Bug 248410 - x11-servers/xorg-server: fix CVE-2020-14347 (release 1.20.9 soon)
Summary: x11-servers/xorg-server: fix CVE-2020-14347 (release 1.20.9 soon)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: freebsd-x11 (Nobody)
URL: https://lists.x.org/archives/xorg-ann...
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2020-08-01 11:39 UTC by VVD
Modified: 2020-08-01 14:27 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (x11)
koobs: merge-quarterly?


Attachments
fix CVE-2020-14347 (967 bytes, patch)
2020-08-01 11:39 UTC, VVD
vvd: maintainer-approval?
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description VVD 2020-08-01 11:39:26 UTC
Created attachment 216935 [details]
fix CVE-2020-14347

X.Org security advisory: July 31, 2020

X Server Pixel Data Uninitialized Memory Information Disclosure 
===============================================================

CVE-2020-14347

Allocation for pixmap data in AllocatePixmap() does not initialize the
memory in xserver, it leads to leak uninitialize heap memory to
clients. When the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to lead to privilege elevation in the
client.

Patch
=====

A patch for this issue has been commited to the xorg server git
repository.  xorg-server 1.20.9 will be released shortly and will
include this patch.

https://gitlab.freedesktop.org/xorg/xserver.git

diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
         return NullPixmap;
 
-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
     if (!pPixmap)
         return NullPixmap;
    
Thanks
======

This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.


Patch tested on 12.1 amd64: make check-plist/install.
I didn't restart xorg-server after this upgrade.
Comment 1 commit-hook freebsd_committer 2020-08-01 14:17:59 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:17:09 UTC 2020
New revision: 543911
URL: https://svnweb.freebsd.org/changeset/ports/543911

Log:
  x11-servers/xorg-server: Fix CVE-2020-14347

  Add upstream patch to fix CVE-2020-14347, Pixel Data Uninitialized Memory
  Information Disclosure.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003051.html

  PR:		248410 (based on)
  Submitted by:	VVD
  MFH:		2020Q3 (implicit, security update)
  Security:	3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0

Changes:
  head/x11-servers/xorg-server/Makefile
  head/x11-servers/xorg-server/distinfo
Comment 2 commit-hook freebsd_committer 2020-08-01 14:25:04 UTC
A commit references this bug:

Author: zeising
Date: Sat Aug  1 14:24:02 UTC 2020
New revision: 543913
URL: https://svnweb.freebsd.org/changeset/ports/543913

Log:
  MFH: r543911 r543912

  x11-servers/xorg-server: Fix CVE-2020-14347

  Add upstream patch to fix CVE-2020-14347, Pixel Data Uninitialized Memory
  Information Disclosure.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003051.html

  PR:		248410 (based on)
  Submitted by:	VVD
  Security:	3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0

  x11/libX11: Fix CVE-2020-14347

  Add upstream patches to x11/libX11 to fix Heap corruption in the X input
  method client in libX11.
  Announcement:
  https://lists.x.org/archives/xorg-announce/2020-July/003050.html

  PR:		248409 (based on)
  Submitted by:	VVD
  Security:	6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

  Approved by:	ports-secteam (implicit, security update)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/libX11/Makefile
  branches/2020Q3/x11/libX11/distinfo
  branches/2020Q3/x11-servers/xorg-server/Makefile
  branches/2020Q3/x11-servers/xorg-server/distinfo
Comment 3 Niclas Zeising freebsd_committer 2020-08-01 14:27:44 UTC
Committed and merged to quarterly branch.
Thank you!