Skip to content

Multiple input validation failures in X server extensions

All theses issues can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.

  • CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds access

The handler for the CompositeGlyphs request of the Render extension does not properly validate the request length leading to out of bounds memory write.

  • CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier out-of-bounds access

The handler for the CreatePointerBarrier request of the XFixes extension does not properly validate the request length leading to out of bounds memory write.

  • CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access

The handler for the Suspend request of the Screen Saver extension does not properly validate the request length leading to out of bounds memory write.

  • CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access

The handlers for the RecordCreateContext and RecordRegisterClients requests of the Record extension do not properly validate the request length leading to out of bounds memory write.

Thanks

This vulnerability was discovered by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.

Merge request reports