X.Org Server 1.20.11 Released Due To New Security Advisory
Written by Michael Larabel in X.Org on 13 April 2021 at 11:02 AM EDT. 35 Comments
X.ORG --
Trend Micro's Zero Day Initiative has uncovered another security issue with the X.Org Server.

Trend Micro security researchers found that shortcomings in the X.Org Server's X Input extension input validation could ultimately lead to privilege escalation for authorized clients.

CVE-2021-3472 involves insufficient checks on the lengths of an X Input request could lead to out-of-bounds memory accesses in the X.Org Server. If the X.Org Server is running with privileged rights, this could lead to privilege escalation for authorized X11 clients.

This patch fixes the XChangeFeedbackControl() request underflow.

Going along with today's security advisory is X.Org Server 1.20.11 that has this fix plus other accumulated patches.

X.Org Server 1.20.11 is predominantly made up of many back-ported XQuartz fixes, Meson build fix with KMS depending on DRI2, and other fixes. See the change-log but overall not too exciting outside of this security fix and many XQuartz back-ports.

There still is no sign of X.Org Server 1.21 as the next feature release and meanwhile the XWayland standalone work continues. Speaking of which, XWayland 21.1.1 was also issued today with this X Input security fix.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week