X.Org security advisory: July 31, 2020: libX11
matthieu at herrb.eu
Fri Jul 31 13:37:55 UTC 2020
X.Org security advisory: July 31, 2020
Heap corruption in the X input method client in libX11
The X Input Method (XIM) client implementation in libX11 has some
integer overflows and signed/unsigned comparison issues that can lead
to heap corruption when handling malformed messages from an input
Patches for these issues have been commited to the libX11 git repository.
libX11 1.6.10 will be released shortly and will include those patches.
commit 1703b9f3435079d3c6021e1ee2ec34fd4978103d (HEAD -> master)
Change the data_len parameter of _XimAttributeToValue() to CARD16
It's coming from a length in the protocol (unsigned) and passed
to functions that expect unsigned int parameters (_XCopyToArg()
Zero out buffers in functions
It looks like uninitialized stack or heap memory can leak
out via padding bytes.
Fix more unchecked lengths
fix integer overflows in _XimAttributeToValue()
Fix signed length values in _XimGetAttributeID()
The lengths are unsigned according to the specification. Passing
negative values can lead to data corruption.
X.Org thanks Todd Carson for reporting these issues to our security
team and assisting them in understanding them and providing fixes.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 793 bytes
Desc: not available
More information about the xorg-devel