X.Org Security Advisory: December 14, 2021

Povilas Kanapickas povilas at radix.lt
Tue Dec 14 13:11:35 UTC 2021 

X.Org Security Advisory: December 14, 2021

Multiple input validation failures in X server extensions
=========================================================

All of the following issues can lead to local privileges elevation on
systems where the X server is running privileged and remote code
execution for ssh X forwarding sessions.

* CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds
access

The handler for the CompositeGlyphs request of the Render extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier
out-of-bounds access

The handler for the CreatePointerBarrier request of the XFixes extension
does not properly validate the request length leading to out of bounds
memory write.

* CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access

The handler for the Suspend request of the Screen Saver extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access

The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write.

Patches
-------

Patches for this issues have been commited to the xorg server git
repository (https://gitlab.freedesktop.org/xorg/xserver). xorg-server
21.1.2 will be released shortly and will include these patches.

commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60

    render: Fix out of bounds access in SProcRenderCompositeGlyphs()

    ZDI-CAN-14192, CVE-2021-4008

    This vulnerability was discovered and the fix was suggested by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit b5196750099ae6ae582e1f46bd0a6dad29550e02

    xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()

    ZDI-CAN-14950, CVE-2021-4009

    This vulnerability was discovered and the fix was suggested by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21

    Xext: Fix out of bounds access in SProcScreenSaverSuspend()

    ZDI-CAN-14951, CVE-2021-4010

    This vulnerability was discovered and the fix was suggested by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit e56f61c79fc3cee26d83cda0f84ae56d5979f768

    record: Fix out of bounds access in SwapCreateRegister()

    ZDI-CAN-14952, CVE-2021-4011

    This vulnerability was discovered and the fix was suggested by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Thanks
======

This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.

--
Povilas Kanapickas

More information about the xorg mailing list