
Ubuntu 20.04: USN-4488-1 Moderate: X.Org X Server Access Control

September 2, 2020
Ubuntu's September advisory addresses several vulnerabilities in the X.Org X Server, including local privilege escalation risks.

Summary

Several security issues were fixed in X.Org X Server.

Software Description:

- xorg-server: X.Org X11 server
- xorg-server-hwe-18.04: X.Org X11 server
- xorg-server-hwe-16.04: X.Org X11 server

Details:

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the
input extension protocol. A local attacker could possibly use this issue to
escalate privileges. (CVE-2020-14346)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly initialized
memory. A local attacker could possibly use this issue to obtain sensitive
information. (CVE-2020-14347)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the
XkbSelectEvents function. A local attacker could possibly use this issue to
escalate privileges. (CVE-2020-14361)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the
XRecordRegisterClients function. A local attacker could possibly use this
issue to escalate privileges. (CVE-2020-14362)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  xserver-xorg-core               2:1.20.8-2ubuntu2.3

Ubuntu 18.04 LTS:
  xserver-xorg-core               2:1.19.6-1ubuntu4.5
  xserver-xorg-core-hwe-18.04     2:1.20.8-2ubuntu2.2~18.04.2

Ubuntu 16.04 LTS:
  xserver-xorg-core               2:1.18.4-0ubuntu0.9
  xserver-xorg-core-hwe-16.04     2:1.19.6-1ubuntu4.1~16.04.3

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

https://ubuntu.com/security/notices/USN-4488-1

CVE-2020-14346, CVE-2020-14347, CVE-2020-14361, CVE-2020-14362

September 02, 2020
