Bug 248410 - x11-servers/xorg-server: fix CVE-2020-14347 (release 1.20.9 soon)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: freebsd-x11 (Nobody)
URL: https://lists.x.org/archives/xorg-ann...
Keywords: needs-qa, security
Reported: 2020-08-01 11:39 UTC by Vladimir Druzenko
Modified: 2020-08-01 14:27 UTC
bugzilla: maintainer-feedback? (x11)
koobs: merge-quarterly?


Attachments
fix CVE-2020-14347 (967 bytes, patch)
2020-08-01 11:39 UTC, Vladimir Druzenko
vvd: maintainer-approval?
Description Vladimir Druzenko freebsd_committer freebsd_triage 2020-08-01 11:39:26 UTC
Created attachment 216935
fix CVE-2020-14347

X.Org security advisory: July 31, 2020

X Server Pixel Data Uninitialized Memory Information Disclosure 
===============================================================

CVE-2020-14347

Allocation for pixmap data in AllocatePixmap() does not initialize the
memory in xserver, it leads to a leak of uninitialized heap memory to
clients. When the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to privilege elevation in the
client.

Patch
=====

A patch for this issue has been committed to the xorg server git
repository.  xorg-server 1.20.9 will be released shortly and will
include this patch.

https://gitlab.freedesktop.org/xorg/xserver.git

diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
         return NullPixmap;
 
-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
     if (!pPixmap)
         return NullPixmap;
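Review bot: the calloc() line in AllocatePixmap() carries no comment saying that the zeroing is the security fix, so a later performance cleanup could switch it back to malloc() and reintroduce the disclosure; a one-line comment above it, along the lines of "zero the pixmap so stale heap contents never reach clients", would guard against that. The overflow guard in the context lines still covers the sum passed to calloc(1, ...), but pixDataSize is a signed int in the function signature and nothing in the visible lines rejects a negative value, which is worth checking separately from this fix.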
    
Thanks
======

This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.


Patch tested on 12.1 amd64: make check-plist/install.
I didn't restart xorg-server after this upgrade.
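
The disclosure described in the advisory above, as an added example that is not part of the bug report or of the X.Org code: a constructed one-slot allocator models heap reuse deterministically and compares the malloc-style and calloc-style allocation paths. All names (ToyPixmap, leak_demo, HDR_SIZE, SLOT_SIZE) and the stale value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not X server code. A one-slot "heap" hands the same
 * block back on every allocation, as a real allocator recycles a freed chunk;
 * this avoids the undefined behaviour of reading uninitialized malloc() memory. */
#define HDR_SIZE  16   /* stands in for pScreen->totalPixmapSize */
#define SLOT_SIZE 64
static unsigned char slot[SLOT_SIZE];
typedef struct { unsigned char *base; size_t data_len; } ToyPixmap;

/* Pre-fix behaviour: like malloc(), the block keeps its old contents. */
static int alloc_pixmap_uninit(ToyPixmap *p, size_t data_len)
{
    if (data_len > SLOT_SIZE - HDR_SIZE) return -1;
    p->base = slot;
    p->data_len = data_len;
    return 0;
}

/* Post-fix behaviour: like calloc(1, ...), header and pixel data are zeroed. */
static int alloc_pixmap_zeroed(ToyPixmap *p, size_t data_len)
{
    if (alloc_pixmap_uninit(p, data_len) != 0) return -1;
    memset(p->base, 0, HDR_SIZE + data_len);
    return 0;
}

/* Returns how many stale (non-zero) bytes a client would receive if it read
 * back the pixel data of a fresh pixmap it never drew to. */
size_t leak_demo(int zeroed)
{
    const char *stale = "0x7f3a1c2b9000"; /* constructed pointer-like value */
    ToyPixmap p;
    size_t i, leaked = 0;
    memset(slot, 0, sizeof slot);
    memcpy(slot + HDR_SIZE, stale, strlen(stale)); /* previous owner's data */
    if ((zeroed ? alloc_pixmap_zeroed(&p, 32) : alloc_pixmap_uninit(&p, 32)) != 0)
        return (size_t)-1;
    for (i = 0; i < p.data_len; i++)
        leaked += (p.base[HDR_SIZE + i] != 0);
    return leaked;
}

int main(void)
{
    printf("malloc-style: %zu stale bytes, calloc-style: %zu\n", leak_demo(0), leak_demo(1));
    return 0;
}
```
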
Comment 1 commit-hook freebsd_committer freebsd_triage 2020-08-01 14:17:59 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:17:09 UTC 2020
New revision: 543911
URL: https://svnweb.freebsd.org/changeset/ports/543911

Log:
  x11-servers/xorg-server: Fix CVE-2020-14347

  Add upstream patch to fix CVE-2020-14347, Pixel Data Uninitialized Memory
  Information Disclosure.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003051.html

  PR:		248410 (based on)
  Submitted by:	VVD
  MFH:		2020Q3 (implicit, security update)
  Security:	3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0

Changes:
  head/x11-servers/xorg-server/Makefile
  head/x11-servers/xorg-server/distinfo
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-08-01 14:25:04 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:24:02 UTC 2020
New revision: 543913
URL: https://svnweb.freebsd.org/changeset/ports/543913

Log:
  MFH: r543911 r543912

  x11-servers/xorg-server: Fix CVE-2020-14347

  Add upstream patch to fix CVE-2020-14347, Pixel Data Uninitialized Memory
  Information Disclosure.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003051.html

  PR:		248410 (based on)
  Submitted by:	VVD
  Security:	3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0

  x11/libX11: Fix CVE-2020-14347

  Add upstream patches to x11/libX11 to fix Heap corruption in the X input
  method client in libX11.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003050.html

  PR:		248409 (based on)
  Submitted by:	VVD
  Security:	6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

  Approved by:	ports-secteam (implicit, security update)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/libX11/Makefile
  branches/2020Q3/x11/libX11/distinfo
  branches/2020Q3/x11-servers/xorg-server/Makefile
  branches/2020Q3/x11-servers/xorg-server/distinfo
Comment 3 Niclas Zeising freebsd_committer freebsd_triage 2020-08-01 14:27:44 UTC
Committed and merged to quarterly branch.
Thank you!