Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 13 Apr 2021 16:04:32 +0200
From: Matthieu Herrb <>
Subject: X.Org server security advisory: April 13, 2021

X.Org server security advisory: April 13, 2021

Input validation failures in X server XInput extension

Insufficient checks on the lengths of the XInput extension
ChangeFeedbackControl request can lead to out of bounds memory
accesses in the X server.

These issues can lead to privilege escalation for authorized clients
on systems where the X server is running privileged.

* CVE-2021-3472 / ZDI CAN 12549 XChangeFeedbackControl Integer Underflow


A patch for this issue has been committed to the xorg server git
repository. xorg-server 1.20.11 and xwayland 21.1.1 will be released
shortly and will include this patch.

commit 7aaf54a1884f71dc363f0b884e57bcb67407a6cd

Fix XChangeFeedbackControl() request underflow

CVE-2021-3472 / ZDI-CAN-1259


These vulnerabilities have been discovered by Jan-Niklas Sohn working
with Trend Micro Zero Day Initiative.

Matthieu Herrb

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.