Bug 1174633 (CVE-2020-14347)

Summary: VUL-0: CVE-2020-14347: xorg-x11-server: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (ZDI-CAN-11426)
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P2 - High CC: sndirsch, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/264446/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-14347:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 5 Alexandros Toptsoglou 2020-07-29 11:26:55 UTC
Tracked as affected: 

SLE11-SP1,SP3
SLE12-SP2,SP4,SP5
SLE15, SLE15-SP1,SP2
Comment 9 Stefan Dirsch 2020-07-30 14:29:34 UTC
(In reply to Alexandros Toptsoglou from comment #5)
> Tracked as affected: 
> 
> SLE11-SP1,SP3
> SLE12-SP2,SP4,SP5
> SLE15, SLE15-SP1,SP2

https://build.suse.de/request/show/223221

I will take care of factory/TW tomorrow due to CRD.
Comment 16 Alexandros Toptsoglou 2020-07-31 14:13:03 UTC
now public through 
Date: Fri, 31 Jul 2020 15:44:44 +0200
From: Matthieu Herrb <matthieu@herrb.eu>
To: xorg-announce@lists.x.org
Cc: xorg-devel@lists.x.org
Subject: X.Org security advisory: July 31, 2020: Xserver

X.Org security advisory: July 31, 2020

X Server Pixel Data Uninitialized Memory Information Disclosure 
===============================================================

CVE-2020-14347

Allocation for pixmap data in AllocatePixmap() does not initialize the
memory in xserver, it leads to leak uninitialize heap memory to
clients. When the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to lead to privilege elevation in the
client.

Patch
=====

A patch for this issue has been commited to the xorg server git
repository.  xorg-server 1.20.9 will be released shortly and will
include this patch.

https://gitlab.freedesktop.org/xorg/xserver.git

diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
         return NullPixmap;
 
-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
     if (!pPixmap)
         return NullPixmap;
    
Thanks
======

This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.
Comment 17 OBSbugzilla Bot 2020-07-31 20:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1174633) was mentioned in
https://build.opensuse.org/request/show/823797 Factory / xorg-x11-server
Comment 20 Swamp Workflow Management 2020-08-25 22:14:15 UTC
SUSE-SU-2020:2242-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2020-08-25 22:15:18 UTC
SUSE-SU-2020:14463-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635
CVE References: CVE-2020-14345,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.26.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.26.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.26.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2020-08-25 22:16:23 UTC
SUSE-SU-2020:2325-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2020-08-25 22:17:28 UTC
SUSE-SU-2020:2240-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2020-08-25 22:18:43 UTC
SUSE-SU-2020:2326-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1120999,1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2020-08-25 22:19:48 UTC
SUSE-SU-2020:2241-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2020-08-26 13:14:22 UTC
SUSE-SU-2020:2331-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE OpenStack Cloud 7 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Enterprise Storage 5 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Alexandros Toptsoglou 2020-08-27 13:27:01 UTC
Done
Comment 28 Swamp Workflow Management 2020-08-29 13:13:27 UTC
openSUSE-SU-2020:1279-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xorg-x11-server-1.20.3-lp151.4.3.1
Comment 29 Swamp Workflow Management 2020-08-31 04:18:13 UTC
openSUSE-SU-2020:1302-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.3.1