2024-04-12 17:44:03

by Alan Coopersmith

Subject: [oss-security] Re: Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5

-------- Forwarded Message --------
Subject: Re: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5
Date: Fri, 12 Apr 2024 10:41:28 -0700
From: Alan Coopersmith <[email protected]>
To: [email protected]
CC: [email protected] <[email protected]>

The fix we provided for CVE-2024-31083 introduced a double-free in some
circumstances, which led to X server crashes.

This has been fixed now in xorg-server-21.1.13 and xwayland-23.2.6.

For those applying patches instead of upgrades, see
https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc0168a7b978be4c3447650b04

-Alan Coopersmith- [email protected]
X.Org Security Response Team - [email protected]

On 4/3/24 11:43, Alan Coopersmith wrote:
> X.Org Security Advisory: April 3, 2024
>
> Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5
> ======================================================================
>
> Multiple issues have been found in the X server and Xwayland implementations
> published by X.Org, for which we are releasing security fixes in
> xorg-server-21.1.12 and xwayland-23.2.5.
>
> The first 3 can be triggered by a client using a different endianness from
> the X server and making particular requests. The X server replies will use
> the byte-swapped length of the return data, causing the X server to read
> memory values from the heap and write them back to the client, until it
> finally hits an unmapped page and segfaults. The client cannot control
> what portion of the server's heap memory the X server copies into its replies,
> but as the length values are typically small numbers stored into a 32-bit
> integer, the size attempted for the out-of-bounds read may be large.
>
> Xwayland versions 23.1 and later disable support for byte-swapping by default,
> and are thus protected from these issues unless the Xwayland server is started
> with the +byteswappedclients option on the command line. X.Org plans to include
> this change in the next release branch of the other X.Org X servers.
>
> The new xorg-server-21.1.12 release adds the ability to disable byte-swapped
> clients as well, though it retains the current default of leaving them enabled.
> For all of the provided X servers in this release, the command-line option
> -byteswappedclients may be used to disable byte-swapping support for X clients
> with a different endianness than the X server.
> Support for such clients may also be disabled for the Xorg server by
> providing a file in /etc/X11/xorg.conf.d/ containing the contents:
>
> Section "ServerFlags"
> Option "AllowByteSwappedClients" "False"
> EndSection
>
> ------------------------------------------------------------------------
>
> 1) CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
>
> Introduced in: xorg-server-1.7.0 (2009)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0
> Found by: Alan Coopersmith of Oracle Solaris, while investigating
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
>
> The ProcXIGetSelectedEvents() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server.
>
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
>
>
> 2) CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
>
> Introduced in: xorg-server-1.7.0 (2009)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645d
> Found by: Alan Coopersmith of Oracle Solaris
>
> The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server.
>
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
>
>
> 3) CVE-2024-31082: Heap buffer overread/data leakage in ProcAppleDRICreatePixmap
>
> Introduced in: xorg-server-1.12.0 (2012)
> Fixed in: xorg-server-21.1.12
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd41c727f
> Found by: Alan Coopersmith of Oracle Solaris
>
> The ProcAppleDRICreatePixmap() function uses the byte-swapped length of the
> return data for the amount of data to return to the client, if the client
> has a different endianness than the X server. This function is only found
> in the Xquartz server for MacOS systems, and not in Xwayland, Xorg, or any
> other X servers.
>
> xorg-server-21.1.12 has been patched to fix this issue.
>
> 4) CVE-2024-31083: Use-after-free in ProcRenderAddGlyphs
>
> Introduced in: prior to X11R6.7 (2004)
> Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb3160
> Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
>
> The ProcRenderAddGlyphs() function calls the AllocateGlyph() function
> to store new glyphs sent by the client to the X server. AllocateGlyph()
> would return a new glyph with refcount=0 and a re-used glyph would end up
> not changing the refcount at all. The resulting glyph_new array would thus
> have multiple entries pointing to the same non-refcounted glyphs.
>
> ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when
> the same glyph pointer is then later used.
>
> xorg-server-21.1.12 and xwayland-23.2.5 have been patched to fix this issue.
>
> ------------------------------------------------------------------------
>
> X.Org thanks all of those who reported and fixed these issues, and those
> who helped with the review and release of this advisory and these fixes.
>
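The following is an added illustration and is not part of the advisory, the reply above, or the X server source. It models in plain C the bug class behind the first three CVEs: a reply header whose 32-bit length field is byte-swapped into the client's byte order, after which the already-swapped value is reused as the server-side byte count for copying the payload. The struct and function names (reply_header, swap32, vulnerable_payload_bytes, fixed_payload_bytes, overreads) are stand-ins of my own, not the server's swapl()/WriteToClient(), and the 8-byte payload is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the byte-swapped-length bug class. Not X server code:
 * the types and helpers below stand in for the real reply structures,
 * swapl() and WriteToClient(). */

/* X protocol replies carry their payload length in 32-bit (4-byte) units. */
struct reply_header {
    uint16_t sequence;
    uint32_t length;
};

/* A connected client; swapped != 0 means its byte order differs from the
 * server's, so reply header fields must be swapped before being sent. */
struct client {
    int swapped;
};

/* Stand-in for the server's swapl(): byte-swap a 32-bit value in place. */
static void swap32(uint32_t *v)
{
    uint32_t x = *v;
    *v = ((x & 0x000000ffu) << 24) | ((x & 0x0000ff00u) << 8) |
         ((x & 0x00ff0000u) >> 8)  | ((x & 0xff000000u) >> 24);
}

/* Vulnerable pattern: the header is swapped for the wire first, then the
 * swapped length is reused as the number of payload bytes to copy from the
 * heap. Returns the byte count the server would hand to its write routine. */
uint32_t vulnerable_payload_bytes(const struct client *c, uint32_t payload_bytes)
{
    struct reply_header hdr = { 0, payload_bytes / 4 };
    if (c->swapped)
        swap32(&hdr.length);          /* correct for the header on the wire */
    return hdr.length * 4;            /* BUG: swapped value used as a size */
}

/* Fixed pattern: save the host-order byte count before swapping the header
 * and use the saved value for the copy. */
uint32_t fixed_payload_bytes(const struct client *c, uint32_t payload_bytes)
{
    struct reply_header hdr = { 0, payload_bytes / 4 };
    uint32_t copy_len = hdr.length * 4;   /* host-order size, captured first */
    if (c->swapped)
        swap32(&hdr.length);
    return copy_len;
}

/* Would copying 'bytes' out of a heap buffer of 'buf_size' bytes read past
 * its end? Returns 1 for an over-read, 0 otherwise. */
int overreads(uint32_t bytes, size_t buf_size)
{
    return bytes > buf_size ? 1 : 0;
}

int main(void)
{
    const uint32_t buf_size = 8;           /* constructed 8-byte payload */
    struct client same  = { 0 };           /* same endianness as the server */
    struct client other = { 1 };           /* opposite endianness */

    printf("same-endian client:  vulnerable=%u fixed=%u\n",
           (unsigned) vulnerable_payload_bytes(&same, buf_size),
           (unsigned) fixed_payload_bytes(&same, buf_size));
    printf("other-endian client: vulnerable=%u fixed=%u overread=%s\n",
           (unsigned) vulnerable_payload_bytes(&other, buf_size),
           (unsigned) fixed_payload_bytes(&other, buf_size),
           overreads(vulnerable_payload_bytes(&other, buf_size), buf_size)
               ? "yes" : "no");
    return 0;
}
```

For a same-endian client both paths copy 8 bytes. For a client of the other endianness the length field 2 becomes 0x02000000 after swapping, and the vulnerable path asks to copy 0x08000000 bytes (128 MiB) from an 8-byte heap buffer, which is the walk-off-the-heap-until-segfault behaviour the advisory describes; the fixed path still copies 8. The same ordering rule applies to any reply field that doubles as a size: swap a copy for the wire, never the value you are about to compute with.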