Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 09 Apr 2015 07:44:52 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: Florian Weimer <fweimer@...hat.com>, oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: Re: CVE Request: libX11: buffer overflow in  MakeBigReq
 macro

On 2015-04-09 07:10 AM, Florian Weimer wrote:
> On 04/09/2015 09:09 AM, cve-assign@...re.org wrote:
>>> The MakeBigReq macro in libX11 contained a 4-byte buffer overflow:
>>
>>> https://bugs.freedesktop.org/show_bug.cgi?id=56508
>>
>>> Fixed by the following commit in libX11 1.5.99.901:
>>
>>> http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d
>>
>> (for the "#ifdef LONG64")
>>> - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
>>> + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
>>
>> (for the "else")
>>> - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
>>> + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
>>
>> Use CVE-2013-7439.
> 
> Does this assignment cover application code which has to be recompiled
> because it included an expansion of broken macro?
> 
> (The question is hypothetical.  I could find copies of the header file,
> but not actual users of the macro.)
> 

Actually, libx11 contains the following macro also:

#define SetReqLen(req,n,badlen) \
    if ((req->length + n) > (unsigned)65535) { \
	if (dpy->bigreq_size) { \
	    MakeBigReq(req,n) \
	} else { \
	    n = badlen; \
	    req->length += n; \
	} \
    } else \
	req->length += n

which means anything that uses SetReqLen also needs to be rebuilt, and so far
I've found:

libxext
libxrender
libxi
libxfixes
libxrandr
libsdl1.2
libxv
libxp
texlive-bin
xserver-xorg-video-vmware


Marc.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ