oss-sec mailing list archives

Fwd: X.Org Security Advisory: July 12, 2022


From: Povilas Kanapickas <povilas () radix lt>
Date: Tue, 12 Jul 2022 15:58:15 +0300

-------- Forwarded Message --------
Subject: X.Org Security Advisory: July 12, 2022
Date: Tue, 12 Jul 2022 15:55:05 +0300
From: Povilas Kanapickas <povilas () radix lt>
To: xorg-announce () lists x org
CC: xorg-devel () lists x org <xorg-devel () lists x org>, xorg () lists x org

X.Org Security Advisory: July 12, 2022

Multiple input validation failures in X server extensions
=========================================================

All of these issues can lead to local privilege elevation on systems
where the X server is running privileged, and to remote code execution
for ssh X forwarding sessions.

* CVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds
Access

The handler for the ProcXkbSetGeometry request of the Xkb extension does
not properly validate the request length leading to out of bounds memory
write.

* CVE-2022-2320/ZDI-CAN-16070: X.Org Server ProcXkbSetDeviceInfo Out-Of-Bounds
Access

The handler for the ProcXkbSetDeviceInfo request of the Xkb extension
does not properly validate the request length leading to out of bounds
memory write.

Patches
-------

Patches for these issues have been committed to the xorg server git
repository. xorg-server 21.1.4 will be released shortly and will
include these patches.

commit 6907b6ea2b4ce949cb07271f5b678d5966d9df42

    xkb: add request length validation for XkbSetGeometry

    No validation of the various fields on that report were done, so a
    malicious client could send a short request that claims it had N
    sections, or rows, or keys, and the server would process the request
    for N sections, running out of bounds of the actual request data.

    Fix this by adding size checks to ensure our data is valid.

    Fixes ZDI-CAN 16062, CVE-2022-2319.

    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative


commit dd8caf39e9e15d8f302e54045dd08d8ebf1025dc

    xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck

    XKB often uses a FooCheck and Foo function pair, the former is
    supposed to check all values in the request and error out on
    BadLength, BadValue, etc. The latter is then called once we're
    confident the values are good (they may still fail on an individual
    device, but that's a different topic).

    In the case of XkbSetDeviceInfo, those functions were incorrectly
    named, with XkbSetDeviceInfo ending up as the checker function and
    XkbSetDeviceInfoCheck as the setter function. As a result, the setter
    function was called before the checker function, accessing request
    data and modifying device state before we ensured that the data is
    valid.

    In particular, the setter function relied on values being already
    byte-swapped. This in turn could lead to potential OOB memory access.

    Fix this by correctly naming the functions and moving the length checks
    over to the checker function. These were added in 87c64fc5b0 to the
    wrong function, probably due to the incorrect naming.

    Fixes ZDI-CAN 16070, CVE-2022-2320.

    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

    Introduced in c06e27b2f6fd9f7b9f827623a48876a225264132

Backporting of the security fixes also needs this commit:
f1070c01d616c5f21f939d5ebc533738779451ac.

Thanks
======

The vulnerabilities have been discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative and fixed by Peter Hutterer.

--
Povilas Kanapickas
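
The check-before-set pattern that both commit messages describe, as an added example that is not code from xorg-server or from this advisory: a checker walks every client-supplied count against the bytes actually received and returns BadLength before any state is touched. The wire format, the `demo_*` names and `ROW_SIZE` are assumptions made up for the illustration; they are not the XKB request layout.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical little-endian wire format, constructed for this example:
 *   request : uint16 n_sections, then n_sections sections
 *   section : uint16 n_rows, then n_rows rows of ROW_SIZE bytes each   */
enum { DEMO_OK = 0, DEMO_BAD_LENGTH = 16 };  /* BadLength is X11 error 16 */
#define ROW_SIZE 4u

/* Read a uint16 at *off only if it lies inside the buffer; advance *off. */
static int take_u16(const uint8_t *buf, size_t len, size_t *off, uint16_t *out)
{
    if (len - *off < 2)          /* *off <= len holds on every call */
        return DEMO_BAD_LENGTH;
    *out = (uint16_t)(buf[*off] | (buf[*off + 1] << 8));
    *off += 2;
    return DEMO_OK;
}

/* Checker: walks the whole request and modifies no state. */
int demo_request_check(const uint8_t *buf, size_t len, size_t *total_rows)
{
    size_t off = 0, rows = 0;
    uint16_t n_sections, n_rows;
    if (take_u16(buf, len, &off, &n_sections) != DEMO_OK)
        return DEMO_BAD_LENGTH;
    for (uint16_t s = 0; s < n_sections; s++) {
        if (take_u16(buf, len, &off, &n_rows) != DEMO_OK)
            return DEMO_BAD_LENGTH;
        /* Divide the remaining bytes instead of multiplying the count,
         * so a huge claimed n_rows cannot overflow the comparison. */
        if (n_rows > (len - off) / ROW_SIZE)
            return DEMO_BAD_LENGTH;
        off += (size_t)n_rows * ROW_SIZE;
        rows += n_rows;
    }
    if (off != len)              /* trailing bytes are a length error too */
        return DEMO_BAD_LENGTH;
    *total_rows = rows;
    return DEMO_OK;
}

/* Setter stand-in: reached only after the checker accepted the request. */
int demo_request_handle(const uint8_t *buf, size_t len, size_t *applied)
{
    size_t rows;
    if (demo_request_check(buf, len, &rows) != DEMO_OK)
        return DEMO_BAD_LENGTH;  /* no state modified on failure */
    *applied = rows;             /* a real setter would apply the rows here */
    return DEMO_OK;
}
```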

