Date: Wed, 1 Mar 2017 11:01:30 +1030 From: Doran Moppert <dmoppert@...hat.com> To: oss-security@...ts.openwall.com Subject: three issues in xorg (CVE-2016-2624, CVE-2016-2625, CVE-2016-2626) Vulnerabilities in xorg (server, libXdmcp, libICE) were recently reported by Eric Sesterhenn of X41, and assigned CVEs by Red Hat. > CVE-2017-2624 xorg-x11-server: timing attack against MIT Cookie mitauth.c uses memcmp() to check the validity of MIT cookies, exposing a possible timing attack on some platforms. https://bugzilla.redhat.com/show_bug.cgi?id=1424984 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856398 https://bugzilla.novell.com/show_bug.cgi?id=1025029 > CVE-2017-2625 libXdmcp: weak entropy usage for session keys In the absence of arc4random(), xdmcp session keys are generated based on getpid() and time(), which may allow a local attacker to brute-force the key. https://bugzilla.redhat.com/show_bug.cgi?id=1424987 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856399 https://bugzilla.novell.com/show_bug.cgi?id=1025046 > CVE-2017-2626 libICE: weak entropy usage in session keys In the absence of arc4random(), the Inter-Client Exchange session keys are generated based on gettimeofday(), which may allow a local attacker to brute-force the key. https://bugzilla.redhat.com/show_bug.cgi?id=1424992 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856400 https://bugzilla.novell.com/show_bug.cgi?id=1025068 The first issue is mitigated with recent glibc's memcmp, particularly with -D_FORTIFY_SOURCE=2, and the other two by providing an implementation of arc4random at compile time, such as libbsd. I expect these to be announced shortly at <https://www.x.org/wiki/Development/Security/>. -- Doran Moppert Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ