Bug 942465 (CVE-2024-9632) - <x11-base/xwayland-24.1.4, <x11-base/xorg-server-21.1.14: Heap-based buffer overflow privilege escalation in _XkbSetCompatMap
Status: CONFIRMED
Alias: CVE-2024-9632
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://lists.x.org/archives/xorg-ann...
Whiteboard: B1 [stable glsa]
Keywords:
Depends on: 942571 942570
Blocks:
Reported: 2024-10-29 17:55 UTC by Christopher Fore
Modified: 2024-11-11 09:19 UTC

Description Christopher Fore 2024-10-29 17:55:07 UTC
CVE-2024-9632:

The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer.

However, it didn't update its size properly. It updated `num_si` only, without updating `size_si`.

This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. X11 over SSH).



The above is fixed in:
x11-base/xwayland: 24.1.4
x11-base/xorg-server: 21.1.14
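
The following is an added illustration of the bookkeeping error described in the report above; it is not code from the report or from the X.Org sources. `CompatMap`, `SymInterpret`, `real_alloc`, `resize_si`, the consumer check and the 8-then-2 resize scenario are constructed assumptions; only the field names `sym_interpret`, `num_si` and `size_si` come from the report.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified stand-in for the fields named in the report;
   not the X server's real structure. */
typedef struct { unsigned char bytes[8]; } SymInterpret;
typedef struct {
    SymInterpret *sym_interpret;
    size_t num_si;      /* entries in use */
    size_t size_si;     /* entries the code believes are allocated */
    size_t real_alloc;  /* demo-only shadow of the true allocation */
} CompatMap;

/* Resize the buffer. sync_size=0 reproduces the reported pattern
   (num_si updated, size_si left stale); sync_size=1 keeps both in step. */
static int resize_si(CompatMap *c, size_t want, int sync_size) {
    if (want == 0) return -1;
    SymInterpret *p = realloc(c->sym_interpret, want * sizeof *p);
    if (p == NULL) return -1;
    c->sym_interpret = p;
    c->real_alloc = want;
    c->num_si = want;
    if (sync_size) c->size_si = want;
    return 0;
}

/* Invariant that every later capacity check silently depends on. */
static int invariant_ok(const CompatMap *c) {
    return c->num_si <= c->size_si && c->size_si <= c->real_alloc;
}

/* Hypothetical consumer that appends in place when num_si < size_si.
   Returns 1 if that write would fall outside the real allocation. */
static int append_out_of_bounds(const CompatMap *c) {
    return c->num_si < c->size_si && c->num_si >= c->real_alloc;
}

/* Allocate 8 entries (synced), then resize to 2 with or without the sync.
   Returns 1 if the bookkeeping is still trustworthy, 0 if not, -1 on error. */
static int scenario_is_safe(int sync_size) {
    CompatMap c = {0};
    int ok = resize_si(&c, 8, 1) == 0 && resize_si(&c, 2, sync_size) == 0;
    int safe = ok ? (invariant_ok(&c) && !append_out_of_bounds(&c)) : -1;
    free(c.sym_interpret);
    return safe;
}

int main(void) {
    printf("stale size_si:  safe=%d\n", scenario_is_safe(0));
    printf("synced size_si: safe=%d\n", scenario_is_safe(1));
    return 0;
}
```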
Comment 1 Larry the Git Cow gentoo-dev 2024-10-30 01:48:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72261e947621455a03db89d1aa060be54db21227

commit 72261e947621455a03db89d1aa060be54db21227
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2024-10-30 01:42:46 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2024-10-30 01:45:27 +0000

    x11-base/xorg-server: Version bump to 21.1.14
    
    Bug: https://bugs.gentoo.org/942465
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                   |   1 +
 x11-base/xorg-server/xorg-server-21.1.14.ebuild | 195 ++++++++++++++++++++++++
 2 files changed, 196 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd8904d352fb971fc3d1c9fb78e2b54f0c572c82

commit bd8904d352fb971fc3d1c9fb78e2b54f0c572c82
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2024-10-30 01:40:43 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2024-10-30 01:40:51 +0000

    x11-base/xwayland: Version bump to 24.1.4
    
    Bug: https://bugs.gentoo.org/942465
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   1 +
 x11-base/xwayland/xwayland-24.1.4.ebuild | 133 +++++++++++++++++++++++++++++++
 2 files changed, 134 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-11-06 01:22:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d79b2d4b8afe72c02518708d428ec96fe80b3dd1

commit d79b2d4b8afe72c02518708d428ec96fe80b3dd1
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2024-11-06 01:18:05 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2024-11-06 01:21:39 +0000

    x11-base/xorg-server: Drop old versions
    
    Bug: https://bugs.gentoo.org/942465
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                      |   1 -
 .../files/xorg-server-21.1.10-fix-c99-32bit.patch  |  54 ------
 x11-base/xorg-server/xorg-server-21.1.13-r1.ebuild | 197 ---------------------
 3 files changed, 252 deletions(-)