Bug 1961822 (CVE-2021-31535) - CVE-2021-31535 libX11: missing request length checks
Summary: CVE-2021-31535 libX11: missing request length checks
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31535
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1962558 1962559 1961823 1962438 1962439 1962440 1962552 1962553 1962554 1962555 1962556 1962557 1962560 1962561 1970762 2048283
Blocks: 1961824
TreeView+ depends on / blocked
 
Reported: 2021-05-18 19:14 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-11-08 12:13 UTC (History)
22 users (show)

Fixed In Version: libX11 1.7.1
Doc Type: If docs needed, set a value
Doc Text:
A missing validation flaw was found in libX11. This flaw allows an attacker to inject X11 protocol commands on X clients, and in some cases, also bypass, authenticate (via injection of control characters), or potentially execute arbitrary code with permissions of the application compiled with libX11. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-08-30 11:57:23 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3309 0 None None None 2021-08-30 12:25:42 UTC
Red Hat Product Errata RHBA-2021:3310 0 None None None 2021-08-30 13:03:51 UTC
Red Hat Product Errata RHBA-2021:3311 0 None None None 2021-08-30 13:09:24 UTC
Red Hat Product Errata RHBA-2021:3313 0 None None None 2021-08-30 13:30:18 UTC
Red Hat Product Errata RHBA-2021:3389 0 None None None 2021-08-31 12:38:49 UTC
Red Hat Product Errata RHBA-2021:3390 0 None None None 2021-08-31 12:39:19 UTC
Red Hat Product Errata RHBA-2021:3391 0 None None None 2021-08-31 12:40:03 UTC
Red Hat Product Errata RHBA-2021:3406 0 None None None 2021-09-01 14:58:15 UTC
Red Hat Product Errata RHBA-2021:3409 0 None None None 2021-09-01 23:46:49 UTC
Red Hat Product Errata RHBA-2021:3410 0 None None None 2021-09-02 09:40:46 UTC
Red Hat Product Errata RHBA-2021:3412 0 None None None 2021-09-02 15:10:21 UTC
Red Hat Product Errata RHBA-2021:3480 0 None None None 2021-09-09 12:51:57 UTC
Red Hat Product Errata RHBA-2021:3551 0 None None None 2021-09-15 15:29:45 UTC
Red Hat Product Errata RHBA-2021:3560 0 None None None 2021-09-20 12:52:49 UTC
Red Hat Product Errata RHBA-2021:3651 0 None None None 2021-09-23 11:07:43 UTC
Red Hat Product Errata RHBA-2021:3693 0 None None None 2021-09-29 13:07:40 UTC
Red Hat Product Errata RHSA-2021:3296 0 None None None 2021-08-30 08:48:35 UTC
Red Hat Product Errata RHSA-2021:3477 0 None None None 2021-09-09 09:22:13 UTC
Red Hat Product Errata RHSA-2021:4326 0 None None None 2021-11-09 18:15:33 UTC

Description Guilherme de Almeida Suckevicz 2021-05-18 19:14:36 UTC 
XLookupColor() and other X libraries function lack proper validation of the length of their string parameters. If those parameters can be controlled by an external application (for instance a color name that can be emitted via a terminal control sequence) it can lead to the emission of extra X protocol requests to the X server.

References:
https://www.openwall.com/lists/oss-security/2021/05/18/2
https://www.openwall.com/lists/oss-security/2021/05/18/3
Comment 1 Guilherme de Almeida Suckevicz 2021-05-18 19:14:56 UTC 
Created libX11 tracking bugs for this issue:

Affects: fedora-all [bug 1961823]
Comment 2 Todd Cullum 2021-05-18 21:59:39 UTC 
Upstream patch: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605
Comment 9 Corentin LABBE 2021-07-20 09:40:07 UTC 
Hello
I have backported myself fixes to libX11-1.6.7-3.el7_9 for this CVE but I would like that fixes be in upstream RHEL7/Centos7.
You can find fixes at https://github.com/montjoie/centos-libX11/commits/c7-backport
Regards
Comment 10 Sami Farin 2021-07-24 07:28:06 UTC 
Fedora 33 still has the vulnerable version 1.6.12.
Comment 11 errata-xmlrpc 2021-08-30 08:48:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3296 https://access.redhat.com/errata/RHSA-2021:3296
Comment 12 Product Security DevOps Team 2021-08-30 11:57:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31535
Comment 13 errata-xmlrpc 2021-09-09 09:22:12 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:3477 https://access.redhat.com/errata/RHSA-2021:3477
Comment 14 errata-xmlrpc 2021-11-09 18:15:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4326 https://access.redhat.com/errata/RHSA-2021:4326
Note You need to log in before you can comment on or make changes to this bug.