Multiple input validation failures in X server extensions
=========================================================

All of the following issues can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.

* CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds access

  The handler for the CompositeGlyphs request of the Render extension does not properly validate the request length leading to out of bounds memory write.

* CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier out-of-bounds access

  The handler for the CreatePointerBarrier request of the XFixes extension does not properly validate the request length leading to out of bounds memory write.

* CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access

  The handler for the Suspend request of the Screen Saver extension does not properly validate the request length leading to out of bounds memory write.

* CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access

  The handlers for the RecordCreateContext and RecordRegisterClients requests of the Record extension do not properly validate the request length leading to out of bounds memory write.

---

Need to bump to both xorg-server 21.1.2 and xwayland 21.1.4. Hopefully these patches were backported to the older branch too.
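The advisory above describes handlers for byte-swapped clients that write to request fields without first validating the request length. The following C sketch is an added illustration of that check, not X.Org code and not part of the original report; the layout `demo_req` and the functions `demo_sproc`, `demo_unchecked_span` and `demo_run` are hypothetical names, and the sample request is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout (hypothetical, not an X.Org struct): 8-byte fixed
 * header followed by num_ids 16-bit ids. */
typedef struct {
    uint8_t  opcode, minor;
    uint16_t length;    /* request length in 4-byte units */
    uint16_t num_ids;   /* client-controlled element count */
    uint16_t pad;
} demo_req;

enum { DEMO_SUCCESS = 0, DEMO_BAD_LENGTH = 1 };
static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Bytes a swap loop writes if it trusts num_ids without a length check. */
size_t demo_unchecked_span(uint16_t n) { return sizeof(demo_req) + (size_t)n * 2; }

/* Hardened handler for a byte-swapped client; req_bytes is the size of the
 * request actually held in buf. */
int demo_sproc(uint8_t *buf, size_t req_bytes)
{
    demo_req hdr;
    uint16_t id;
    if (req_bytes < sizeof hdr)                        /* fixed part present? */
        return DEMO_BAD_LENGTH;
    memcpy(&hdr, buf, sizeof hdr);
    hdr.num_ids = bswap16(hdr.num_ids);
    if (demo_unchecked_span(hdr.num_ids) > req_bytes)  /* id list fits? */
        return DEMO_BAD_LENGTH;
    memcpy(buf, &hdr, sizeof hdr);
    for (size_t i = 0; i < hdr.num_ids; i++) {         /* bounded in-place swap */
        uint8_t *p = buf + sizeof hdr + i * sizeof id;
        memcpy(&id, p, sizeof id);
        id = bswap16(id);
        memcpy(p, &id, sizeof id);
    }
    return DEMO_SUCCESS;
}

/* Constructed sample: 12 bytes received, header claims `claimed` ids. */
int demo_run(uint16_t claimed)
{
    uint8_t buf[12] = {0};
    demo_req hdr = { 1, 0, bswap16(3), bswap16(claimed), 0 };
    memcpy(buf, &hdr, sizeof hdr);
    return demo_sproc(buf, sizeof buf);
}
```

Both checks run before any field is modified: a request shorter than the fixed header, or one whose claimed element count extends past the received bytes, is rejected with a length error instead of being swapped.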
xorg-server-1.20.14 is released with these fixes.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82d3645f42413443ed0b010f2927924030a9c3dd

commit 82d3645f42413443ed0b010f2927924030a9c3dd
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-15 23:27:08 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-16 02:37:23 +0000

    x11-base/xorg-server: Version bump to 21.1.2

    Bug: https://bugs.gentoo.org/829208
    Closes: https://bugs.gentoo.org/827877
    Closes: https://bugs.gentoo.org/828513
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest | 1 +
 x11-base/xorg-server/xorg-server-21.1.2.ebuild | 179 +++++++++++++++++++++++++
 2 files changed, 180 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25f28d4c27bb6d0c290e8280758a0b679fafcfcc

commit 25f28d4c27bb6d0c290e8280758a0b679fafcfcc
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-15 23:26:01 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-16 02:37:23 +0000

    x11-base/xorg-server: Version bump to 1.20.14

    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest | 1 +
 x11-base/xorg-server/xorg-server-1.20.14.ebuild | 209 ++++++++++++++++++++++++
 2 files changed, 210 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf8a9fa537bce705741480e842b6e5cbf1f5b079

commit cf8a9fa537bce705741480e842b6e5cbf1f5b079
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-16 02:45:53 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-16 02:49:10 +0000

    x11-base/xwayland: Version bump to 21.1.4

    Also remove IUSE=rpc (see commit 72c14cae8f9e for rationale).

    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest | 1 +
 x11-base/xwayland/xwayland-21.1.4.ebuild | 86 ++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Thanks Matt!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea77f4cec864578517b1e11bb325265564db46e4

commit ea77f4cec864578517b1e11bb325265564db46e4
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-12-16 03:47:16 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-16 03:49:42 +0000

    x11-base/xwayland: fix rpc option

    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Sam James <sam@gentoo.org>

 x11-base/xwayland/xwayland-21.1.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ed84dffb69131b1b84e1717e2b3bb276c2eb164

commit 4ed84dffb69131b1b84e1717e2b3bb276c2eb164
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-21 04:57:13 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-21 04:57:42 +0000

    x11-base/xwayland: Drop old versions

    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest | 2 -
 x11-base/xwayland/metadata.xml | 1 -
 x11-base/xwayland/xwayland-21.1.2-r2.ebuild | 87 -----------------------------
 x11-base/xwayland/xwayland-21.1.3.ebuild | 87 -----------------------------
 4 files changed, 177 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb2be09ec249f29c044e37765b515e14a95e8266

commit eb2be09ec249f29c044e37765b515e14a95e8266
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-21 04:56:14 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-21 04:56:48 +0000

    x11-base/xorg-server: Drop old versions

    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest | 2 -
 x11-base/xorg-server/xorg-server-1.20.13-r1.ebuild | 219 ---------------------
 x11-base/xorg-server/xorg-server-21.1.1-r2.ebuild | 180 -----------------
 x11-base/xorg-server/xorg-server-21.1.2-r2.ebuild | 184 -----------------
 4 files changed, 585 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f91a69c129c65b48c349fa74cf96eb46e176c139

commit f91a69c129c65b48c349fa74cf96eb46e176c139
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 02:54:51 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 02:56:36 +0000

    [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/829208
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Bug: https://bugs.gentoo.org/893438
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-30.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
GLSA released, all done!