#13968: xorg-server-1.20.9 (CVE-2020-14345 CVE-2020-14346 CVE-2020-14361
CVE-2020-2020-1436)
-------------------------+-----------------------
 Reporter:  renodr       |      Owner:  blfs-book
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  10.1
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-----------------------
 New security release of xorg-server. Seems to be due to multiple input
 validation failures in X server extensions. These issues lead to local
 privilege escalation on systems where the X server is running privileged.

 {{{
 Multiple input validation failures in X server extensions
 =========================================================

 All these issues can lead to local privilege elevation
 on systems where the X server is running privileged.

 * CVE-2020-14345 / ZDI CAN 11428 XkbSetNames Out-Of-Bounds Access

 The handler for the XkbSetNames request does not validate the request
 length before accessing its contents.

 * CVE-2020-14346 / ZDI CAN 11429 XIChangeHierarchy Integer Underflow

 An integer underflow exists in the handler for the XIChangeHierarchy
 request.

 * CVE-2020-14361 / ZDI CAN 11573 XkbSelectEvents Integer Underflow

 An integer underflow exists in the handler for the XkbSelectEvents
 request.

 * CVE-2020-1436 / ZDI CAN 11574 XRecordRegisterClients Integer Underflow

 An integer underflow exists in the handler for the CreateRegister
 request of the X record extension.

 Patches
 -------

 Patches for these issues have been committed to the xorg server git
 repository. xorg-server 1.20.9 will be released shortly and will
 include these patches.

 https://gitlab.freedesktop.org/xorg/xserver.git

 commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1

     Correct bounds checking in XkbSetNames()

     CVE-2020-14345 / ZDI 11428

 commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e

     Fix XIChangeHierarchy() integer underflow

     CVE-2020-14346 / ZDI-CAN-11429

 commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8

     Fix XkbSelectEvents() integer underflow

     CVE-2020-14361 ZDI-CAN 11573

 commit 24acad216aa0fc2ac451c67b2b86db057a032050

     Fix XRecordRegisterClients() Integer underflow

     CVE-2020-14362 ZDI-CAN-11574

 Thanks
 ======

 These vulnerabilities have been discovered by Jan-Niklas Sohn working
 with Trend Micro Zero Day Initiative.


 --
 Matthieu Herrb
 }}}

 And now the release notes:

 {{{
 Aaron Ma (1):
       xfree86: add drm modes on non-GTF panels

 Adam Jackson (2):
       linux: Make platform device probe less fragile
       linux: Fix platform device PCI detection for complex bus topologies

 Alan Coopersmith (2):
       Update URL's in man pages
       doc: Update URLs in Xserver-DTrace.xml

 Alex Goins (1):
       randr: Check rrPrivKey in RRHasScanoutPixmap()

 Hans de Goede (1):
       modesetting: Disable pageflipping when using a swcursor

 Huacai Chen (1):
       linux: Fix platform device probe for DT-based PCI

 Jose Maria Casanova Crespo (1):
       modesetting: Fix front_bo leak at drmmode_xf86crtc_resize on XRandR rotation

 Lyude Paul (1):
       xwayland: Store xwl_tablet_pad in its own private key

 Martin Weber (1):
       hw/xfree86: Avoid cursor use after free

 Matt Turner (1):
       xserver 1.20.9

 Matthieu Herrb (5):
       fix for ZDI-11426
       Correct bounds checking in XkbSetNames()
       Fix XIChangeHierarchy() integer underflow
       Fix XkbSelectEvents() integer underflow
       Fix XRecordRegisterClients() Integer underflow

 Michel Dänzer (7):
       present/wnmd: Keep pixmap pointer in present_wnmd_clear_window_flip
       present/wnmd: Free flip_queue entries in present_wnmd_clear_window_flip
       xwayland: Always use xwl_present_free_event for freeing Present events
       xwayland: Free all remaining events in xwl_present_cleanup
       xwayland: Hold a pixmap reference in struct xwl_present_event
       xwayland: Propagate damage x1/y1 coordinates in xwl_present_flip
       xwayland: Handle NULL xwl_seat in xwl_seat_can_emulate_pointer_warp

 Olivier Fourdan (4):
       xwayland: Fix infinite loop at startup
       xwayland: Clear private on device removal
       xwayland: Disable the MIT-SCREEN-SAVER extension when rootless
       xwayland: Use a fixed DPI value for core protocol

 Roman Gilg (1):
       present: Check valid region in window mode flips

 Samuel Thibault (1):
       dix: do not send focus event when grab actually does not change

 Simon Ser (2):
       xwayland: import DMA-BUFs with GBM_BO_USE_RENDERING only
       xwayland: only use linux-dmabuf if format/modifier was advertised

 SimonP (1):
       xwayland: Initialise values in xwlVidModeGetGamma()

 Sjoerd Simons (1):
       xwayland: Fix crashes when there is no pointer

 git tag: xorg-server-1.20.9
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/13968>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
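
Added illustration (not part of the ticket, the advisory, or the xorg-server source): the two bug classes the advisory names, a request length that is not validated before the contents are accessed and an integer underflow in a length computation, shown on a hypothetical request layout. struct demo_req, remaining_unchecked() and demo_sum_items() are invented for this example and do not reflect the X11 wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (constructed for illustration, not an X11 request):
 * a 4-byte header followed by `count` 32-bit items. */
struct demo_req {
    uint8_t  opcode;
    uint8_t  count;   /* items the client claims to have sent */
    uint16_t length;  /* client-supplied total size in 4-byte units, header included */
};

enum { DEMO_OK = 0, DEMO_BAD_LENGTH = -1 };

/* Unchecked pattern: the unsigned subtraction wraps to a huge value when
 * length * 4 is smaller than the header size. */
size_t remaining_unchecked(const struct demo_req *req)
{
    return (size_t)req->length * 4 - sizeof(*req);
}

/* Checked handler: every length is validated before the payload is read. */
int demo_sum_items(const uint8_t *buf, size_t buf_len, uint32_t *sum_out)
{
    struct demo_req req;
    uint32_t item, sum = 0;

    if (buf_len < sizeof(req))
        return DEMO_BAD_LENGTH;               /* header itself is truncated */
    memcpy(&req, buf, sizeof(req));

    size_t total = (size_t)req.length * 4;
    if (total < sizeof(req) || total > buf_len)
        return DEMO_BAD_LENGTH;               /* would underflow or over-read */
    if ((size_t)req.count * 4 != total - sizeof(req))
        return DEMO_BAD_LENGTH;               /* count disagrees with length */

    for (size_t i = 0; i < req.count; i++) {
        memcpy(&item, buf + sizeof(req) + i * 4, sizeof(item));
        sum += item;
    }
    *sum_out = sum;
    return DEMO_OK;
}

int main(void)
{
    struct demo_req bad = { 1, 2, 0 };        /* constructed: length too small */
    printf("unchecked remaining: %zu\n", remaining_unchecked(&bad));
    return 0;
}
```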