CVE-2021-26956

Name of the Vulnerable Software and Affected Versions: xcb crate versions through 2021-02-04

Description: The issue concerns a soundness violation in the xcb crate for Rust, where bytes from an X server can be interpreted as any data type returned by xcb::xproto::GetPropertyReply::value(). This is due to the function returning a slice of type T, where T is an unconstrained type parameter, allowing the raw bytes received from the X11 server to be interpreted as the requested type. Additionally, xcb::xproto::GetAtomNameReply::name() calls std::str::from utf8 unchecked() on unvalidated bytes from an X server, and there is an out-of-bounds read in xcb::xproto::change property() when the format and type arguments do not match the intended use. The xcb::base::cast event() function also uses std::mem::transmute() to return a reference to an arbitrary type, which can lead to transmutation to an incorrect type.

Recommendations: For versions through 2021-02-04, users are advised to only call xcb::xproto::GetPropertyReply::value() with the intended types, which are u8, u16, and u32. For xcb::xproto::GetAtomNameReply::name(), consider validating the bytes received from the X server before calling std::str::from utf8 unchecked(). For xcb::xproto::change property(), ensure that the format and type arguments match the intended use to avoid out-of-bounds reads. For xcb::base::cast event(), only cast to the event structs provided by the xcb crate to minimize the risk of transmutation to an incorrect type. At the moment, there is no information about a newer version that contains a fix for this vulnerability.