patches
-------

Patches for this issues have been committed to the xorg server git
repository. xorg-server 21.1.4 will be released shortly and will
include these patches.

commit 6907b6ea2b4ce949cb07271f5b678d5966d9df42

     xkb: add request length validation for XkbSetGeometry
         No validation of the various fields on that report were done, so a
     malicious client could send a short request that claims it had N
     sections, or rows, or keys, and the server would process the request
     for N sections, running out of bounds of the actual request data.
         Fix this by adding size checks to ensure our data is valid.
         Fixes ZDI-CAN 16062, CVE-2022-2319.
         This vulnerability was discovered by:
     Jan-Niklas Sohn working with Trend Micro Zero Day Initiative


commit dd8caf39e9e15d8f302e54045dd08d8ebf1025dc

     xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck
         XKB often uses a FooCheck and Foo function pair, the former is
     supposed to check all values in the request and error out on
     BadLength, BadValue, etc. The latter is then called once we're
     confident the values are good (they may still fail on an individual
     device, but that's a different topic).
         In the case of XkbSetDeviceInfo, those functions were incorrectly
     named, with XkbSetDeviceInfo ending up as the checker function and
     XkbSetDeviceInfoCheck as the setter function. As a result, the setter
     function was called before the checker function, accessing request
     data and modifying device state before we ensured that the data is
     valid.
         In particular, the setter function relied on values being already
     byte-swapped. This in turn could lead to potential OOB memory access.
         Fix this by correctly naming the functions and moving the 
length checks
     over to the checker function. These were added in 87c64fc5b0 to the
     wrong function, probably due to the incorrect naming.
         Fixes ZDI-CAN 16070, CVE-2022-2320.
         This vulnerability was discovered by:
     Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
         Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132

Backporting of the security fixes also needs this commit:
f1070c01d616c5f21f939d5ebc533738779451ac.

Thanks
======

The vulnerabilities have been discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative and fixed by Peter Hutterer.

--
Povilas Kanapickas

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.