Bug 1174908 – VUL-0: CVE-2020-14360: xorg-x11-server: XkbSetMap Out-Of-Bounds Access Privilege Escalation Vulnerability (ZDI-CAN-11572)

Bug 1174908 - (CVE-2020-14360) VUL-0: CVE-2020-14360: xorg-x11-server: XkbSetMap Out-Of-Bounds Access Privilege Escalation Vulnerability (ZDI-CAN-11572)

(CVE-2020-14360)
Summary:	VUL-0: CVE-2020-14360: xorg-x11-server: XkbSetMap Out-Of-Bounds Access Privi...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/264773/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-14360:7.8:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-08-05 11:52 UTC by Alexandros Toptsoglou
Modified:	2020-12-10 14:04 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
CVE-2020-14360.patch (4.62 KB, patch) 2020-11-13 08:16 UTC, Marcus Meissner	Details \| Diff
patchv2 (4.11 KB, patch) 2020-11-19 10:15 UTC, Alexandros Toptsoglou	Details \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 7 Stefan Dirsch 2020-08-24 10:03:19 UTC

Ok. Thanks!

Comment 10 Stefan Dirsch 2020-09-10 11:29:36 UTC

Any news on this one?

Comment 14 Marcus Meissner 2020-11-13 08:16:48 UTC

Created attachment 843565 [details]
CVE-2020-14360.patch

Avoid out of bounds memory accesses on too short request.                                                                                                                                    
                                                                                                                                                                                             
ZDI-CAN 11572 /  CVE-2020-14360                                                                                                                                                              
                                                                                                                                                                                             
This vulnerability was discovered by:                                                                                                                                                        
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative                                                                                                                                 
                                                                                                                                                                                             
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>

Comment 16 Stefan Dirsch 2020-11-18 10:08:54 UTC

[   61s] xkb.c: In function 'ProcXkbSetMap':
[   61s] xkb.c:2430:27: warning: 'keytype' may be used uninitialized in this function [-Wmaybe-uninitialized]
[   61s]              nSyms = symmap->nSyms;
[   61s]                      ~~~~~~^~~~~~~
[   61s] xkb.c:2389:25: note: 'keytype' was declared here
[   61s]      xkbKeyTypeWireDesc *keytype;

This appears to me to be an issue with the patch. If  

if (req->present & XkbKeyTypesMask) 

does not apply indeed later keytype will remain undefined. Could you verify this, please? If needed with the author. Thanks!

Comment 17 Alexandros Toptsoglou 2020-11-19 10:15:14 UTC

Created attachment 843719 [details]
patchv2

While the multiplications cannot overflow, I think it is possible to
try to overflow the total length, since there can be up to 65536*65536
nested structures in the 'syms' list.

This is very unlikely to be practically doable, since it means
transmitting almost UINT32_MAX bytes of data.

The following new version of the patch checks at each step that the
total length is not overflowing UINT32_MAX.

Comment 18 Stefan Dirsch 2020-11-19 10:47:13 UTC

Hmm. Maybe I'm blind and/or stupid, but I don't see my issue addressed with that patch. keytype may still be undefined. Could you double check or try to explain?

Comment 20 Stefan Dirsch 2020-11-19 11:01:59 UTC

I see. Just double checked with the updated patch for sure. Still the same issue.

[   59s] xkb.c: In function 'ProcXkbSetMap':
[   59s] xkb.c:2427:27: warning: 'keytype' may be used uninitialized in this function [-Wmaybe-uninitialized]
[   59s]              nSyms = symmap->nSyms;
[   59s]                      ~~~~~~^~~~~~~
[   59s] xkb.c:2393:25: note: 'keytype' was declared here
[   59s]      xkbKeyTypeWireDesc *keytype;

Comment 25 Stefan Dirsch 2020-11-20 14:00:32 UTC

Thanks a lot. Patch is now warning-free and makes sense to me. I just submitted the packages.

Comment 27 Alexandros Toptsoglou 2020-12-01 15:21:14 UTC

now public through oss 

* CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access

Insufficient checks on the lengths of the XkbSetMap request can lead to
out of bounds memory accesses in the X server.

Comment 28 Stefan Dirsch 2020-12-01 17:25:42 UTC

Just submitted to factory/TW. Reassigning.

Comment 29 OBSbugzilla Bot 2020-12-01 17:40:06 UTC

This is an autogenerated message for OBS integration:
This bug (1174908) was mentioned in
https://build.opensuse.org/request/show/852408 Factory / xorg-x11-server

Comment 30 Swamp Workflow Management 2020-12-01 20:17:23 UTC

SUSE-SU-2020:3588-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 31 Swamp Workflow Management 2020-12-01 20:18:26 UTC

SUSE-SU-2020:3589-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 32 Swamp Workflow Management 2020-12-01 20:19:32 UTC

SUSE-SU-2020:3582-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 33 Swamp Workflow Management 2020-12-01 20:20:38 UTC

SUSE-SU-2020:3587-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.20.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 34 Swamp Workflow Management 2020-12-01 20:22:42 UTC

SUSE-SU-2020:3586-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 35 Swamp Workflow Management 2020-12-01 20:23:54 UTC

SUSE-SU-2020:3585-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE OpenStack Cloud 7 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Enterprise Storage 5 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 36 Swamp Workflow Management 2020-12-01 20:25:05 UTC

SUSE-SU-2020:14553-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 37 Swamp Workflow Management 2020-12-02 11:16:49 UTC

openSUSE-SU-2020:2147-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.12.1

Comment 38 Swamp Workflow Management 2020-12-07 14:18:27 UTC

openSUSE-SU-2020:2186-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xorg-x11-server-1.20.3-lp151.4.9.1

Comment 39 Wolfgang Frisch 2020-12-10 14:04:27 UTC

Released.