X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5

Alan Coopersmith alan.coopersmith at oracle.com
Wed Apr 3 18:43:34 UTC 2024 

X.Org Security Advisory: April 3, 2024

Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5
======================================================================

Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.12 and xwayland-23.2.5.

The first 3 can be triggered by a client using a different endianness from
the X server and making particular requests.   The X server replies will use
the byte-swapped length of the return data, causing the X server to read
memory values from the heap and write it back to the client, until it
finally hits an unmapped page and segfaults.  The client cannot control
what portion of the server's heap memory the X server copies into its replies,
but as the length values are typically small numbers stored into a 32-bit
integer, the size attempted for the out-of-bounds read may be large.

Xwayland versions 23.1 and later disable support for byte-swapping by default,
and are thus protected from these issues unless the Xwayland server is started
with the +byteswappedclients option on the command line. X.Org plans to include
this change in the next release branch of the other X.Org X servers.

The new xorg-server-21.1.12 release adds the ability to disable byte-swapped
clients as well, though it retains the current default of leaving them enabled.
For all of the provided X servers in this release, the command-line option
-byteswappedclients may be used to disable byte-swapping support for X clients
with a different endianness than the X server.
Support for such clients may also be disabled for the Xorg server by
providing a file in /etc/X11/xorg.conf.d/ containing the contents:

Section "ServerFlags"
     Option "AllowByteSwappedClients" "False"
EndSection

------------------------------------------------------------------------

1) CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents

Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0
Found by: Alan Coopersmith of Oracle Solaris, while investigating
       https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762

The ProcXIGetSelectedEvents() function uses the byte-swapped length of the
return data for the amount of data to return to the client, if the client
has a different endianness than the X server.

xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.


2) CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice

Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645d
Found by: Alan Coopersmith of Oracle Solaris

The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the
return data for the amount of data to return to the client, if the client
has a different endianness than the X server.

xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.


3) CVE-2024-31082: Heap buffer overread/data leakage in ProcAppleDRICreatePixmap

Introduced in: xorg-server-1.12.0 (2012)
Fixed in: xorg-server-21.1.12
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f
Found by: Alan Coopersmith of Oracle Solaris

The ProcAppleDRICreatePixmap() function uses the byte-swapped length of the
return data for the amount of data to return to the client, if the client
has a different endianness than the X server.  This function is only found
in the Xquartz server for MacOS systems, and not in Xwayland, Xorg, or any
other X servers.

xorg-server-21.1.12 has been patched to fix this issue.

4) CVE-2024-31083: User-after-free in ProcRenderAddGlyphs

Introduced in: prior to X11R6.7 (2004)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb3160
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

The ProcRenderAddGlyphs() function calls the AllocateGlyph() function
to store new glyphs sent by the client to the X server.  AllocateGlyph()
would return a new glyph with refcount=0 and a re-used glyph would end up
not changing the refcount at all. The resulting glyph_new array would thus
have multiple entries pointing to the same non-refcounted glyphs.

ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when
the same glyph pointer is then later used.

xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.

------------------------------------------------------------------------

X.Org thanks all of those who reported and fixed these issues, and those
who helped with the review and release of this advisory and these fixes.

-- 
          -Alan Coopersmith-              alan.coopersmith at oracle.com
            X.Org Security Response Team - xorg-security at lists.x.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xA2FB9E081F2D130E.asc
Type: application/pgp-keys
Size: 8712 bytes
Desc: OpenPGP public key
URL: <https://lists.x.org/archives/xorg-announce/attachments/20240403/bff2fae2/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.x.org/archives/xorg-announce/attachments/20240403/bff2fae2/attachment-0001.sig>

More information about the xorg-announce mailing list