PT-2021-17199 · Xcb · Xcb
Published
2021-02-04
·
Updated
2021-08-25
·
CVE-2021-26958
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
xcb crate through 2021-02-04 for Rust
Description:
The issue concerns a soundness violation in the xcb crate, which can lead to transmutation to the wrong type after using
std::mem::transmute to return a reference to an arbitrary type. Specifically, the functions xcb::xproto::GetPropertyReply::value() and xcb::xproto::GetAtomNameReply::name() are affected. The value() function returns a slice of type T where T is an unconstrained type parameter, and the raw bytes received from the X11 server are interpreted as the requested type. The name() function calls std::str::from utf8 unchecked() on unvalidated bytes from an X server. Additionally, there is an out-of-bounds read in xcb::xproto::change property() when the format and type arguments do not match the intended use.Recommendations:
For the xcb crate through 2021-02-04 for Rust:
- As a temporary workaround, consider restricting the use of the
xcb::xproto::GetPropertyReply::value()function to only call it with the intended types, which areu8,u16, andu32. - Avoid using the
xcb::xproto::GetAtomNameReply::name()function until the issue is resolved. - Restrict the use of the
xcb::xproto::change property()function to only call it with one of the intended argument combinations, which are format = 8 andT = u8, format = 16 andT = u16, or format = 32 andT = u32. - Users are advised to only cast to the event structs provided by the
xcbcrate using thexcb::base::cast event()function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Out of bounds Read
Unchecked Return Value
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Xcb