X.Org's Latest Security Woes Are Bugs In LibX11, Xserver

Written by Michael Larabel in X.Org on 31 July 2020 at 09:54 AM EDT. 38 Comments
X.ORG
The X.Org/X11 Server has been hit by many security vulnerabilities over the past decade as security researchers eye more open-source software. Some of these vulnerabilities date back to even the 80's and 90's given how X11 has built up over time. The X.Org Server security was previously characterized as being even worse than it looks while today the latest vulnerabilities have been made public.

CVE-2020-14344 is now public and covers multiple integer overflows and signed/unsigned comparison issues within the X Input Method implementation in the libX11 library. These issues can lead to heap corruption when handling malformed messages from an input method.

Several patches are now in libX11 Git for addressing these overflows and bad sign comparisons. LibX11 1.6.10 will be released shortly with these fixes.

More details on today's disclosure via the xorg-devel list.

Update: Further security issues are also being made public today... CVE-2020-14347 is public too as a bug in the pixmap data code leading to uninitialized heap memory being leaked to clients. In turn when paired with other flows and running the xorg-server as root could potentially lead to privilege escalation. X.Org Server 1.20.9 to be released soon with this fix, which was discovered as part of the Trend Micro Zero Day Initiative.
38 Comments
Related News
xcompmgr 1.1.10 Released For Classic "Eye Candy" Compositor On X.Org
Local Privilege Escalation Vulnerability Affecting X.Org Server For 18 Years
It's Taken Until 2024 To Add FreeBSD To X.Org Continuous Integration Testing
libX11 1.8.10 Brings Memory Safety Fixes
X.Org Testing Ground Expands Its Scope To Illumos/OpenIndiana
X.Org Server Patches Look To Cleanup VRR Handling, Make It Xinerama-Aware
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features
NTSYNC Linux Patches Revived To Help Boost Steam Play Gaming Performance
Rust-Based, Memory-Safe PNG Decoders "Vastly Outperform" C-Based PNG Libraries