ALAS2-2021-1592

Amazon Linux 2 Security Advisory: ALAS-2021-1592
Advisory Release Date: 2021-01-25 23:09 Pacific
Advisory Updated Date: 2021-01-26 18:45 Pacific

Severity: Important

References: CVE-2020-14347 CVE-2020-14360 CVE-2020-25712
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in the way the Xserver memory was not properly initialized. This issue leak parts of server memory to the X client. In cases where the Xorg server runs with elevated privileges, this flaw results in a possible ASLR bypass. (CVE-2020-14347)

A flaw was found in the X.Org Server. An out-of-bounds access in the XkbSetMap function may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14360)

A flaw was found in xorg-x11-server. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25712)

Affected Packages:

xorg-x11-server

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update xorg-x11-server to update your system.

New Packages:

aarch64:
    xorg-x11-server-common-1.20.4-15.amzn2.0.1.aarch64
    xorg-x11-server-Xorg-1.20.4-15.amzn2.0.1.aarch64
    xorg-x11-server-Xnest-1.20.4-15.amzn2.0.1.aarch64
    xorg-x11-server-Xdmx-1.20.4-15.amzn2.0.1.aarch64
    xorg-x11-server-Xvfb-1.20.4-15.amzn2.0.1.aarch64
    xorg-x11-server-Xephyr-1.20.4-15.amzn2.0.1.aarch64
    xorg-x11-server-Xwayland-1.20.4-15.amzn2.0.1.aarch64
    xorg-x11-server-devel-1.20.4-15.amzn2.0.1.aarch64
    xorg-x11-server-debuginfo-1.20.4-15.amzn2.0.1.aarch64

i686:
    xorg-x11-server-common-1.20.4-15.amzn2.0.1.i686
    xorg-x11-server-Xorg-1.20.4-15.amzn2.0.1.i686
    xorg-x11-server-Xnest-1.20.4-15.amzn2.0.1.i686
    xorg-x11-server-Xdmx-1.20.4-15.amzn2.0.1.i686
    xorg-x11-server-Xvfb-1.20.4-15.amzn2.0.1.i686
    xorg-x11-server-Xephyr-1.20.4-15.amzn2.0.1.i686
    xorg-x11-server-Xwayland-1.20.4-15.amzn2.0.1.i686
    xorg-x11-server-devel-1.20.4-15.amzn2.0.1.i686
    xorg-x11-server-debuginfo-1.20.4-15.amzn2.0.1.i686

noarch:
    xorg-x11-server-source-1.20.4-15.amzn2.0.1.noarch

src:
    xorg-x11-server-1.20.4-15.amzn2.0.1.src

x86_64:
    xorg-x11-server-common-1.20.4-15.amzn2.0.1.x86_64
    xorg-x11-server-Xorg-1.20.4-15.amzn2.0.1.x86_64
    xorg-x11-server-Xnest-1.20.4-15.amzn2.0.1.x86_64
    xorg-x11-server-Xdmx-1.20.4-15.amzn2.0.1.x86_64
    xorg-x11-server-Xvfb-1.20.4-15.amzn2.0.1.x86_64
    xorg-x11-server-Xephyr-1.20.4-15.amzn2.0.1.x86_64
    xorg-x11-server-Xwayland-1.20.4-15.amzn2.0.1.x86_64
    xorg-x11-server-devel-1.20.4-15.amzn2.0.1.x86_64
    xorg-x11-server-debuginfo-1.20.4-15.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2020-14347, CVE-2020-14360, CVE-2020-25712

Mitre: CVE-2020-14347, CVE-2020-14360, CVE-2020-25712