Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 09 Apr 2015 08:23:37 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
CC: Marc Deslauriers <marc.deslauriers@...onical.com>,
        Florian Weimer <fweimer@...hat.com>, cve-assign@...re.org
Subject: Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq
 macro

On 04/ 9/15 04:44 AM, Marc Deslauriers wrote:
> On 2015-04-09 07:10 AM, Florian Weimer wrote:
>> On 04/09/2015 09:09 AM, cve-assign@...re.org wrote:
>>>> The MakeBigReq macro in libX11 contained a 4-byte buffer overflow:
>>>
>>>> https://bugs.freedesktop.org/show_bug.cgi?id=56508
>>>
>>>> Fixed by the following commit in libX11 1.5.99.901:
>>>
>>>> http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d
>>>
>>> (for the "#ifdef LONG64")
>>>> - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
>>>> + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
>>>
>>> (for the "else")
>>>> - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
>>>> + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
>>>
>>> Use CVE-2013-7439.
>>
>> Does this assignment cover application code which has to be recompiled
>> because it included an expansion of broken macro?
>>
>> (The question is hypothetical.  I could find copies of the header file,
>> but not actual users of the macro.)
>>
>
> Actually, libx11 contains the following macro also:
>
> #define SetReqLen(req,n,badlen) \
>      if ((req->length + n) > (unsigned)65535) { \
> 	if (dpy->bigreq_size) { \
> 	    MakeBigReq(req,n) \
> 	} else { \
> 	    n = badlen; \
> 	    req->length += n; \
> 	} \
>      } else \
> 	req->length += n
>
> which means anything that uses SetReqLen also needs to be rebuilt, and so far
> I've found:
>
> libxext
> libxrender
> libxi
> libxfixes
> libxrandr
> libsdl1.2
> libxv
> libxp
> texlive-bin
> xserver-xorg-video-vmware

I'd expect it in most of the X.Org libraries for the various extensions (the 
ones based on Xlib instead of XCB at least), which includes some of the Xorg
drivers which provide extension code for their extensions, but I'm surprised
by it in other applications.

-- 
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	  X.Org Security Response Team - xorg-security@...ts.x.org

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ