X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5

Alan Coopersmith alan.coopersmith at oracle.com
Fri Apr 12 17:41:28 UTC 2024 

The fix we provided for CVE-2024-31083 introduced a double-free in some
circumstances, which led to X server crashes.

This has been fixed now in xorg-server-21.1.13 and xwayland-23.2.6.

For those applying patches instead of upgrades, see
https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc0168a7b978be4c3447650b04

          -Alan Coopersmith-              alan.coopersmith at oracle.com
            X.Org Security Response Team - xorg-security at lists.x.org

On 4/3/24 11:43, Alan Coopersmith wrote:
> X.Org Security Advisory: April 3, 2024
> 
> Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5
> ======================================================================
> 
> Multiple issues have been found in the X server and Xwayland implementations
> published by X.Org for which we are releasing security fixes for in
> xorg-server-21.1.12 and xwayland-23.2.5.
> 
> The first 3 can be triggered by a client using a different endianness from
> the X server and making particular requests.   The X server replies will use
> the byte-swapped length of the return data, causing the X server to read
> memory values from the heap and write it back to the client, until it
> finally hits an unmapped page and segfaults.  The client cannot control
> what portion of the server's heap memory the X server copies into its replies,
> but as the length values are typically small numbers stored into a 32-bit
> integer, the size attempted for the out-of-bounds read may be large.
> 
> Xwayland versions 23.1 and later disable support for byte-swapping by default,
> and are thus protected from these issues unless the Xwayland server is started
> with the +byteswappedclients option on the command line. X.Org plans to include
> this change in the next release branch of the other X.Org X servers.
> 
> The new xorg-server-21.1.12 release adds the ability to disable byte-swapped
> clients as well, though it retains the current default of leaving them enabled.
> For all of the provided X servers in this release, the command-line option
> -byteswappedclients may be used to disable byte-swapping support for X clients
> with a different endianness than the X server.
> Support for such clients may also be disabled for the Xorg server by
> providing a file in /etc/X11/xorg.conf.d/ containing the contents:
> 
> Section "ServerFlags"
>      Option "AllowByteSwappedClients" "False"
> EndSection
> 
> ------------------------------------------------------------------------
> 
> 1) CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
> 
> Introduced in: xorg-server-1.7.0 (2009)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0
> Found by: Alan Coopersmith of Oracle Solaris, while investigating
>        https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
> 
> The ProcXIGetSelectedEvents() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server.
> 
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
> 
> 
> 2) CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
> 
> Introduced in: xorg-server-1.7.0 (2009)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645d
> Found by: Alan Coopersmith of Oracle Solaris
> 
> The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server.
> 
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
> 
> 
> 3) CVE-2024-31082: Heap buffer overread/data leakage in ProcAppleDRICreatePixmap
> 
> Introduced in: xorg-server-1.12.0 (2012)
> Fixed in: xorg-server-21.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f
> Found by: Alan Coopersmith of Oracle Solaris
> 
> The ProcAppleDRICreatePixmap() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server.  This function is only found
> in the Xquartz server for MacOS systems, and not in Xwayland, Xorg, or any
> other X servers.
> 
> xorg-server-21.1.12 has been patched to fix this issue.
> 
> 4) CVE-2024-31083: User-after-free in ProcRenderAddGlyphs
> 
> Introduced in: prior to X11R6.7 (2004)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb3160
> Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> 
> The ProcRenderAddGlyphs() function calls the AllocateGlyph() function
> to store new glyphs sent by the client to the X server.  AllocateGlyph()
> would return a new glyph with refcount=0 and a re-used glyph would end up
> not changing the refcount at all. The resulting glyph_new array would thus
> have multiple entries pointing to the same non-refcounted glyphs.
> 
> ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when
> the same glyph pointer is then later used.
> 
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
> 
> ------------------------------------------------------------------------
> 
> X.Org thanks all of those who reported and fixed these issues, and those
> who helped with the review and release of this advisory and these fixes.
>

More information about the xorg-announce mailing list