Bug 1961822 (CVE-2021-31535)

Summary: CVE-2021-31535 libX11: missing request length checks
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, ajax, arachman, caillon+fedoraproject, caswilli, clabbe.montjoie, dblechte, dfediuck, dhalasz, eedri, epilatow, hkataria, hvtaifwkbgefbaei, jburrell, jglisse, jsamir, jvasik, jwong, kaycoth, kholdawa, kshier, lcouzens, lveyde, mgoldboi, michal.skrivanek, mperina, mskarbek, nobody, peter.hutterer, rblanco, rhughes, rstrode, sandmann, sbonazzo, sherold, sthirugn, tmeszaro, vkrizan, vmugicag, yozone, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libX11 1.7.1 Doc Type: If docs needed, set a value
Doc Text:
A missing validation flaw was found in libX11. This flaw allows an attacker to inject X11 protocol commands on X clients, and in some cases, also bypass, authenticate (via injection of control characters), or potentially execute arbitrary code with permissions of the application compiled with libX11. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-30 11:57:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1962558, 1962559, 1961823, 1962438, 1962439, 1962440, 1962552, 1962553, 1962554, 1962555, 1962556, 1962557, 1962560, 1962561, 1970762, 2048283    
Bug Blocks: 1961824    

Description Guilherme de Almeida Suckevicz 2021-05-18 19:14:36 UTC 
XLookupColor() and other X libraries function lack proper validation of the length of their string parameters. If those parameters can be controlled by an external application (for instance a color name that can be emitted via a terminal control sequence) it can lead to the emission of extra X protocol requests to the X server.

References:
https://www.openwall.com/lists/oss-security/2021/05/18/2
https://www.openwall.com/lists/oss-security/2021/05/18/3
Comment 1 Guilherme de Almeida Suckevicz 2021-05-18 19:14:56 UTC 
Created libX11 tracking bugs for this issue:

Affects: fedora-all [bug 1961823]
Comment 2 Todd Cullum 2021-05-18 21:59:39 UTC 
Upstream patch: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605
Comment 9 Corentin LABBE 2021-07-20 09:40:07 UTC 
Hello
I have backported myself fixes to libX11-1.6.7-3.el7_9 for this CVE but I would like that fixes be in upstream RHEL7/Centos7.
You can find fixes at https://github.com/montjoie/centos-libX11/commits/c7-backport
Regards
Comment 10 Sami Farin 2021-07-24 07:28:06 UTC 
Fedora 33 still has the vulnerable version 1.6.12.
Comment 11 errata-xmlrpc 2021-08-30 08:48:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3296 https://access.redhat.com/errata/RHSA-2021:3296
Comment 12 Product Security DevOps Team 2021-08-30 11:57:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31535
Comment 13 errata-xmlrpc 2021-09-09 09:22:12 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:3477 https://access.redhat.com/errata/RHSA-2021:3477
Comment 14 errata-xmlrpc 2021-11-09 18:15:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4326 https://access.redhat.com/errata/RHSA-2021:4326