Created attachment 216934 [details] update to 1.6.10 - fixed CVE-2020-14344 X.Org security advisory: July 31, 2020 Heap corruption in the X input method client in libX11 ====================================================== CVE-2020-14344 The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method. Patches ======= Patches for these issues have been commited to the libX11 git repository. libX11 1.6.10 will be released shortly and will include those patches. https://gitlab.freedesktop.org/xorg/lib/libx11 commit 1703b9f3435079d3c6021e1ee2ec34fd4978103d (HEAD -> master) Change the data_len parameter of _XimAttributeToValue() to CARD16 It's coming from a length in the protocol (unsigned) and passed to functions that expect unsigned int parameters (_XCopyToArg() and memcpy()). commit 1a566c9e00e5f35c1f9e7f3d741a02e5170852b2 Zero out buffers in functions It looks like uninitialized stack or heap memory can leak out via padding bytes. commit 2fcfcc49f3b1be854bb9085993a01d17c62acf60 Fix more unchecked lengths commit 388b303c62aa35a245f1704211a023440ad2c488 fix integer overflows in _XimAttributeToValue() commit 0e6561efcfaa0ae7b5c74eac7e064b76d687544e Fix signed length values in _XimGetAttributeID() The lengths are unsigned according to the specification. Passing negative values can lead to data corruption. Thanks ====== X.Org thanks Todd Carson for reporting these issues to our security team and assisting them in understanding them and providing fixes.
Patch tested on amd64: make check-plist/install, run GUI application.
[ANNOUNCE] libX11 1.6.10 Matthieu Herrb Fri, 31 Jul 2020 06:59:13 -0700 https://www.mail-archive.com/xorg-announce@lists.x.org/msg01261.html
A commit references this bug: Author: zeising Date: Sat Aug 1 14:21:22 UTC 2020 New revision: 543912 URL: https://svnweb.freebsd.org/changeset/ports/543912 Log: x11/libX11: Fix CVE-2020-14347 Add upstream patches to x11/libX11 to fix Heap corruption in the X input method client in libX11. Announcement: https://lists.x.org/archives/xorg-announce/2020-July/003050.html PR: 248409 (based on) Submitted by: VVD MFH: 2020Q3 (implicit, security update) Security: 6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0 Changes: head/x11/libX11/Makefile head/x11/libX11/distinfo
A commit references this bug: Author: zeising Date: Sat Aug 1 14:24:03 UTC 2020 New revision: 543913 URL: https://svnweb.freebsd.org/changeset/ports/543913 Log: MFH: r543911 r543912 x11-servers/xorg-server: Fix CVE-2020-14347 Add upstream patch to fix CVE-2020-14347, Pixel Data Uninitialized Memory Information Disclosure. Announcement: https://lists.x.org/archives/xorg-announce/2020-July/003051.html PR: 248410 (based on) Submitted by: VVD Security: 3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0 x11/libX11: Fix CVE-2020-14347 Add upstream patches to x11/libX11 to fix Heap corruption in the X input method client in libX11. Announcement: https://lists.x.org/archives/xorg-announce/2020-July/003050.html PR: 248409 (based on) Submitted by: VVD Security: 6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0 Approved by: ports-secteam (implicit, security update) Changes: _U branches/2020Q3/ branches/2020Q3/x11/libX11/Makefile branches/2020Q3/x11/libX11/distinfo branches/2020Q3/x11-servers/xorg-server/Makefile branches/2020Q3/x11-servers/xorg-server/distinfo
A commit references this bug: Author: zeising Date: Sat Aug 1 14:34:36 UTC 2020 New revision: 543914 URL: https://svnweb.freebsd.org/changeset/ports/543914 Log: x11/libX11: Update to 1.6.10 Update x11/libX11 to 1.6.10. Changelog: https://lists.x.org/archives/xorg-announce/2020-July/003052.html PR: 248409 Submitted by: VVD Changes: head/x11/libX11/Makefile head/x11/libX11/distinfo
To ease in merging to the quarterly branch, I chose to do the update in two steps. First I updated the port with just the security fixes, and merged that, then I updated to 1.6.10 with your patch. Thanks for your submission!
A commit references this bug: Author: zeising Date: Mon Aug 17 17:01:51 UTC 2020 New revision: 545175 URL: https://svnweb.freebsd.org/changeset/ports/545175 Log: MFH: r543914 r544154 r544630 r545155 With these changes libX11 in 2020Q3 branch should be mostly up to date with what's in the default ports tree branch. This is needed because the amount of patches fixing various issues started to pile up, and it was hard to merge the needed patches one by one. x11/libX11: Update to 1.6.10 Update x11/libX11 to 1.6.10. Changelog: https://lists.x.org/archives/xorg-announce/2020-July/003052.html PR: 248409 Submitted by: VVD x11/libX11: Fix regression after security fixes Add an upstream patch that fixes regressions after the last round of security updates, and the update to 1.6.10. This regression causes issues with emacs, at least. Reported by: Kevin Oberman x11/libX11: Update to 1.6.11 Update x11/libX11 to 1.6.11. This is effectively a noop, since the only change between 1.6.10 and 1.6.11 has already been included in the port. Bump the version anyway to keep things up to date. x11/libX11: Fix regression with inputh methods Add an upstream patch to fix regressions with input metods, where input method clients can't connect to the input method server. [1] While here, add a patch that removes register keywords and fixes compiles against libX11 headers with C++17. PR: 248549 [1] Reported by: Atsuo Ohki Approved by: ports-secteam (joenum) Changes: _U branches/2020Q3/ branches/2020Q3/x11/libX11/Makefile branches/2020Q3/x11/libX11/distinfo