Date: Tue, 18 May 2021 16:32:26 +0200
From: Matthieu Herrb <matthieu@...rb.eu>
To: oss-security@...ts.openwall.com
Subject: libX11 security advisory: May 18, 2021

X.Org libX11 security advisory: May 18, 2021

Missing request length checks in libX11
=======================================

CVE-2021-31535

XLookupColor() and other X library functions lack proper validation
of the length of their string parameters. If those parameters can be
controlled by an external application (for instance a color name that
can be emitted via a terminal control sequence) it can lead to the
emission of extra X protocol requests to the X server.

Patch
-----

A patch for XLookupColor() and other potentially vulnerable functions
has been committed to libX11. libX11 1.7.1 will be released shortly
and contains a fix for this issue.

https://gitlab.freedesktop.org/xorg/lib/libx11

commit: 8d2e02ae650f00c4a53deb625211a0527126c605

    Reject string longer than USHRT_MAX before sending them on the wire

XTerm version 367 contains extra validation for the length of color
names passed to XLookupColor() from terminal control sequences. XTerm
version 366 and earlier are vulnerable.

Tests conducted by Roman Fiedler on other terminal emulator
applications have not found other cases of passing unchecked color
names to XLookupColor().

Thanks
======

This vulnerability has been discovered by Roman Fiedler from
Unparalleled IT Services e.U.

--
Matthieu Herrb
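
The length check named in the commit message above, as an added example that is not code from libX11 or from the advisory: a model encoder for the core-protocol LookupColor request, whose name length travels in a 16-bit field. The function names and buffer handling are hypothetical; only the request layout (opcode 92, 12-byte header, name padded to 4 bytes) follows the X11 core protocol.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X_LOOKUP_COLOR 92   /* core protocol opcode for LookupColor */

/* What the 16-bit name-length field holds when the length is stored
 * without a check: only the low 16 bits survive. */
uint16_t declared_len_unchecked(size_t name_len)
{
    return (uint16_t)name_len;
}

/* Encode one LookupColor request into buf (host byte order, as an X
 * client would). Returns bytes written, or -1 if the name is rejected. */
long encode_lookup_color(uint8_t *buf, size_t cap, uint32_t cmap,
                         const char *name, size_t name_len)
{
    if (name_len > USHRT_MAX)   /* reject before anything goes on the wire */
        return -1;
    size_t padded = (name_len + 3) & ~(size_t)3;
    size_t total = 12 + padded;            /* header + padded name */
    if (total > cap)
        return -1;
    uint16_t units = (uint16_t)(total / 4);  /* request length, 4-byte units */
    uint16_t nbytes = (uint16_t)name_len;    /* safe: checked above */
    memset(buf, 0, total);
    buf[0] = X_LOOKUP_COLOR;
    memcpy(buf + 2, &units, 2);
    memcpy(buf + 4, &cmap, 4);
    memcpy(buf + 8, &nbytes, 2);
    memcpy(buf + 12, name, name_len);
    return (long)total;
}

int main(void)
{
    uint8_t buf[64];
    printf("3-byte name -> %ld bytes on the wire\n",
           encode_lookup_color(buf, sizeof buf, 1, "red", 3));
    printf("65539-byte name, unchecked length field = %u\n",
           (unsigned)declared_len_unchecked(65539));
    return 0;
}
```

Without the first check, the header would declare far fewer name bytes than the caller supplied, so the server's view of where the request ends no longer matches what the client wrote.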