Matthieu Herrb
2021-05-18 14:04:06 UTC
X.Org libX11 security advisory: May 18, 2021

Missing request length checks in libX11
=======================================

CVE-2021-31535

XLookupColor() and other X library functions lack proper validation
of the length of their string parameters. If those parameters can be
controlled by an external application (for instance a color name that
can be emitted via a terminal control sequence), it can lead to the
emission of extra X protocol requests to the X server.

Patch
-----

A patch for XLookupColor() and other potentially vulnerable functions
has been committed to libX11. libX11 1.7.1 will be released shortly
and contains a fix for this issue.

https://gitlab.freedesktop.org/xorg/lib/libx11

commit: 8d2e02ae650f00c4a53deb625211a0527126c605

    Reject string longer than USHRT_MAX before sending them on the wire

XTerm version 367 contains extra validation for the length of color
names passed to XLookupColor() from terminal control sequences. XTerm
version 366 and earlier are vulnerable.

Tests conducted by Roman Fiedler on other terminal emulator
applications have not found other cases of passing un-checked color
names to XLookupColor().
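
The length check named in the commit title, shown on a simplified model. This is an added example, not libX11 or XTerm code: struct wire_req, encode_unchecked(), encode_checked() and demo() are hypothetical names, and the 16-bit length field is an assumption drawn from the USHRT_MAX limit.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical request model: the string length travels in 16 bits. */
struct wire_req {
    uint16_t name_len;   /* length the receiver will trust */
    size_t   bytes_sent; /* bytes the sender actually appended */
};

/* "Before": size_t is narrowed to 16 bits with no check. */
static int encode_unchecked(struct wire_req *r, const char *name)
{
    size_t n = strlen(name);
    r->name_len = (uint16_t)n;   /* wraps modulo 65536 */
    r->bytes_sent = n;
    return 0;
}

/* "After": over-long strings are rejected before anything is sent. */
static int encode_checked(struct wire_req *r, const char *name)
{
    size_t n = strlen(name);
    if (n > USHRT_MAX) return -1;
    r->name_len = (uint16_t)n;
    r->bytes_sent = n;
    return 0;
}

/* Bytes sent beyond the declared length for a constructed name of n 'a's; -1 if rejected. */
static long demo(size_t n, int checked)
{
    struct wire_req r = {0, 0};
    char *name = calloc(n + 1, 1);   /* constructed sample input */
    int rc;
    if (name == NULL) return -2;
    memset(name, 'a', n);
    rc = checked ? encode_checked(&r, name) : encode_unchecked(&r, name);
    free(name);
    return rc == 0 ? (long)(r.bytes_sent - r.name_len) : -1;
}

int main(void)
{
    printf("unchecked, 65545 bytes: %ld\n", demo(65545, 0));
    printf("checked,   65545 bytes: %ld\n", demo(65545, 1));
    return 0;
}
```

A non-zero result from the unchecked encoder is the condition the advisory describes: the receiver is handed bytes that the declared string length does not account for.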

Thanks
======

This vulnerability has been discovered by Roman Fiedler from
Unparalleled IT Services e.U.

--
Matthieu Herrb