PT-2021-17198 · Rust · Xcb
Published: 2021-02-04 · Updated: 2021-08-25 · CVE-2021-26957
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
xcb crate through 2021-02-04 for Rust
Description:
The issue concerns a soundness violation in the xcb crate, which can lead to out-of-bounds reads and incorrect type transmutations. Specifically, the xcb::xproto::change_property() function can perform an out-of-bounds read when the format and type arguments do not match the intended use cases. Additionally, the xcb::xproto::GetAtomNameReply::name() function calls std::str::from_utf8_unchecked() on unvalidated bytes from an X server, and the xcb::xproto::GetPropertyReply::value() function returns a slice of an unconstrained type parameter, allowing arbitrary return types. The xcb::base::cast_event() function also uses std::mem::transmute() to return a reference to an arbitrary type, which can lead to transmutation to an incorrect type.
Recommendations:
For xcb crate through 2021-02-04 for Rust:
- Users are advised to only call xcb::xproto::change_property() with the intended argument combinations, such as format = 8 and T = u8, format = 16 and T = u16, or format = 32 and T = u32.
- Users should only call xcb::xproto::GetPropertyReply::value() with the intended types, which are u8, u16, and u32.
- As a temporary workaround, consider restricting the use of xcb::xproto::GetAtomNameReply::name() until the issue is resolved.
- Users are advised to only cast to the event structs provided by the xcb crate using xcb::base::cast_event().

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
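The checks the recommendations describe can be enforced in code rather than by convention. The following is an added example, not code from the xcb crate: RawProperty, PropError, items, as_u16, as_u32 and atom_name are hypothetical names, and RawProperty is a constructed stand-in for the format and value bytes of a property reply.

```rust
// Added example: hypothetical names, not part of the xcb crate.
#[derive(Debug, PartialEq)]
enum PropError {
    FormatMismatch { expected: u8, got: u8 },
    Truncated { len: usize, unit: usize },
}

/// Constructed stand-in for a GetProperty reply: the format the server
/// reported (8, 16 or 32) and the raw value bytes.
struct RawProperty<'a> {
    format: u8,
    data: &'a [u8],
}

impl<'a> RawProperty<'a> {
    /// Reject the reply unless its format matches the requested item width
    /// and the byte length is a whole number of items.
    fn items(&self, expected: u8) -> Result<std::slice::ChunksExact<'a, u8>, PropError> {
        let unit = usize::from(expected / 8);
        if self.format != expected {
            return Err(PropError::FormatMismatch { expected, got: self.format });
        }
        if self.data.len() % unit != 0 {
            return Err(PropError::Truncated { len: self.data.len(), unit });
        }
        Ok(self.data.chunks_exact(unit))
    }
    // Items are copied out byte by byte, so no unaligned or oversized read occurs.
    fn as_u16(&self) -> Result<Vec<u16>, PropError> {
        Ok(self.items(16)?.map(|c| u16::from_ne_bytes([c[0], c[1]])).collect())
    }
    fn as_u32(&self) -> Result<Vec<u32>, PropError> {
        Ok(self.items(32)?.map(|c| u32::from_ne_bytes([c[0], c[1], c[2], c[3]])).collect())
    }
}

/// Validating counterpart of std::str::from_utf8_unchecked for atom names.
fn atom_name(bytes: &[u8]) -> Result<&str, std::str::Utf8Error> {
    std::str::from_utf8(bytes)
}

fn main() {
    let data = 7u32.to_ne_bytes(); // constructed sample value
    let ok = RawProperty { format: 32, data: &data };
    let bad = RawProperty { format: 8, data: &data };
    println!("{:?} {:?} {:?}", ok.as_u32(), bad.as_u32(), bad.as_u16());
    println!("{:?} {:?}", atom_name(b"WM_NAME"), atom_name(&[0x57, 0xff]));
}
```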
Exploit
Out of bounds Read
Unchecked Return Value
Affected Products
Xcb