Various XInput extension calls do not check that the lengths and/or indexes sent by the client are within the bounds specified by the caller or the bounds of the memory allocated to hold the request read from the client, so could read or write past the bounds of allocated memory while processing the request. These calls all occur only after a client has successfully authenticated itself.

Affected functions: SProcXChangeDeviceControl(), ProcXChangeDeviceControl(), ProcXChangeFeedbackControl(), ProcXSendExtensionEvent(), SProcXIAllowEvents(), SProcXIChangeCursor(), ProcXIChangeHierarchy(), SProcXIGetClientPointer(), SProcXIGrabDevice(), SProcXIUngrabDevice(), ProcXIUngrabDevice(), SProcXIPassiveGrabDevice(), ProcXIPassiveGrabDevice(), SProcXIPassiveUngrabDevice(), ProcXIPassiveUngrabDevice(), SProcXListDeviceProperties(), SProcXDeleteDeviceProperty(), SProcXIListProperties(), SProcXIDeleteProperty(), SProcXIGetProperty(), SProcXIQueryDevice(), SProcXIQueryPointer(), SProcXISelectEvents(), SProcXISetClientPointer(), SProcXISetFocus(), SProcXIGetFocus(), SProcXIWarpPointer()

Introduced in X11R4 (1989).
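The class of check the description says is missing, as an added example that is not taken from the X.org patch or the X server source: a handler validates the client-declared request length and item count against the bytes actually received before touching the payload, using a division so the count cannot wrap (the integer overflow case mentioned in this report). The `demo_*` names and the header layout are hypothetical, modelled on X11's convention of expressing request length in 4-byte units.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire layout modelled on X11 framing: `length` is the whole
 * request in 4-byte units, header included. Not the X server's structures. */
typedef struct {
    uint8_t  major, minor;
    uint16_t length;     /* client-declared request size, 4-byte units */
    uint32_t num_items;  /* client-declared count of 4-byte items */
} demo_req_hdr;

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1 };

/* Accept only if header + declared items fit in the declared length, and the
 * declared length fits in the bytes actually read from the client. */
int demo_check_request(const uint8_t *buf, size_t received, demo_req_hdr *h)
{
    if (received < sizeof *h)
        return REQ_BAD_LENGTH;
    memcpy(h, buf, sizeof *h);
    size_t declared = (size_t)h->length * 4;
    if (declared < sizeof *h || declared > received)
        return REQ_BAD_LENGTH;
    /* Divide rather than multiply, so num_items * 4 can never wrap. */
    if (h->num_items > (declared - sizeof *h) / 4)
        return REQ_BAD_LENGTH;
    return REQ_OK;
}

/* Handler: reads the items only after the check has passed. */
int demo_sum_items(const uint8_t *buf, size_t received, uint32_t *sum)
{
    demo_req_hdr h;
    if (demo_check_request(buf, received, &h) != REQ_OK)
        return REQ_BAD_LENGTH;
    *sum = 0;
    for (uint32_t i = 0; i < h.num_items; i++) {
        uint32_t v;
        memcpy(&v, buf + sizeof h + (size_t)i * 4, sizeof v);
        *sum += v;
    }
    return REQ_OK;
}

/* Constructed sample request: writes a header with the given fields. */
void demo_build(uint8_t *buf, uint16_t length, uint32_t num_items)
{
    demo_req_hdr h = { 1, 2, length, num_items };
    memcpy(buf, &h, sizeof h);
}
```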
Created attachment 962133
0008-Xi_unvalidated_lengths_in_Xinput_extension_CVE-2014-8095.patch
An authenticated client can cause an integer overflow on the server, which later results in an OOB read and a consequent crash.
External References: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html