Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829208 (CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, CVE-2021-4011) - <x11-base/xorg-server-{1.20.14,21.1.2} <x11-base/xwayland-21.1.4: Multiple vulnerabilities (CVE-2021-{4008,4009,4010,4011})
Summary: <x11-base/xorg-server-{1.20.14,21.1.2} <x11-base/xwayland-21.1.4: Multiple vu...
Status: RESOLVED FIXED
Alias: CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, CVE-2021-4011
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 829310
Blocks:
  Show dependency tree
 
Reported: 2021-12-14 20:48 UTC by Sam James
Modified: 2023-05-30 02:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-14 20:48:10 UTC
Multiple input validation failures in X server extensions
=========================================================

All of the following issues can lead to local privileges elevation on
systems where the X server is running privileged and remote code
execution for ssh X forwarding sessions.

* CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds
access

The handler for the CompositeGlyphs request of the Render extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier
out-of-bounds access

The handler for the CreatePointerBarrier request of the XFixes extension
does not properly validate the request length leading to out of bounds
memory write.

* CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access

The handler for the Suspend request of the Screen Saver extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access

The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write.

---
Need to bump to both xorg-server 21.1.2 and xwayland 21.1.4.

Hopefully these patches were backported to the older branch too.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-15 23:27:27 UTC
xorg-server-1.20.14 is released with these fixes.
Comment 2 Larry the Git Cow gentoo-dev 2021-12-16 02:37:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82d3645f42413443ed0b010f2927924030a9c3dd

commit 82d3645f42413443ed0b010f2927924030a9c3dd
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-15 23:27:08 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-16 02:37:23 +0000

    x11-base/xorg-server: Version bump to 21.1.2
    
    Bug: https://bugs.gentoo.org/829208
    Closes: https://bugs.gentoo.org/827877
    Closes: https://bugs.gentoo.org/828513
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                  |   1 +
 x11-base/xorg-server/xorg-server-21.1.2.ebuild | 179 +++++++++++++++++++++++++
 2 files changed, 180 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25f28d4c27bb6d0c290e8280758a0b679fafcfcc

commit 25f28d4c27bb6d0c290e8280758a0b679fafcfcc
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-15 23:26:01 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-16 02:37:23 +0000

    x11-base/xorg-server: Version bump to 1.20.14
    
    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                   |   1 +
 x11-base/xorg-server/xorg-server-1.20.14.ebuild | 209 ++++++++++++++++++++++++
 2 files changed, 210 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2021-12-16 02:49:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf8a9fa537bce705741480e842b6e5cbf1f5b079

commit cf8a9fa537bce705741480e842b6e5cbf1f5b079
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-16 02:45:53 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-16 02:49:10 +0000

    x11-base/xwayland: Version bump to 21.1.4
    
    Also remove IUSE=rpc (see commit 72c14cae8f9e for rationale).
    
    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |  1 +
 x11-base/xwayland/xwayland-21.1.4.ebuild | 86 ++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-16 03:05:36 UTC
Thanks Matt!
Comment 5 Larry the Git Cow gentoo-dev 2021-12-16 03:49:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea77f4cec864578517b1e11bb325265564db46e4

commit ea77f4cec864578517b1e11bb325265564db46e4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-16 03:47:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-16 03:49:42 +0000

    x11-base/xwayland: fix rpc option
    
    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Sam James <sam@gentoo.org>

 x11-base/xwayland/xwayland-21.1.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2021-12-21 04:57:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ed84dffb69131b1b84e1717e2b3bb276c2eb164

commit 4ed84dffb69131b1b84e1717e2b3bb276c2eb164
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-21 04:57:13 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-21 04:57:42 +0000

    x11-base/xwayland: Drop old versions
    
    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest                  |  2 -
 x11-base/xwayland/metadata.xml              |  1 -
 x11-base/xwayland/xwayland-21.1.2-r2.ebuild | 87 -----------------------------
 x11-base/xwayland/xwayland-21.1.3.ebuild    | 87 -----------------------------
 4 files changed, 177 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb2be09ec249f29c044e37765b515e14a95e8266

commit eb2be09ec249f29c044e37765b515e14a95e8266
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-12-21 04:56:14 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-12-21 04:56:48 +0000

    x11-base/xorg-server: Drop old versions
    
    Bug: https://bugs.gentoo.org/829208
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                      |   2 -
 x11-base/xorg-server/xorg-server-1.20.13-r1.ebuild | 219 ---------------------
 x11-base/xorg-server/xorg-server-21.1.1-r2.ebuild  | 180 -----------------
 x11-base/xorg-server/xorg-server-21.1.2-r2.ebuild  | 184 -----------------
 4 files changed, 585 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:27:56 UTC
GLSA request filed
Comment 8 Larry the Git Cow gentoo-dev 2023-05-30 02:56:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f91a69c129c65b48c349fa74cf96eb46e176c139

commit f91a69c129c65b48c349fa74cf96eb46e176c139
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 02:54:51 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 02:56:36 +0000

    [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/829208
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Bug: https://bugs.gentoo.org/893438
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-30.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 02:59:41 UTC
GLSA released, all done!