Multiple input validation failures in X server extensions
All theses issues can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.
- CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds access
The handler for the CompositeGlyphs request of the Render extension does not properly validate the request length leading to out of bounds memory write.
- CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier out-of-bounds access
The handler for the CreatePointerBarrier request of the XFixes extension does not properly validate the request length leading to out of bounds memory write.
- CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access
The handler for the Suspend request of the Screen Saver extension does not properly validate the request length leading to out of bounds memory write.
- CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access
The handlers for the RecordCreateContext and RecordRegisterClients requests of the Record extension do not properly validate the request length leading to out of bounds memory write.
Thanks
This vulnerability was discovered by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.