Hi folks,

I've released XQuartz-2.8.1_rc1. The primary motivation for this release was to get out a fix for CVE-2021-3472. I've attached the X.org security advisory for this issue.

In addition to this fix, rc1 also includes a fix to properly set the fontdir when the server starts.

If there are no major regressions reported in the next week, I'll ship this out as 2.8.1.

Thanks
Jeremy

https://www.xquartz.org/releases/XQuartz-2.8.1_rc1.html
--- Begin Message ---

X.Org server security advisory: April 13, 2021

Input validation failures in X server XInput extension
======================================================

Insufficient checks on the lengths of the XInput extension ChangeFeedbackControl request can lead to out of bounds memory accesses in the X server.

These issues can lead to privilege escalation for authorized clients on systems where the X server is running privileged.

* CVE-2021-3472 / ZDI CAN 12549 XChangeFeedbackControl Integer Underflow

Patch
-----

A patch for this issue has been committed to the xorg server git repository. xorg-server 1.20.11 and xwayland 21.1.1 will be released shortly and will include this patch.

https://gitlab.freedesktop.org/xorg/xserver.git

commit 7aaf54a1884f71dc363f0b884e57bcb67407a6cd
    Fix XChangeFeedbackControl() request underflow
    CVE-2021-3472 / ZDI-CAN-1259

Thanks
======

These vulnerabilities have been discovered by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.

--
Matthieu Herrb

_______________________________________________
xorg-announce mailing list
xorg-annou...@lists.x.org
https://lists.x.org/mailman/listinfo/xorg-announce
--- End Message ---
_______________________________________________
Xquartz-dev mailing list
Xquartz-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/xquartz-dev
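The advisory above describes the bug class only in one line: a request length that is not checked against the fixed header size, so that subtracting the header in unsigned arithmetic wraps around and later bounds checks are satisfied by a request that is actually too short. The following C block is an added illustration of that pattern and of the check that prevents it; it is not code from the X server, XQuartz, or the referenced commit. The request layout (`req_header_t`), the field names and the sizes are constructed for the example and are not the XInput wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed request layout for the example only; NOT the XInput
 * ChangeFeedbackControl wire format. The header is 8 bytes. */
typedef struct {
    uint8_t  opcode;
    uint8_t  feedback_class;  /* which feedback type the client wants to change */
    uint16_t length;          /* declared total request length, header included */
    uint32_t mask;            /* which fields of the payload are meaningful */
} req_header_t;

#define HEADER_LEN (sizeof(req_header_t))

/* Weak pattern: derive the payload size by subtracting the header size
 * from the client-supplied length without first checking that the
 * declared length is at least HEADER_LEN. With unsigned arithmetic a
 * declared length of 2 yields (size_t)2 - 8, which wraps to a value
 * near SIZE_MAX instead of signalling an error. */
static size_t payload_len_unchecked(uint16_t declared_len) {
    return (size_t)declared_len - HEADER_LEN;
}

/* Why the wrap matters: a later "is the payload big enough for this
 * feedback class?" comparison is trivially satisfied by the wrapped
 * value, so a 2-byte request looks as if it carried kilobytes of data. */
static int naive_bound_passes(uint16_t declared_len, size_t needed) {
    return payload_len_unchecked(declared_len) >= needed;
}

/* Hardened pattern: reject the request before any subtraction unless the
 * declared length covers the header AND does not exceed the bytes that
 * were actually received. Returns the payload length, or -1 on a
 * malformed request. */
static long payload_len_checked(uint16_t declared_len, size_t received) {
    if (declared_len < HEADER_LEN)   /* would underflow on subtraction */
        return -1;
    if (declared_len > received)     /* claims more bytes than the buffer holds */
        return -1;
    return (long)(declared_len - HEADER_LEN);
}

/* Parse a raw request buffer with the hardened check. Returns 0 and sets
 * *payload_len on success, -1 if the buffer is too short for a header or
 * the declared length is inconsistent with it. */
static int parse_request(const uint8_t *buf, size_t n, size_t *payload_len) {
    req_header_t hdr;
    if (n < HEADER_LEN)
        return -1;
    memcpy(&hdr, buf, HEADER_LEN);   /* avoids misaligned access on strict targets */
    long len = payload_len_checked(hdr.length, n);
    if (len < 0)
        return -1;
    *payload_len = (size_t)len;
    return 0;
}

int main(void) {
    /* Constructed sample: a request that declares only 2 bytes of total
     * length but arrives in an 8-byte buffer (header only, no payload). */
    uint8_t short_req[8] = {0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00};
    /* Constructed sample: a well-formed 12-byte request (8 header + 4 payload). */
    uint8_t good_req[12] = {0x01, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00,
                            0xaa, 0xbb, 0xcc, 0xdd};
    size_t plen;

    printf("unchecked payload length for declared=2: %zu\n", payload_len_unchecked(2));
    printf("naive bound (needs 1024 bytes) passes:   %d\n", naive_bound_passes(2, 1024));
    printf("checked parse of short request:          %d\n",
           parse_request(short_req, sizeof short_req, &plen));
    if (parse_request(good_req, sizeof good_req, &plen) == 0)
        printf("checked parse of good request: payload %zu bytes\n", plen);
    return 0;
}
```

The two checks in `payload_len_checked` are independent: the first prevents the underflow, the second prevents a request from claiming more bytes than were received (an over-read in the other direction). Both belong before any arithmetic on the client-controlled length, which is the same ordering the advisory's fix title ("request underflow") points to.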