X.Org Security Advisory: July 12, 2022
Multiple input validation failures in X server extensions
========================================================

All these issues can lead to local privilege elevation on systems where the
X server is running privileged, and to remote code execution for ssh X
forwarding sessions.

* CVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds Access

  The handler for the ProcXkbSetGeometry request of the Xkb extension does
  not properly validate the request length, leading to an out-of-bounds
  memory write.

* CVE-2022-2320/ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds Access

  The handler for the ProcXkbSetDeviceInfo request of the Xkb extension does
  not properly validate the request length, leading to an out-of-bounds
  memory write.

Patches
-------

Patches for these issues have been committed to the xorg-server git
repository. xorg-server 21.1.4 will be released shortly and will include
these patches.

commit 6907b6ea2b4ce949cb07271f5b678d5966d9df42
xkb: add request length validation for XkbSetGeometry

No validation of the various fields on that report was done, so a
malicious client could send a short request that claims it had N
sections, or rows, or keys, and the server would process the request for
N sections, running out of bounds of the actual request data.

Fix this by adding size checks to ensure our data is valid.

Fixes ZDI-CAN 16062, CVE-2022-2319.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

commit dd8caf39e9e15d8f302e54045dd08d8ebf1025dc
xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck

XKB often uses a FooCheck and Foo function pair, the former is supposed
to check all values in the request and error out on BadLength, BadValue,
etc. The latter is then called once we're confident the values are good
(they may still fail on an individual device, but that's a different
topic).

In the case of XkbSetDeviceInfo, those functions were incorrectly named,
with XkbSetDeviceInfo ending up as the checker function and
XkbSetDeviceInfoCheck as the setter function. As a result, the setter
function was called before the checker function, accessing request data
and modifying device state before we ensured that the data is valid.

In particular, the setter function relied on values being already
byte-swapped. This in turn could lead to potential OOB memory access.

Fix this by correctly naming the functions and moving the length checks
over to the checker function. These were added in 87c64fc5b0 to the
wrong function, probably due to the incorrect naming.

Fixes ZDI-CAN 16070, CVE-2022-2320.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132

Backporting of the security fixes also needs this commit:
f1070c01d616c5f21f939d5ebc533738779451ac.

Thanks
======

The vulnerabilities have been discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative and fixed by Peter Hutterer.

--
Povilas Kanapickas
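The length-validation pattern both commit messages describe, the FooCheck/Foo split in which the checker walks every claimed count against the bytes actually received before the setter touches any data, as an added illustration in C that is not the X server's code: the request layout, ROW_SIZE and the function names xkb_geometry_check/xkb_geometry_set are simplified, constructed stand-ins for the real XkbSetGeometry wire format.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified request layout (not the X server's wire format):
 * byte 0 claims nSections; each section is one byte claiming nRows followed
 * by nRows rows of ROW_SIZE bytes. Counts are single bytes so sample
 * requests can be written as plain byte arrays. */
#define ROW_SIZE 4

/* The "Check" half of the XKB FooCheck/Foo pair: walk the claimed layout and
 * confirm every count byte and every claimed row lies inside the `len` bytes
 * actually received. Returns 0 if valid, -1 (BadLength in X server terms)
 * if the request is shorter than what its counts imply. Only reads bytes
 * already proven to be in bounds. */
int xkb_geometry_check(const uint8_t *req, size_t len)
{
    size_t off = 0;
    if (len < 1)
        return -1;
    uint8_t nSections = req[off++];
    for (unsigned s = 0; s < nSections; s++) {
        if (len - off < 1)                   /* nRows byte must fit */
            return -1;
        size_t rows_bytes = (size_t)req[off++] * ROW_SIZE;
        if (len - off < rows_bytes)          /* every claimed row must fit */
            return -1;
        off += rows_bytes;
    }
    return 0;
}

/* The "Set" half: runs only after the check passed, so it may trust the
 * counts. It totals the rows across all sections as a stand-in for applying
 * the geometry. Returns -1 if handed a request that fails the check. */
long xkb_geometry_set(const uint8_t *req, size_t len)
{
    if (xkb_geometry_check(req, len) != 0)
        return -1;
    size_t off = 0;
    long rows = 0;
    uint8_t nSections = req[off++];
    for (unsigned s = 0; s < nSections; s++) {
        uint8_t nRows = req[off++];
        rows += nRows;
        off += (size_t)nRows * ROW_SIZE;
    }
    return rows;
}
```

The check never advances `off` past `len`, so the subtraction `len - off` cannot wrap; a request that claims N sections but carries fewer bytes is rejected before any section is processed.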