FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xorg-server -- Pixel Data Uninitialized Memory Information Disclosure

Affected packages
xorg-server < 1.20.8_3,1
xephyr < 1.20.8_3,1
xorg-vfbserver < 1.20.8_3,1
xorg-nestserver < 1.20.8_3,1
xwayland < 1.20.8_3,1
xorg-dmx < 1.20.8_3,1

Details

VuXML ID 3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0
Discovery 2020-07-31
Entry 2020-08-01

The X.org project reports:

Allocation for pixmap data in AllocatePixmap() does not initialize the memory in xserver, it leads to leaking uninitialized heap memory to clients. When the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other flaws (known/unknown) could lead to privilege elevation in the client.
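
A minimal model of the bug class the report describes, added here as an illustration; it is not X.org or FreeBSD code. The fixed arena, the function names and the 32-byte size are hypothetical, and the arena stands in for a heap that hands a recycled chunk to the pixmap allocator.

```c
#include <stdio.h>
#include <string.h>

/* Toy heap (assumption): every allocation returns the same recycled
 * chunk, as a real allocator may do after a free(). */
static unsigned char arena[64];

static void *arena_alloc(size_t n) {
    return n <= sizeof arena ? arena : NULL;
}

/* Earlier server-side use of the chunk leaves a pointer behind.
 * A stale pointer is exactly what weakens ASLR if a client sees it. */
static void seed_stale_data(void) {
    void *stale = (void *)arena;
    memcpy(arena, &stale, sizeof stale);
}

/* Hypothetical pixmap allocation that skips initialization. */
static unsigned char *pixmap_alloc_uninit(size_t bytes) {
    return arena_alloc(bytes);
}

/* Hardened form: clear the pixel data before a client can read it. */
static unsigned char *pixmap_alloc_zeroed(size_t bytes) {
    unsigned char *p = arena_alloc(bytes);
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Models a client reading the fresh pixmap back; returns how many
 * bytes of stale server memory are visible in the pixel data. */
static size_t stale_bytes_visible(unsigned char *(*alloc)(size_t), size_t bytes) {
    size_t n = 0;
    seed_stale_data();
    unsigned char *pix = alloc(bytes);
    for (size_t i = 0; pix && i < bytes; i++)
        n += pix[i] != 0;
    return n;
}

int main(void) {
    printf("uninitialized: %zu stale bytes visible\n",
           stale_bytes_visible(pixmap_alloc_uninit, 32));
    printf("zeroed:        %zu stale bytes visible\n",
           stale_bytes_visible(pixmap_alloc_zeroed, 32));
    return 0;
}
```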

References

CVE Name CVE-2020-14347
URL https://lists.x.org/archives/xorg-announce/2020-July/003051.html