====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN648
_____________________________________________________________________

DATE                : 02/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running X.Org server versions prior to
                                      1.20.10.

=====================================================================
https://lists.x.org/archives/xorg-announce/2020-December/003066.html
_____________________________________________________________________

Multiple input validation failures in X server XKB extension
============================================================

These issues can lead to privileges elevations for authorized clients
on systems where the X server is running privileged.

* CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access

Insufficient checks on the lengths of the XkbSetMap request can lead to
out of bounds memory accesses in the X server.

* CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow

Insufficient checks on input of the XkbSetDeviceInfo request can lead
to a buffer overflow on the head in the X server.

Patches
-------

Patches for these issues have been committed to the xorg server git
repository. xorg-server 1.20.10 will be released shortly and will
include these patches.


https://gitlab.freedesktop.org/xorg/xserver.git

commit 446ff2d3177087b8173fa779fa5b77a2a128988b

    Check SetMap request length carefully.

    Avoid out of bounds memory accesses on too short request.

    ZDI-CAN 11572 /  CVE-2020-14360


commit 87c64fc5b0db9f62f4e361444f4b60501ebf67b9

    Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows

    ZDI-CAN 11389 / CVE-2020-25712


Thanks
======

These vulnerabilities have been discovered by Jan-Niklas Sohn working
with Trend Micro Zero Day Initiative.


-- 
Matthieu Herrb

_______________________________________________________________________

Alex Goins (1):
      glamor: Update pixmap's devKind when making it exportable

Arthur Williams (1):
      include: Increase the number of max. input devices to 256.

Bernhard Übelacker (1):
      os: Fix instruction pointer written in xorg_backtrace

Greg V (1):
      xwayland: use drmGetNodeTypeFromFd for checking if a node is a
render one

Kishore Kadiyala (1):
      modesetting: keep going if a modeset fails on EnterVT

Martin Peres (1):
      modesetting: check the kms state on EnterVT

Matt Turner (1):
      xserver 1.20.10

Matthieu Herrb (2):
      Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows
      Check SetMap request length carefully.

Michel Dänzer (10):
      glamor: Fix glamor_poly_fill_rect_gl xRectangle::width/height handling
      xfree86: Take second reference for SavedCursor in xf86CursorSetCursor
      present/wnmd: Can't use page flipping for windows clipped by children
      xwayland: Check window pixmap in xwl_present_check_flip2
      present/wnmd: Remove dead check from present_wnmd_check_flip
      present: Move flip target_msc adjustment out of present_vblank_create
      present: Add present_vblank::exec_msc field
      present/wnmd: Move up present_wnmd_queue_vblank
      present/wnmd: Execute copies at target_msc-1 already
      present/wnmd: Translate update region to screen space

Olivier Fourdan (8):
      Revert "linux: Fix platform device probe for DT-based PCI"
      Revert "linux: Fix platform device PCI detection for complex bus
topologies"
      Revert "linux: Make platform device probe less fragile"
      xwayland: Do not discard frame callbacks on allow commits
      xwayland: Remove pending stream reference when freeing
      xwayland: non-rootless requires the wl_shell protocol
      xwayland: Create an xwl_window for toplevel only
      configure: Build hashtable for Xres and glvnd

git tag: xorg-server-1.20.10

https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-1.20.10.tar.bz2
SHA256: 977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99
 xorg-server-1.20.10.tar.bz2
SHA512:
a07bee380bb72f2117fe6f831a6e4aded19bea1f2b36e42a019a30348e98d6fe65c0617cf819be9c6b405502f88cafb829df30aab32393774b71f1418a4cefae
 xorg-server-1.20.10.tar.bz2
PGP:
https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-1.20.10.tar.bz2.sig

https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-1.20.10.tar.gz
SHA256: 02f2198608b6191b7f8c65158bd4613734ec1c5c3d6784c5177f41b5cd2d30a3
 xorg-server-1.20.10.tar.gz
SHA512:
76fc1c6d45494800500aac4d4a584790750db31d96c79cff60a76d78f7375ffd845412879f77510b283685e6918cef6e48fb466b7c549a962c12e154dd848413
 xorg-server-1.20.10.tar.gz
PGP:
https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-1.20.10.tar.gz.sig


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================