<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<atom:link href="http://dev1galaxy.org/extern.php?action=feed&amp;tid=5125&amp;type=rss" rel="self" type="application/rss+xml" />
		<title><![CDATA[Dev1 Galaxy Forum / X.Org Security Advisory: July 12, 2022]]></title>
		<link>http://dev1galaxy.org/viewtopic.php?id=5125</link>
		<description><![CDATA[The most recent posts in X.Org Security Advisory: July 12, 2022.]]></description>
		<lastBuildDate>Wed, 13 Jul 2022 14:35:25 +0000</lastBuildDate>
		<generator>FluxBB</generator>
		<item>
			<title><![CDATA[X.Org Security Advisory: July 12, 2022]]></title>
			<link>http://dev1galaxy.org/viewtopic.php?pid=36615#p36615</link>
			<description><![CDATA[<p>Hello:</p><p>Good to know someone took over at X.Org.<br />Kudos to Kanapickas!&#160; 8^)</p><p>Just received this in my mbox:</p><p>---</p><p>X.Org Security Advisory: July 12, 2022</p><p>Multiple input validation failures in X server extensions<br />=========================================================</p><p>All these issues can lead to local privilege elevation on systems<br />where the X server is running privileged and remote code execution for<br />ssh X forwarding sessions.</p><p>* CVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds<br />Access</p><p>The handler for the ProcXkbSetGeometry request of the Xkb extension does<br />not properly validate the request length leading to out of bounds memory<br />write.</p><p>* CVE-2022-2320/ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds<br />Access</p><p>The handler for the ProcXkbSetDeviceInfo request of the Xkb extension<br />does not properly validate the request length leading to out of bounds<br />memory write.</p><p>Patches<br />-------</p><p>Patches for these issues have been committed to the xorg server git<br />repository. 
xorg-server 21.1.4 will be released shortly and will<br />include these patches.</p><p>commit 6907b6ea2b4ce949cb07271f5b678d5966d9df42</p><p>&#160; &#160; &#160;xkb: add request length validation for XkbSetGeometry<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;No validation of the various fields on that report were done, so a<br />&#160; &#160; &#160;malicious client could send a short request that claims it had N<br />&#160; &#160; &#160;sections, or rows, or keys, and the server would process the request<br />&#160; &#160; &#160;for N sections, running out of bounds of the actual request data.<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;Fix this by adding size checks to ensure our data is valid.<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;Fixes ZDI-CAN 16062, CVE-2022-2319.<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;This vulnerability was discovered by:<br />&#160; &#160; &#160;Jan-Niklas Sohn working with Trend Micro Zero Day Initiative</p><p>commit dd8caf39e9e15d8f302e54045dd08d8ebf1025dc</p><p>&#160; &#160; &#160;xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;XKB often uses a FooCheck and Foo function pair, the former is<br />&#160; &#160; &#160;supposed to check all values in the request and error out on<br />&#160; &#160; &#160;BadLength, BadValue, etc. The latter is then called once we&#039;re<br />&#160; &#160; &#160;confident the values are good (they may still fail on an individual<br />&#160; &#160; &#160;device, but that&#039;s a different topic).<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;In the case of XkbSetDeviceInfo, those functions were incorrectly<br />&#160; &#160; &#160;named, with XkbSetDeviceInfo ending up as the checker function and<br />&#160; &#160; &#160;XkbSetDeviceInfoCheck as the setter function. 
As a result, the setter<br />&#160; &#160; &#160;function was called before the checker function, accessing request<br />&#160; &#160; &#160;data and modifying device state before we ensured that the data is<br />&#160; &#160; &#160;valid.<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;In particular, the setter function relied on values being already<br />&#160; &#160; &#160;byte-swapped. This in turn could lead to potential OOB memory access.<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;Fix this by correctly naming the functions and moving the length checks<br />&#160; &#160; &#160;over to the checker function. These were added in 87c64fc5b0 to the<br />&#160; &#160; &#160;wrong function, probably due to the incorrect naming.<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;Fixes ZDI-CAN 16070, CVE-2022-2320.<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;This vulnerability was discovered by:<br />&#160; &#160; &#160;Jan-Niklas Sohn working with Trend Micro Zero Day Initiative<br />&#160; &#160; &#160;<br />&#160; &#160; &#160;Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132</p><p>Backporting of the security fixes also needs this commit:<br />f1070c01d616c5f21f939d5ebc533738779451ac.</p><p>Thanks<br />======</p><p>The vulnerabilities have been discovered by Jan-Niklas Sohn working with<br />Trend Micro Zero Day Initiative and fixed by Peter Hutterer.</p><p>--<br />Povilas Kanapickas</p><p>-----</p><p>Best,</p><p>O.</p>]]></description>
			<author><![CDATA[dummy@example.com (Altoid)]]></author>
			<pubDate>Wed, 13 Jul 2022 14:35:25 +0000</pubDate>
			<guid>http://dev1galaxy.org/viewtopic.php?pid=36615#p36615</guid>
		</item>
	</channel>
</rss>
