07a0acd246
The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, It didn't update its size properly. It updated `num_si` only, without updating `size_si`. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh). CVE-2024-9632, ZDI-CAN-24756 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Tested-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: José Expósito <jexposit@redhat.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733> |
||
|---|---|---|
| .. | ||
| README.compiled | ||
| XKBAlloc.c | ||
| XKBGAlloc.c | ||
| XKBMAlloc.c | ||
| XKBMisc.c | ||
| XKM_file_format.txt | ||
| ddxBeep.c | ||
| ddxCtrls.c | ||
| ddxKillSrv.c | ||
| ddxLEDs.c | ||
| ddxLoad.c | ||
| ddxPrivate.c | ||
| ddxVT.c | ||
| maprules.c | ||
| meson.build | ||
| xkb-procs.h | ||
| xkb.c | ||
| xkbAccessX.c | ||
| xkbActions.c | ||
| xkbDflts.h | ||
| xkbEvents.c | ||
| xkbInit.c | ||
| xkbLEDs.c | ||
| xkbPrKeyEv.c | ||
| xkbSwap.c | ||
| xkbUtils.c | ||
| xkbfmisc.c | ||
| xkbgeom.h | ||
| xkbout.c | ||
| xkbsrv_priv.h | ||
| xkbtext.c | ||
| xkbtext_priv.h | ||
| xkmread.c | ||
The X server uses this directory to store the compiled version of the
current keymap and/or any scratch keymaps used by clients. The X server
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time. The default keymap for any server is usually stored in:
X<num>-default.xkm
where <num> is the display number of the server in question, which makes
it possible for several servers *on the same host* to share the same
directory.
Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.