Bug 1174908 (CVE-2020-14360)

Summary: VUL-0: CVE-2020-14360: xorg-x11-server: XkbSetMap Out-Of-Bounds Access Privilege Escalation Vulnerability (ZDI-CAN-11572)
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, sndirsch, tiwai, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/264773/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-14360:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: CVE-2020-14360.patch
patchv2

Comment 7 Stefan Dirsch 2020-08-24 10:03:19 UTC 
Ok. Thanks!
Comment 10 Stefan Dirsch 2020-09-10 11:29:36 UTC 
Any news on this one?
Comment 14 Marcus Meissner 2020-11-13 08:16:48 UTC 
Created attachment 843565 [details]
CVE-2020-14360.patch

Avoid out of bounds memory accesses on too short request.                                                                                                                                    
                                                                                                                                                                                             
ZDI-CAN 11572 /  CVE-2020-14360                                                                                                                                                              
                                                                                                                                                                                             
This vulnerability was discovered by:                                                                                                                                                        
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative                                                                                                                                 
                                                                                                                                                                                             
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Comment 16 Stefan Dirsch 2020-11-18 10:08:54 UTC 
[   61s] xkb.c: In function 'ProcXkbSetMap':
[   61s] xkb.c:2430:27: warning: 'keytype' may be used uninitialized in this function [-Wmaybe-uninitialized]
[   61s]              nSyms = symmap->nSyms;
[   61s]                      ~~~~~~^~~~~~~
[   61s] xkb.c:2389:25: note: 'keytype' was declared here
[   61s]      xkbKeyTypeWireDesc *keytype;

This appears to me to be an issue with the patch. If  

if (req->present & XkbKeyTypesMask) 

does not apply indeed later keytype will remain undefined. Could you verify this, please? If needed with the author. Thanks!
Comment 17 Alexandros Toptsoglou 2020-11-19 10:15:14 UTC 
Created attachment 843719 [details]
patchv2

While the multiplications cannot overflow, I think it is possible to
try to overflow the total length, since there can be up to 65536*65536
nested structures in the 'syms' list.

This is very unlikely to be practically doable, since it means
transmitting almost UINT32_MAX bytes of data.

The following new version of the patch checks at each step that the
total length is not overflowing UINT32_MAX.
Comment 18 Stefan Dirsch 2020-11-19 10:47:13 UTC 
Hmm. Maybe I'm blind and/or stupid, but I don't see my issue addressed with that patch. keytype may still be undefined. Could you double check or try to explain?
Comment 20 Stefan Dirsch 2020-11-19 11:01:59 UTC 
I see. Just double checked with the updated patch for sure. Still the same issue.

[   59s] xkb.c: In function 'ProcXkbSetMap':
[   59s] xkb.c:2427:27: warning: 'keytype' may be used uninitialized in this function [-Wmaybe-uninitialized]
[   59s]              nSyms = symmap->nSyms;
[   59s]                      ~~~~~~^~~~~~~
[   59s] xkb.c:2393:25: note: 'keytype' was declared here
[   59s]      xkbKeyTypeWireDesc *keytype;
Comment 25 Stefan Dirsch 2020-11-20 14:00:32 UTC 
Thanks a lot. Patch is now warning-free and makes sense to me. I just submitted the packages.
Comment 27 Alexandros Toptsoglou 2020-12-01 15:21:14 UTC 
now public through oss 

* CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access

Insufficient checks on the lengths of the XkbSetMap request can lead to
out of bounds memory accesses in the X server.
Comment 28 Stefan Dirsch 2020-12-01 17:25:42 UTC 
Just submitted to factory/TW. Reassigning.
Comment 29 OBSbugzilla Bot 2020-12-01 17:40:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1174908) was mentioned in
https://build.opensuse.org/request/show/852408 Factory / xorg-x11-server
Comment 30 Swamp Workflow Management 2020-12-01 20:17:23 UTC 
SUSE-SU-2020:3588-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2020-12-01 20:18:26 UTC 
SUSE-SU-2020:3589-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2020-12-01 20:19:32 UTC 
SUSE-SU-2020:3582-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Swamp Workflow Management 2020-12-01 20:20:38 UTC 
SUSE-SU-2020:3587-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.20.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Swamp Workflow Management 2020-12-01 20:22:42 UTC 
SUSE-SU-2020:3586-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Swamp Workflow Management 2020-12-01 20:23:54 UTC 
SUSE-SU-2020:3585-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE OpenStack Cloud 7 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Enterprise Storage 5 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Swamp Workflow Management 2020-12-01 20:25:05 UTC 
SUSE-SU-2020:14553-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 Swamp Workflow Management 2020-12-02 11:16:49 UTC 
openSUSE-SU-2020:2147-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.12.1
Comment 38 Swamp Workflow Management 2020-12-07 14:18:27 UTC 
openSUSE-SU-2020:2186-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xorg-x11-server-1.20.3-lp151.4.9.1
Comment 39 Wolfgang Frisch 2020-12-10 14:04:27 UTC 
Released.