
Bug 790824 (CVE-2021-31535)

Summary: <x11-libs/libX11-1.7.1: missing request length checks (CVE-2021-31535)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: atoth, x11
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa+ cve]
Package list: x11-libs/libX11-1.7.1 x11-misc/compose-tables-1.7.1
Runtime testing required: ---

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 15:10:41 UTC
Missing request length checks in libX11
=======================================

CVE-2021-31535

XLookupColor() and other X library functions lack proper validation
of the length of their string parameters. If those parameters can be
controlled by an external application (for instance a color name that
can be emitted via a terminal control sequence) it can lead to the
emission of extra X protocol requests to the X server.

Patch
-----

A patch for XLookupColor() and other potentially vulnerable functions
has been committed to libX11. libX11 1.7.1 will be released shortly
and contains a fix for this issue.

https://gitlab.freedesktop.org/xorg/lib/libx11

commit: 8d2e02ae650f00c4a53deb625211a0527126c605

   Reject string longer than USHRT_MAX before sending them on the wire

XTerm version 367 contains extra validation for the length of color
names passed to XLookupColor() from terminal control sequences.  XTerm
version 366 and earlier are vulnerable.

Tests conducted by Roman Fiedler on other terminal emulator
applications have not found other cases of passing un-checked color
names to XLookupColor().

Thanks
======

This vulnerability has been discovered by Roman Fiedler from
Unparalleled IT Services e.U.
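
The length problem described in the advisory above, as an added example that is not part of the bug report and is not libX11's code. It assumes the name length travels in a 16-bit header field, which is what the USHRT_MAX bound in the fix's commit title implies; the struct layout, function names and sample name are hypothetical and constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEMO 70000  /* size of the constructed demo buffers */

/* Simplified request header with a 16-bit name length (hypothetical layout). */
struct name_req { uint8_t opcode, pad; uint16_t nbytes; };

/* Unchecked: len is truncated to 16 bits in the header, yet all len bytes
 * are still queued after it. Returns the number of bytes queued. */
size_t emit_unchecked(uint8_t *out, const char *name, size_t len)
{
    struct name_req h = { 1, 0, (uint16_t)len };
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, name, len);
    return sizeof h + len;
}

/* Checked: reject names that do not fit the 16-bit field (returns 0). */
size_t emit_checked(uint8_t *out, const char *name, size_t len)
{
    return len > USHRT_MAX ? 0 : emit_unchecked(out, name, len);
}

/* Emit a constructed name of len bytes and return how many queued bytes the
 * header does not account for; SIZE_MAX means rejected or too big for demo. */
size_t undeclared_bytes(size_t len, int checked)
{
    static char name[MAX_DEMO];
    static uint8_t out[sizeof(struct name_req) + MAX_DEMO];
    struct name_req h;
    if (len > MAX_DEMO) return SIZE_MAX;
    memset(name, 'a', len);
    size_t w = checked ? emit_checked(out, name, len) : emit_unchecked(out, name, len);
    if (w == 0) return SIZE_MAX;
    memcpy(&h, out, sizeof h);
    return w - sizeof h - h.nbytes;
}

int main(void)
{
    size_t big = (size_t)USHRT_MAX + 1 + 16;   /* constructed oversized length */
    printf("unchecked, len=%zu: %zu bytes beyond declared length\n", big, undeclared_bytes(big, 0));
    printf("checked,   len=%zu: %s\n", big, undeclared_bytes(big, 1) == SIZE_MAX ? "rejected" : "sent");
    return 0;
}
```

Any bytes the header does not declare are what a receiver would go on to parse as further requests, which is why the fix rejects the string before anything is queued.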
Comment 2 Larry the Git Cow gentoo-dev 2021-05-18 16:48:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c67547773c3ff747213bf9c464273f1030ed27a8

commit c67547773c3ff747213bf9c464273f1030ed27a8
Author:     Piotr Karbowski <slashbeast@gentoo.org>
AuthorDate: 2021-05-18 16:47:15 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2021-05-18 16:47:15 +0000

    x11-libs/libX11: 1.7.1 version bump.
    
    Bug: https://bugs.gentoo.org/790824
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 x11-libs/libX11/Manifest            |  1 +
 x11-libs/libX11/libX11-1.7.1.ebuild | 39 +++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
Comment 3 Rolf Eike Beer archtester 2021-05-21 20:51:40 UTC
sparc stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 01:29:56 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 01:30:25 UTC
x86 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 01:31:57 UTC
arm64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 01:32:03 UTC
arm done
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 15:54:39 UTC
New GLSA request filed.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-25 12:34:02 UTC
ppc64 done
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:56:04 UTC
This issue was resolved and addressed in
 GLSA 202105-16 at https://security.gentoo.org/glsa/202105-16
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-26 08:58:02 UTC
Re-opening for remaining architectures.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 19:22:34 UTC
ppc done

all arches done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 19:41:35 UTC
Please clean up.
Comment 14 NATTkA bot gentoo-dev 2021-07-26 07:16:59 UTC
Unable to check for sanity:

> no match for package: x11-libs/libX11-1.7.1
Comment 15 Matt Turner gentoo-dev 2021-07-26 07:29:40 UTC
Cleaned.
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 14:46:36 UTC
Thanks, all done!