Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2ce44453-1d45-4c1a-a2a8-daf7f9d246bc@oracle.com>
Date: Fri, 12 Apr 2024 10:43:24 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd: X.Org Security Advisory: Issues in X.Org X server prior to
 21.1.12 and Xwayland prior to 23.2.5

-------- Forwarded Message --------
Subject: Re: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5
Date: Fri, 12 Apr 2024 10:41:28 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: xorg-announce@...ts.x.org
CC: xorg@...ts.x.org <xorg@...ts.x.org>

The fix we provided for CVE-2024-31083 introduced a double-free in some
circumstances, which led to X server crashes.

This has been fixed now in xorg-server-21.1.13 and xwayland-23.2.6.

For those applying patches instead of upgrades, see
https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc0168a7b978be4c3447650b04

          -Alan Coopersmith-              alan.coopersmith@...cle.com
            X.Org Security Response Team - xorg-security@...ts.x.org

On 4/3/24 11:43, Alan Coopersmith wrote:
> X.Org Security Advisory: April 3, 2024
> 
> Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5
> ======================================================================
> 
> Multiple issues have been found in the X server and Xwayland implementations
> published by X.Org for which we are releasing security fixes for in
> xorg-server-21.1.12 and xwayland-23.2.5.
> 
> The first 3 can be triggered by a client using a different endianness from
> the X server and making particular requests.   The X server replies will use
> the byte-swapped length of the return data, causing the X server to read
> memory values from the heap and write it back to the client, until it
> finally hits an unmapped page and segfaults.  The client cannot control
> what portion of the server's heap memory the X server copies into its replies,
> but as the length values are typically small numbers stored into a 32-bit
> integer, the size attempted for the out-of-bounds read may be large.
> 
> Xwayland versions 23.1 and later disable support for byte-swapping by default,
> and are thus protected from these issues unless the Xwayland server is started
> with the +byteswappedclients option on the command line. X.Org plans to include
> this change in the next release branch of the other X.Org X servers.
> 
> The new xorg-server-21.1.12 release adds the ability to disable byte-swapped
> clients as well, though it retains the current default of leaving them enabled.
> For all of the provided X servers in this release, the command-line option
> -byteswappedclients may be used to disable byte-swapping support for X clients
> with a different endianness than the X server.
> Support for such clients may also be disabled for the Xorg server by
> providing a file in /etc/X11/xorg.conf.d/ containing the contents:
> 
> Section "ServerFlags"
>      Option "AllowByteSwappedClients" "False"
> EndSection
> 
> ------------------------------------------------------------------------
> 
> 1) CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
> 
> Introduced in: xorg-server-1.7.0 (2009)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0
> Found by: Alan Coopersmith of Oracle Solaris, while investigating
>        https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
> 
> The ProcXIGetSelectedEvents() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server.
> 
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
> 
> 
> 2) CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
> 
> Introduced in: xorg-server-1.7.0 (2009)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645d
> Found by: Alan Coopersmith of Oracle Solaris
> 
> The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server.
> 
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
> 
> 
> 3) CVE-2024-31082: Heap buffer overread/data leakage in ProcAppleDRICreatePixmap
> 
> Introduced in: xorg-server-1.12.0 (2012)
> Fixed in: xorg-server-21.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f
> Found by: Alan Coopersmith of Oracle Solaris
> 
> The ProcAppleDRICreatePixmap() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server.  This function is only found
> in the Xquartz server for MacOS systems, and not in Xwayland, Xorg, or any
> other X servers.
> 
> xorg-server-21.1.12 has been patched to fix this issue.
> 
> 4) CVE-2024-31083: User-after-free in ProcRenderAddGlyphs
> 
> Introduced in: prior to X11R6.7 (2004)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb3160
> Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> 
> The ProcRenderAddGlyphs() function calls the AllocateGlyph() function
> to store new glyphs sent by the client to the X server.  AllocateGlyph()
> would return a new glyph with refcount=0 and a re-used glyph would end up
> not changing the refcount at all. The resulting glyph_new array would thus
> have multiple entries pointing to the same non-refcounted glyphs.
> 
> ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when
> the same glyph pointer is then later used.
> 
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
> 
> ------------------------------------------------------------------------
> 
> X.Org thanks all of those who reported and fixed these issues, and those
> who helped with the review and release of this advisory and these fixes.
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.