Date: Thu, 09 Apr 2015 17:00:08 +0200
From: Yann Droneaud <ydroneaud@...eya.com>
To: oss-security@...ts.openwall.com
Cc: Florian Weimer <fweimer@...hat.com>, Marc Deslauriers <marc.deslauriers@...onical.com>, cve-assign@...re.org
Subject: Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro

Hi,

On Thursday 09 April 2015 at 07:44 -0400, Marc Deslauriers wrote:
> On 2015-04-09 07:10 AM, Florian Weimer wrote:
> > On 04/09/2015 09:09 AM, cve-assign@...re.org wrote:
> >>> The MakeBigReq macro in libX11 contained a 4-byte buffer overflow:
> >>
> >>> https://bugs.freedesktop.org/show_bug.cgi?id=56508
> >>
> >>> Fixed by the following commit in libX11 1.5.99.901:
> >>
> >>> http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d
> >>
> >> (for the "#ifdef LONG64")
> >>> - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
> >>> + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
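
Review bot: The shortened size should come with a comment saying why exactly one 32-bit word fewer is moved, because nothing in the hunk itself records it. With the destination at `req + 8` and the source at `req + 4`, a size of `_BRlen << 2` writes through byte `8 + (_BRlen << 2) - 1`, one word beyond where `(_BRlen - 1) << 2` stops; that single word is the 4-byte overflow named in the Subject, while the reads from `req + 4` stay inside the request in both versions. A one-line comment such as `/* move _BRlen - 1 words: the data after the first word, minus the word that would land past the end of req */` would keep the next reader from restoring the old length as an apparent off-by-one.
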
> >>
> >> (for the "else")
> >>> - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
> >>> + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
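
Review bot: This `#else` hunk is character-for-character the same as the `#ifdef LONG64` one above, so the same one-word overrun had to be fixed twice in lockstep. Consider hoisting the shared `memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2);` out of the `#ifdef LONG64` / `#else` pair so the size computation exists once; as it stands any future change to the move has to be mirrored by hand in both branches.
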
> >>
> >> Use CVE-2013-7439.
> > 
> > Does this assignment cover application code which has to be recompiled
> > because it included an expansion of broken macro?
> > 
> > (The question is hypothetical.  I could find copies of the header file,
> > but not actual users of the macro.)
> > 
> 
> Actually, libx11 contains the following macro also:
> 
> #define SetReqLen(req,n,badlen) \
>     if ((req->length + n) > (unsigned)65535) { \
> 	if (dpy->bigreq_size) { \
> 	    MakeBigReq(req,n) \
> 	} else { \
> 	    n = badlen; \
> 	    req->length += n; \
> 	} \
>     } else \
> 	req->length += n
> 
> which means anything that uses SetReqLen also needs to be rebuilt, and so far
> I've found:
> 
> libxext
> libxrender
> libxi
> libxfixes
> libxrandr
> libsdl1.2
> libxv
> libxp
> texlive-bin
> xserver-xorg-video-vmware
> 

There are more candidates for SetReqLen:

http://codesearch.debian.net/results/SetReqLen/page_0

I've noted in particular cairo.

And then indirectly through an embedded copy of cairo:
firefox (iceweasel), thunderbird (icedove), texlive-bin, indigo,
wine-gecko.

Additionally vnc4 through its own libX11 copy.

Finally open-vm-tools is also a possible candidate.

(Please note I haven't checked if the SetReqLen macro is actually used in
a way that might trigger a buffer overflow in the MakeBigReq macro).

Regards.

-- 
Yann Droneaud
OPTEYA
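The one-word overrun in the quoted memmove, as an added example that is not part of this thread and not libX11 code: a stand-alone C model that lays a request of `len` 32-bit words at the start of an arena, fills the rest of the arena with sentinel words, runs the move with the pre-fix size (`_BRlen << 2`) and the post-fix size (`(_BRlen - 1) << 2`) from the quoted hunks, and counts how many sentinel words were clobbered. The arena, the sentinel and the payload values are constructed; the hunks show only the memmove, so the value of `_BRlen` is an assumption, taken here as the request length in words minus one, which is how the unquoted part of the macro defines it. `set_req_len_takes_bigreq` is a model of the SetReqLen dispatch Marc quoted, not libX11's macro.

```c
/* Added example: model of the MakeBigReq memmove before and after the
 * CVE-2013-7439 fix. Not libX11 code; layout and sentinel are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_WORDS 64
#define SENTINEL    0xDEADBEEFu

/* Place a request of `len` 32-bit words at the start of `arena`, using
 * distinct payload words so moved data can be told apart, and fill the
 * remainder with SENTINEL. Constructed input, not a real X request. */
static void build_request(uint32_t *arena, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++)
        arena[i] = 0x01000000u + i;
    for (uint32_t i = len; i < ARENA_WORDS; i++)
        arena[i] = SENTINEL;
}

/* The quoted memmove. `brlen` plays the role of _BRlen.
 * ASSUMPTION (not visible in the quoted hunks): _BRlen is the request
 * length in words minus one, i.e. everything after the first 4-byte word. */
static void shift_for_bigreq(uint32_t *req, uint32_t brlen, int fixed)
{
    size_t nbytes = fixed ? (size_t)(brlen - 1) << 2   /* after the fix  */
                          : (size_t)brlen << 2;        /* before the fix */
    memmove((char *)req + 8, (char *)req + 4, nbytes);
}

/* Run the shift on a request of `len` words (len >= 2) and return how many
 * words past the end of the request were written. 0 means a clean move. */
static unsigned words_overrun(uint32_t len, int fixed)
{
    uint32_t arena[ARENA_WORDS];
    build_request(arena, len);
    shift_for_bigreq(arena, len - 1, fixed);
    unsigned clobbered = 0;
    for (uint32_t i = len; i < ARENA_WORDS; i++)
        if (arena[i] != SENTINEL)
            clobbered++;
    return clobbered;
}

/* After the fixed move, words 1..len-2 must sit at 2..len-1 and the header
 * word must be untouched: the data after the 4-byte header is preserved. */
static int fixed_move_preserves_payload(uint32_t len)
{
    uint32_t arena[ARENA_WORDS];
    build_request(arena, len);
    shift_for_bigreq(arena, len - 1, 1);
    for (uint32_t i = 1; i + 1 < len; i++)
        if (arena[i + 1] != 0x01000000u + i)
            return 0;
    return arena[0] == 0x01000000u;
}

/* Model of the SetReqLen dispatch quoted above: MakeBigReq, and with it the
 * memmove, runs only when the request would exceed 65535 words and the
 * server advertised BIG-REQUESTS (dpy->bigreq_size != 0). */
static int set_req_len_takes_bigreq(uint32_t length, uint32_t n,
                                    uint32_t bigreq_size)
{
    return (length + n) > 65535u && bigreq_size != 0;
}

int main(void)
{
    for (uint32_t len = 2; len <= 8; len++)
        printf("len=%u words: old size overruns %u word(s), fixed size %u\n",
               len, words_overrun(len, 0), words_overrun(len, 1));
    printf("payload preserved after fixed move: %d\n",
           fixed_move_preserves_payload(8));
    return 0;
}
```

For every request length the old size overruns by exactly one word, 4 bytes, independent of `n`, while the fixed size stays inside the request and keeps the words after the header intact. The dispatch check is what makes the move reachable only for requests longer than 65535 words on a server offering BIG-REQUESTS; since both macros expand inline into callers, that path lives in each consumer's own binary, which is why the rebuild list above matters.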

