[Bug 248410] x11-servers/xorg-server: fix CVE-2020-14347 (release 1.20.9 soon)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Aug 1 11:39:27 UTC 2020 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248410

            Bug ID: 248410
           Summary: x11-servers/xorg-server: fix CVE-2020-14347 (release
                    1.20.9 soon)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://lists.x.org/archives/xorg-announce/2020-July/0
                    03051.html
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: x11 at FreeBSD.org
          Reporter: vvd at unislabs.com
                CC: joneum at FreeBSD.org, ports-secteam at FreeBSD.org
          Assignee: x11 at FreeBSD.org
             Flags: maintainer-feedback?(x11 at FreeBSD.org)
 Attachment #216935 maintainer-approval?
             Flags:
             Flags: maintainer-feedback?

Created attachment 216935
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=216935&action=edit
fix CVE-2020-14347

X.Org security advisory: July 31, 2020

X Server Pixel Data Uninitialized Memory Information Disclosure 
===============================================================

CVE-2020-14347

Allocation for pixmap data in AllocatePixmap() does not initialize the
memory in xserver, it leads to leak uninitialize heap memory to
clients. When the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to lead to privilege elevation in the
client.

Patch
=====

A patch for this issue has been commited to the xorg server git
repository.  xorg-server 1.20.9 will be released shortly and will
include this patch.

https://gitlab.freedesktop.org/xorg/xserver.git

diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
         return NullPixmap;

-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
     if (!pPixmap)
         return NullPixmap;

Thanks
======

This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.


Patch tested on 12.1 amd64: make check-plist/install.
I didn't restart xorg-server after this upgrade.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-ports-bugs mailing list