[Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248409

            Bug ID: 248409
           Summary: x11/libX11: update to 1.6.10 - fixed CVE-2020-14344
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://lists.x.org/archives/xorg-announce/2020-July/0
                    03050.html
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: [hidden email]
          Reporter: [hidden email]
                CC: [hidden email], [hidden email]
             Flags: maintainer-feedback?([hidden email])
          Assignee: [hidden email]
 Attachment #216934 maintainer-approval?
             Flags:
             Flags: maintainer-feedback?

Created attachment 216934
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=216934&action=edit
update to 1.6.10 - fixed CVE-2020-14344

X.Org security advisory: July 31, 2020

Heap corruption in the X input method client in libX11
======================================================

CVE-2020-14344

The X Input Method (XIM) client implementation in libX11 has some
integer overflows and signed/unsigned comparison issues that can lead
to heap corruption when handling malformed messages from an input
method.

Patches
=======

Patches for these issues have been commited to the libX11 git repository.
libX11 1.6.10 will be released shortly and will include those patches.

https://gitlab.freedesktop.org/xorg/lib/libx11

commit 1703b9f3435079d3c6021e1ee2ec34fd4978103d (HEAD -> master)

    Change the data_len parameter of _XimAttributeToValue() to CARD16

    It's coming from a length in the protocol (unsigned) and passed
    to functions that expect unsigned int parameters (_XCopyToArg()
    and memcpy()).

commit 1a566c9e00e5f35c1f9e7f3d741a02e5170852b2

    Zero out buffers in functions

    It looks like uninitialized stack or heap memory can leak
    out via padding bytes.


commit 2fcfcc49f3b1be854bb9085993a01d17c62acf60

    Fix more unchecked lengths

commit 388b303c62aa35a245f1704211a023440ad2c488

    fix integer overflows in _XimAttributeToValue()


commit 0e6561efcfaa0ae7b5c74eac7e064b76d687544e

    Fix signed length values in _XimGetAttributeID()

    The lengths are unsigned according to the specification. Passing
    negative values can lead to data corruption.

Thanks
======

X.Org thanks Todd Carson for reporting these issues to our security
team and assisting them in understanding them and providing fixes.

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-x11
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

maintainer-feedback requested: [Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

bugzilla-noreply
Bugzilla Automation <[hidden email]> has asked freebsd-x11 (Nobody)
<[hidden email]> for maintainer-feedback:
Bug 248409: x11/libX11: update to 1.6.10 - fixed CVE-2020-14344
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248409



--- Description ---
X.Org security advisory: July 31, 2020

Heap corruption in the X input method client in libX11
======================================================

CVE-2020-14344

The X Input Method (XIM) client implementation in libX11 has some
integer overflows and signed/unsigned comparison issues that can lead
to heap corruption when handling malformed messages from an input
method.

Patches
=======

Patches for these issues have been commited to the libX11 git repository.
libX11 1.6.10 will be released shortly and will include those patches.

https://gitlab.freedesktop.org/xorg/lib/libx11

commit 1703b9f3435079d3c6021e1ee2ec34fd4978103d (HEAD -> master)

    Change the data_len parameter of _XimAttributeToValue() to CARD16

    It's coming from a length in the protocol (unsigned) and passed
    to functions that expect unsigned int parameters (_XCopyToArg()
    and memcpy()).

commit 1a566c9e00e5f35c1f9e7f3d741a02e5170852b2

    Zero out buffers in functions

    It looks like uninitialized stack or heap memory can leak
    out via padding bytes.


commit 2fcfcc49f3b1be854bb9085993a01d17c62acf60

    Fix more unchecked lengths

commit 388b303c62aa35a245f1704211a023440ad2c488

    fix integer overflows in _XimAttributeToValue()


commit 0e6561efcfaa0ae7b5c74eac7e064b76d687544e

    Fix signed length values in _XimGetAttributeID()

    The lengths are unsigned according to the specification. Passing
    negative values can lead to data corruption.

Thanks
======

X.Org thanks Todd Carson for reporting these issues to our security
team and assisting them in understanding them and providing fixes.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-x11
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

[Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

bugzilla-noreply
In reply to this post by bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248409

VVD <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Affects Only Me             |Affects Many People
                 CC|                            |[hidden email]

--- Comment #1 from VVD <[hidden email]> ---
Patch tested on amd64: make check-plist/install, run GUI application.

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-x11
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

[Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

bugzilla-noreply
In reply to this post by bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248409

--- Comment #2 from VVD <[hidden email]> ---
[ANNOUNCE] libX11 1.6.10
Matthieu Herrb Fri, 31 Jul 2020 06:59:13 -0700

https://www.mail-archive.com/xorg-announce@.../msg01261.html

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-x11
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

[Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

bugzilla-noreply
In reply to this post by bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248409

--- Comment #3 from [hidden email] ---
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:21:22 UTC 2020
New revision: 543912
URL: https://svnweb.freebsd.org/changeset/ports/543912

Log:
  x11/libX11: Fix CVE-2020-14347

  Add upstream patches to x11/libX11 to fix Heap corruption in the X input
  method client in libX11.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003050.html

  PR:           248409 (based on)
  Submitted by: VVD
  MFH:          2020Q3 (implicit, security update)
  Security:     6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

Changes:
  head/x11/libX11/Makefile
  head/x11/libX11/distinfo

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-x11
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

[Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

bugzilla-noreply
In reply to this post by bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248409

--- Comment #4 from [hidden email] ---
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:24:03 UTC 2020
New revision: 543913
URL: https://svnweb.freebsd.org/changeset/ports/543913

Log:
  MFH: r543911 r543912

  x11-servers/xorg-server: Fix CVE-2020-14347

  Add upstream patch to fix CVE-2020-14347, Pixel Data Uninitialized Memory
  Information Disclosure.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003051.html

  PR:           248410 (based on)
  Submitted by: VVD
  Security:     3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0

  x11/libX11: Fix CVE-2020-14347

  Add upstream patches to x11/libX11 to fix Heap corruption in the X input
  method client in libX11.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003050.html

  PR:           248409 (based on)
  Submitted by: VVD
  Security:     6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

  Approved by:  ports-secteam (implicit, security update)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/libX11/Makefile
  branches/2020Q3/x11/libX11/distinfo
  branches/2020Q3/x11-servers/xorg-server/Makefile
  branches/2020Q3/x11-servers/xorg-server/distinfo

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-x11
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

[Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

bugzilla-noreply
In reply to this post by bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248409

--- Comment #5 from [hidden email] ---
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:34:36 UTC 2020
New revision: 543914
URL: https://svnweb.freebsd.org/changeset/ports/543914

Log:
  x11/libX11: Update to 1.6.10

  Update x11/libX11 to 1.6.10.
  Changelog:
  https://lists.x.org/archives/xorg-announce/2020-July/003052.html

  PR:           248409
  Submitted by: VVD

Changes:
  head/x11/libX11/Makefile
  head/x11/libX11/distinfo

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-x11
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

[Bug 248409] x11/libX11: update to 1.6.10 - fixed CVE-2020-14344

bugzilla-noreply
In reply to this post by bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248409

Niclas Zeising <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Closed
         Resolution|---                         |FIXED
                 CC|                            |[hidden email]

--- Comment #6 from Niclas Zeising <[hidden email]> ---
To ease in merging to the quarterly branch, I chose to do the update in two
steps.  First I updated the port with just the security fixes, and merged that,
then I updated to 1.6.10 with your patch.
Thanks for your submission!

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-x11
To unsubscribe, send any mail to "[hidden email]"