Bug 248409 - x11/libX11: update to 1.6.10 - fixed CVE-2020-14344
Summary: x11/libX11: update to 1.6.10 - fixed CVE-2020-14344
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-x11 (Nobody)
URL: https://lists.x.org/archives/xorg-ann...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-01 11:23 UTC by VVD
Modified: 2020-08-01 14:36 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (x11)
vvd: maintainer-feedback?


Attachments
update to 1.6.10 - fixed CVE-2020-14344 (809 bytes, patch)
2020-08-01 11:23 UTC, VVD
vvd: maintainer-approval?
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description VVD 2020-08-01 11:23:28 UTC
Created attachment 216934 [details]
update to 1.6.10 - fixed CVE-2020-14344

X.Org security advisory: July 31, 2020

Heap corruption in the X input method client in libX11
======================================================

CVE-2020-14344

The X Input Method (XIM) client implementation in libX11 has some
integer overflows and signed/unsigned comparison issues that can lead
to heap corruption when handling malformed messages from an input
method.

Patches
=======

Patches for these issues have been commited to the libX11 git repository.
libX11 1.6.10 will be released shortly and will include those patches.

https://gitlab.freedesktop.org/xorg/lib/libx11

commit 1703b9f3435079d3c6021e1ee2ec34fd4978103d (HEAD -> master)

    Change the data_len parameter of _XimAttributeToValue() to CARD16
    
    It's coming from a length in the protocol (unsigned) and passed
    to functions that expect unsigned int parameters (_XCopyToArg()
    and memcpy()).
    
commit 1a566c9e00e5f35c1f9e7f3d741a02e5170852b2

    Zero out buffers in functions
    
    It looks like uninitialized stack or heap memory can leak
    out via padding bytes.
    

commit 2fcfcc49f3b1be854bb9085993a01d17c62acf60

    Fix more unchecked lengths
    
commit 388b303c62aa35a245f1704211a023440ad2c488

    fix integer overflows in _XimAttributeToValue()
    

commit 0e6561efcfaa0ae7b5c74eac7e064b76d687544e

    Fix signed length values in _XimGetAttributeID()
    
    The lengths are unsigned according to the specification. Passing
    negative values can lead to data corruption.
    
Thanks
======

X.Org thanks Todd Carson for reporting these issues to our security
team and assisting them in understanding them and providing fixes.
Comment 1 VVD 2020-08-01 11:25:37 UTC
Patch tested on amd64: make check-plist/install, run GUI application.
Comment 2 VVD 2020-08-01 11:28:00 UTC
[ANNOUNCE] libX11 1.6.10
Matthieu Herrb Fri, 31 Jul 2020 06:59:13 -0700

https://www.mail-archive.com/xorg-announce@lists.x.org/msg01261.html
Comment 3 commit-hook freebsd_committer 2020-08-01 14:22:02 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:21:22 UTC 2020
New revision: 543912
URL: https://svnweb.freebsd.org/changeset/ports/543912

Log:
  x11/libX11: Fix CVE-2020-14347

  Add upstream patches to x11/libX11 to fix Heap corruption in the X input
  method client in libX11.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003050.html

  PR:		248409 (based on)
  Submitted by:	VVD
  MFH:		2020Q3 (implicit, security update)
  Security:	6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

Changes:
  head/x11/libX11/Makefile
  head/x11/libX11/distinfo
Comment 4 commit-hook freebsd_committer 2020-08-01 14:25:05 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:24:03 UTC 2020
New revision: 543913
URL: https://svnweb.freebsd.org/changeset/ports/543913

Log:
  MFH: r543911 r543912

  x11-servers/xorg-server: Fix CVE-2020-14347

  Add upstream patch to fix CVE-2020-14347, Pixel Data Uninitialized Memory
  Information Disclosure.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003051.html

  PR:		248410 (based on)
  Submitted by:	VVD
  Security:	3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0

  x11/libX11: Fix CVE-2020-14347

  Add upstream patches to x11/libX11 to fix Heap corruption in the X input
  method client in libX11.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003050.html

  PR:		248409 (based on)
  Submitted by:	VVD
  Security:	6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

  Approved by:	ports-secteam (implicit, security update)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/libX11/Makefile
  branches/2020Q3/x11/libX11/distinfo
  branches/2020Q3/x11-servers/xorg-server/Makefile
  branches/2020Q3/x11-servers/xorg-server/distinfo
Comment 5 commit-hook freebsd_committer 2020-08-01 14:35:09 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:34:36 UTC 2020
New revision: 543914
URL: https://svnweb.freebsd.org/changeset/ports/543914

Log:
  x11/libX11: Update to 1.6.10

  Update x11/libX11 to 1.6.10.
  Changelog:
  https://lists.x.org/archives/xorg-announce/2020-July/003052.html

  PR:		248409
  Submitted by:	VVD

Changes:
  head/x11/libX11/Makefile
  head/x11/libX11/distinfo
Comment 6 Niclas Zeising freebsd_committer 2020-08-01 14:36:13 UTC
To ease in merging to the quarterly branch, I chose to do the update in two steps.  First I updated the port with just the security fixes, and merged that, then I updated to 1.6.10 with your patch.
Thanks for your submission!