Date: Tue, 4 Oct 2016 17:22:17 +0200 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: X.Org security advisory: Protocol handling issues in X Window System client libraries Hi, Mitre, can you assign CVE ids for the issues without? Ciao, Marcus On Tue, Oct 04, 2016 at 04:46:53PM +0200, Matthieu Herrb wrote: > X.Org security advisory: October 4, 2016 > > Protocol handling issues in X Window System client libraries > ============================================================ > > Description > > Tobias Stoeckmann from the OpenBSD project has discovered a number of > issues in the way various X client libraries handle the responses they > receive from servers, and has worked with X.Org's security team to > analyze, confirm, and fix these issues. These issue come in addition > to the ones discovered by Ilja van Sprundel in 2013. > > Most of these issues stem from the client libraries trusting the > server to send correct protocol data, and not verifying that the > values will not overflow or cause other damage. Most of the time X > clients & servers are run by the same user, with the server more > privileged than the clients, so this is not a problem, but there are > scenarios in which a privileged client can be connected to an > unprivileged server, for instance, connecting a setuid X client (such > as a screen lock program) to a virtual X server (such as Xvfb or > Xephyr) which the user has modified to return invalid data, > potentially allowing the user to escalate their privileges. > > The X.Org security team would like to take this opportunity to remind > X client authors that current best practices suggest separating code > that requires privileges from the GUI, to reduce the attack surface of > issues like this. > > > Affected libraries and CVE Ids > > libX11 - insufficient validation of data from the X server > can cause out of boundary memory read (XGetImage()) > or write (XListFonts()). > Affected versions libX11 <= 1.6.3 > > libXfixes - insufficient validation of data from the X server > can cause an integer overflow on 32 bit architectures. > Affected versions : libXfixes <= 5.0.2 > > libXi - insufficient validation of data from the X server > can cause out of boundary memory access or > endless loops (Denial of Service). > Affected versions libXi <= 1.7.6 > > libXrandr - insufficient validation of data from the X server > can cause out of boundary memory writes. > Affected versions: libXrandr <= 1.5.0 > > libXrender - insufficient validation of data from the X server > can cause out of boundary memory writes. > Affected version: libXrender <= 0.9.9 > > XRecord - insufficient validation of data from the X server > can cause out of boundary memory access or > endless loops (Denial of Service). > Affected version libXtst <= 1.2.2 > > libXv - insufficient validation of data from the X server > can cause out of boundary memory and memory corruption. > CVE-2016-5407 > affected versions libXv <= 1.0.10 > > libXvMC - insufficient validation of data from the X server > can cause a one byte buffer read underrun. > Affected versions: libXvMC <= 1.0.9 > > > Fixes > > Fixes are available in the following git commits. > > lib/libX11 > 8ea762f Validation of server responses in XGetImage() > 8c29f16 The validation of server responses avoids out of boundary accesses. > > libXfixes > 61c1039 Integer overflow on illegal server response > > libXi > 19a9cd6 Properly validate server responses. > > libXrandr > a0df3e1 Avoid out of boundary accesses on illegal responses > > libXrender > 9362c7d Validate lengths while parsing server data. > 8fad00b Avoid OOB write in XRenderQueryFilters > > lib/libXtst > 9556ad6 Out of boundary access and endless loop in libXtst > > libXv > 87b3c94 Protocol handling issues in libXv > > libXvMC > 2cd95e7 Avoid buffer underflow on empty strings. > > > They will also be available in these modules releases from X.Org: > > * libX11 1.6.4 > * libXfixes 5.0.3 > * libXi 1.7.7 > * libXrandr 1.5.1 > * libXrender 0.9.10 > * libXtst 1.2.3 > * libXv 1.0.11 > * libXvMC 1.0.10 > > Thanks > > X.Org thanks Tobias Stoeckmann for reporting these issues to our > security team and assisting them in understanding them and evaluating > our fixes. > > -- > Matthieu Herrb -- Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ