Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2024-2510

Related Vulnerabilities: CVE-2024-31080   CVE-2024-31081   CVE-2024-31083  

A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. (CVE-2024-31080) A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. (CVE-2024-31081) The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs. ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used. (CVE-2024-31083)

Source

ALAS-2024-2510

Amazon Linux 2 Security Advisory: ALAS-2024-2510
Advisory Release Date: 2024-04-11 01:07 Pacific
Advisory Updated Date: 2024-04-15 12:00 Pacific
Severity: Important
Issue Overview:

A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. (CVE-2024-31080)

A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. (CVE-2024-31081)

The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs.

ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used. (CVE-2024-31083)


Affected Packages:

tigervnc


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update tigervnc to update your system.

New Packages:
aarch64:
    tigervnc-1.8.0-24.amzn2.0.3.aarch64
    tigervnc-server-1.8.0-24.amzn2.0.3.aarch64
    tigervnc-server-minimal-1.8.0-24.amzn2.0.3.aarch64
    tigervnc-server-module-1.8.0-24.amzn2.0.3.aarch64
    tigervnc-debuginfo-1.8.0-24.amzn2.0.3.aarch64

i686:
    tigervnc-1.8.0-24.amzn2.0.3.i686
    tigervnc-server-1.8.0-24.amzn2.0.3.i686
    tigervnc-server-minimal-1.8.0-24.amzn2.0.3.i686
    tigervnc-server-module-1.8.0-24.amzn2.0.3.i686
    tigervnc-debuginfo-1.8.0-24.amzn2.0.3.i686

noarch:
    tigervnc-server-applet-1.8.0-24.amzn2.0.3.noarch
    tigervnc-license-1.8.0-24.amzn2.0.3.noarch
    tigervnc-icons-1.8.0-24.amzn2.0.3.noarch

src:
    tigervnc-1.8.0-24.amzn2.0.3.src

x86_64:
    tigervnc-1.8.0-24.amzn2.0.3.x86_64
    tigervnc-server-1.8.0-24.amzn2.0.3.x86_64
    tigervnc-server-minimal-1.8.0-24.amzn2.0.3.x86_64
    tigervnc-server-module-1.8.0-24.amzn2.0.3.x86_64
    tigervnc-debuginfo-1.8.0-24.amzn2.0.3.x86_64

Additional References

Red Hat: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083

Mitre: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started