Bug 248409 - x11/libX11: update to 1.6.10 - fixed CVE-2020-14344
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-x11 (Nobody)
URL: https://lists.x.org/archives/xorg-ann...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-01 11:23 UTC by VVD
Modified: 2020-08-17 17:02 UTC

See Also:
bugzilla: maintainer-feedback? (x11)
vvd: maintainer-feedback?


Attachments
update to 1.6.10 - fixed CVE-2020-14344 (809 bytes, patch)
2020-08-01 11:23 UTC, VVD
vvd: maintainer-approval?

Description VVD 2020-08-01 11:23:28 UTC
Created attachment 216934 [details]
update to 1.6.10 - fixed CVE-2020-14344

X.Org security advisory: July 31, 2020

Heap corruption in the X input method client in libX11
======================================================

CVE-2020-14344

The X Input Method (XIM) client implementation in libX11 has some
integer overflows and signed/unsigned comparison issues that can lead
to heap corruption when handling malformed messages from an input
method.

Patches
=======

Patches for these issues have been committed to the libX11 git repository.
libX11 1.6.10 will be released shortly and will include those patches.

https://gitlab.freedesktop.org/xorg/lib/libx11

commit 1703b9f3435079d3c6021e1ee2ec34fd4978103d (HEAD -> master)

    Change the data_len parameter of _XimAttributeToValue() to CARD16
    
    It's coming from a length in the protocol (unsigned) and passed
    to functions that expect unsigned int parameters (_XCopyToArg()
    and memcpy()).
    
commit 1a566c9e00e5f35c1f9e7f3d741a02e5170852b2

    Zero out buffers in functions
    
    It looks like uninitialized stack or heap memory can leak
    out via padding bytes.
    

commit 2fcfcc49f3b1be854bb9085993a01d17c62acf60

    Fix more unchecked lengths
    
commit 388b303c62aa35a245f1704211a023440ad2c488

    fix integer overflows in _XimAttributeToValue()
    

commit 0e6561efcfaa0ae7b5c74eac7e064b76d687544e

    Fix signed length values in _XimGetAttributeID()
    
    The lengths are unsigned according to the specification. Passing
    negative values can lead to data corruption.
    
Thanks
======

X.Org thanks Todd Carson for reporting these issues to our security
team and assisting them in understanding them and providing fixes.
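
The signed/unsigned length problem named in the commit messages above, as an added illustration; it is not libX11 code and not part of the advisory or the bug report. The function names, the 2-byte little-endian length prefix and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed framing: 2-byte little-endian length, then that many bytes. */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Flawed pattern: the wire length is held in a signed 16-bit variable, so
 * 0xFFF0 becomes -16, passes the "fits in dst" test and turns into a huge
 * size_t for memcpy(). Nothing is copied here; the result is only reported. */
int accept_signed(const unsigned char *msg, size_t msg_len, size_t cap, size_t *n)
{
    if (msg_len < 2) return 0;
    int16_t len = (int16_t)rd16(msg);  /* sign invented by the type */
    if (len > (int)cap) return 0;      /* -16 > 64 is false: accepted */
    *n = (size_t)len;                  /* what memcpy() would receive */
    return 1;
}

/* Hardened form: keep the length unsigned (CARD16 is a 16-bit unsigned
 * type), bound it by both the bytes received and the destination, and
 * zero the destination so unused bytes never carry stale memory. */
int copy_attr_checked(const unsigned char *msg, size_t msg_len,
                      unsigned char *dst, size_t cap, size_t *n)
{
    if (msg_len < 2) return -1;
    uint16_t len = rd16(msg);
    if (len > msg_len - 2 || len > cap) return -1;
    memset(dst, 0, cap);
    memcpy(dst, msg + 2, len);
    *n = len;
    return 0;
}

int main(void)
{
    const unsigned char evil[] = { 0xF0, 0xFF, 'A', 'B' };  /* constructed */
    unsigned char dst[64];
    size_t n = 0;
    int ok = accept_signed(evil, sizeof evil, sizeof dst, &n);
    printf("signed check: accepted=%d count=%zu\n", ok, n);
    ok = copy_attr_checked(evil, sizeof evil, dst, sizeof dst, &n);
    printf("unsigned check: rc=%d\n", ok);
    return 0;
}
```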
Comment 1 VVD 2020-08-01 11:25:37 UTC
Patch tested on amd64: make check-plist/install, run GUI application.
Comment 2 VVD 2020-08-01 11:28:00 UTC
[ANNOUNCE] libX11 1.6.10
Matthieu Herrb Fri, 31 Jul 2020 06:59:13 -0700

https://www.mail-archive.com/xorg-announce@lists.x.org/msg01261.html
Comment 3 commit-hook freebsd_committer 2020-08-01 14:22:02 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:21:22 UTC 2020
New revision: 543912
URL: https://svnweb.freebsd.org/changeset/ports/543912

Log:
  x11/libX11: Fix CVE-2020-14347

  Add upstream patches to x11/libX11 to fix Heap corruption in the X input
  method client in libX11.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003050.html

  PR:		248409 (based on)
  Submitted by:	VVD
  MFH:		2020Q3 (implicit, security update)
  Security:	6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

Changes:
  head/x11/libX11/Makefile
  head/x11/libX11/distinfo
Comment 4 commit-hook freebsd_committer 2020-08-01 14:25:05 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:24:03 UTC 2020
New revision: 543913
URL: https://svnweb.freebsd.org/changeset/ports/543913

Log:
  MFH: r543911 r543912

  x11-servers/xorg-server: Fix CVE-2020-14347

  Add upstream patch to fix CVE-2020-14347, Pixel Data Uninitialized Memory
  Information Disclosure.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003051.html

  PR:		248410 (based on)
  Submitted by:	VVD
  Security:	3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0

  x11/libX11: Fix CVE-2020-14347

  Add upstream patches to x11/libX11 to fix Heap corruption in the X input
  method client in libX11.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003050.html

  PR:		248409 (based on)
  Submitted by:	VVD
  Security:	6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

  Approved by:	ports-secteam (implicit, security update)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/libX11/Makefile
  branches/2020Q3/x11/libX11/distinfo
  branches/2020Q3/x11-servers/xorg-server/Makefile
  branches/2020Q3/x11-servers/xorg-server/distinfo
Comment 5 commit-hook freebsd_committer 2020-08-01 14:35:09 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:34:36 UTC 2020
New revision: 543914
URL: https://svnweb.freebsd.org/changeset/ports/543914

Log:
  x11/libX11: Update to 1.6.10

  Update x11/libX11 to 1.6.10.
  Changelog:
  https://lists.x.org/archives/xorg-announce/2020-July/003052.html

  PR:		248409
  Submitted by:	VVD

Changes:
  head/x11/libX11/Makefile
  head/x11/libX11/distinfo
Comment 6 Niclas Zeising freebsd_committer 2020-08-01 14:36:13 UTC
To ease in merging to the quarterly branch, I chose to do the update in two steps.  First I updated the port with just the security fixes, and merged that, then I updated to 1.6.10 with your patch.
Thanks for your submission!
Comment 7 commit-hook freebsd_committer 2020-08-17 17:02:35 UTC
A commit references this bug:

Author: zeising
Date: Mon Aug 17 17:01:51 UTC 2020
New revision: 545175
URL: https://svnweb.freebsd.org/changeset/ports/545175

Log:
  MFH: r543914 r544154 r544630 r545155

  With these changes libX11 in 2020Q3 branch should be mostly up to date with
  what's in the default ports tree branch.

  This is needed because the amount of patches fixing various issues started to
  pile up, and it was hard to merge the needed patches one by one.

  x11/libX11: Update to 1.6.10

  Update x11/libX11 to 1.6.10.
  Changelog:
  https://lists.x.org/archives/xorg-announce/2020-July/003052.html

  PR:		248409
  Submitted by:	VVD

  x11/libX11: Fix regression after security fixes

  Add an upstream patch that fixes regressions after the last round of
  security updates, and the update to 1.6.10.
  This regression causes issues with emacs, at least.

  Reported by:	Kevin Oberman

  x11/libX11: Update to 1.6.11

  Update x11/libX11 to 1.6.11.
  This is effectively a noop, since the only change between 1.6.10 and 1.6.11
  has already been included in the port.
  Bump the version anyway to keep things up to date.

  x11/libX11: Fix regression with input methods

  Add an upstream patch to fix regressions with input methods, where input
  method clients can't connect to the input method server. [1]
  While here, add a patch that removes register keywords and fixes compiles
  against libX11 headers with C++17.

  PR:		248549 [1]
  Reported by:	Atsuo Ohki

  Approved by:	ports-secteam (joenum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/libX11/Makefile
  branches/2020Q3/x11/libX11/distinfo