CVE-2021-31535: Input Validation
First published: Tue May 18 2021(Updated: )
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/redhat-virtualization-host | <0:4.3.18-20210903.0.el7_9 | 0:4.3.18-20210903.0.el7_9 |
| debian/libx11 | <=2:1.7.0-2<=2:1.6.7-1<=2:1.6.7-1+deb10u1 | 2:1.6.7-1+deb10u2 2:1.7.1-1 |
| X.Org libX11 | <1.7.1 | |
| X.org X Window System | <=x11r7.7 | |
| Fedoraproject Fedora | =33 | |
| debian/libx11 | 2:1.6.7-1+deb10u2 2:1.6.7-1+deb10u4 2:1.7.2-1+deb11u1 2:1.7.2-1+deb11u2 2:1.8.4-2+deb12u1 2:1.8.4-2+deb12u2 2:1.8.7-1 |
Remedy
xterm should not be used to display less trusted data, e.g. from SSH connections to less trusted remote machines. To avoid attacks via .Xdefaults on kiosk type machines, where graphical user has no permission to execute arbitrary operating system commands or sometimes not even to send hardware keyboard keystrokes, the .Xdefaults must not be modifiable by the user.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-31535 https://nvd.nist.gov/vuln/detail/CVE-2021-31535 https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/ https://unparalleled.eu/publications/2021/advisory-unpar-2021-1.txt
- https://bugzilla.redhat.com/show_bug.cgi?id=1961822
- https://access.redhat.com/errata/RHBA-2021:3472
- https://access.redhat.com/errata/RHSA-2021:3296
- https://access.redhat.com/errata/RHSA-2021:4326
- https://access.redhat.com/errata/RHSA-2021:3477
- https://access.redhat.com/security/cve/cve-2021-31535
- https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605
- https://www.openwall.com/lists/oss-security/2021/05/18/2
- https://www.openwall.com/lists/oss-security/2021/05/18/3
- https://unparalleled.eu/publications/2021/advisory-unpar-2021-1.txt
- https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/
- https://security-tracker.debian.org/tracker/CVE-2021-31535
- http://packetstormsecurity.com/files/162737/libX11-Insufficient-Length-Check-Injection.html
- http://seclists.org/fulldisclosure/2021/May/52
- http://www.openwall.com/lists/oss-security/2021/05/18/2
- https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/05/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEOT4RLB76RVPJQKGGTIKTBIOLHX2NR6/
- https://lists.freedesktop.org/archives/xorg/
- https://lists.x.org/archives/xorg-announce/2021-May/003088.html
- https://security.gentoo.org/glsa/202105-16
- https://security.netapp.com/advisory/ntap-20210813-0001/
- https://www.debian.org/security/2021/dsa-4920
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31535
- https://bugzilla.suse.com/show_bug.cgi?id=1182506
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988737
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1961823
- https://github.com/montjoie/centos-libX11/commits/c7-backport
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEOT4RLB76RVPJQKGGTIKTBIOLHX2NR6/
- https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-31535?
CVE-2021-31535 is a vulnerability in libX11 that allows remote attackers to execute arbitrary code.
How severe is CVE-2021-31535?
CVE-2021-31535 has a severity rating of 9.8 (critical).
What software is affected by CVE-2021-31535?
The libX11 package with versions before 1.7.1 on Red Hat, libX11 package with various versions on Debian, X.Org libX11 with versions before 1.7.1, X.org X Window System up to inclusive x11r7.7, and Fedoraproject Fedora 33 are affected.
How can I fix CVE-2021-31535?
To fix CVE-2021-31535, update libX11 to version 1.7.1 on Red Hat, update libX11 to the recommended versions on Debian, and update X.Org libX11 to version 1.7.1.
Where can I find more information about CVE-2021-31535?
More information about CVE-2021-31535 can be found at the following references: [Reference 1], [Reference 2], [Reference 3]
- collector/redhat-cve
- collector/security-tracker-debian
- collector/nvd-index
- collector/debian-bugs
- alias/CVE-2021-31535
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- package-manager/debian
- vendor/x.org
- canonical/x.org libx11
- canonical/x.org x window system
- version/x.org x window system/x11r7.7
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33