Bug 1862255 (CVE-2020-14344)

Summary: CVE-2020-14344 libX11: Heap overflow in the X input method client
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ajax, caillon+fedoraproject, jglisse, john.j5live, peter.hutterer, rhughes, rstrode, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libX11 1.6.10 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libX11. An integer overflow leading to a heap-buffer overflow occurs when setuid programs call XIM client functions while running with elevated privileges. The highest threat from this vulnerability are to data confidentiality and integrity as well as system vulnerability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 14:35:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1862313, 1862314, 1862519    
Bug Blocks: 1862265    

Description Pedro Sampaio 2020-07-30 20:06:48 UTC 
The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.
Comment 1 Adam Jackson 2020-07-30 20:42:35 UTC 
This bug is in libX11, not xorg-x11-server.
Comment 3 Huzaifa S. Sidhpurwala 2020-07-31 03:02:45 UTC 
Acknowledgments:

Name: X.org project
Upstream: Todd Carson
Comment 5 msiddiqu 2020-07-31 15:34:36 UTC 
Public via:

https://www.openwall.com/lists/oss-security/2020/07/31/1
Comment 6 msiddiqu 2020-07-31 15:35:07 UTC 
Created libX11 tracking bugs for this issue:

Affects: fedora-all [bug 1862519]


Created xorg-x11-server tracking bugs for this issue:

Affects: fedora-all [bug 1862518]
Comment 7 Huzaifa S. Sidhpurwala 2020-08-01 05:28:41 UTC 
External References:

https://lists.x.org/archives/xorg-announce/2020-July/003050.html
Comment 8 Huzaifa S. Sidhpurwala 2020-08-03 07:17:04 UTC 
Upstream patches:

https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/0e6561efcfaa0ae7b5c74eac7e064b76d687544e

Note: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488 introduces a regression which has been fixed via: https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/40
Comment 10 Product Security DevOps Team 2021-05-18 14:35:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14344
Comment 11 errata-xmlrpc 2021-05-18 15:11:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1804 https://access.redhat.com/errata/RHSA-2021:1804