Message-ID: <aa1585dd-d109-463e-9639-9b6f576a3f1e@oracle.com>
Date: Fri, 26 Jan 2024 13:53:41 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list

Over on the full-disclosure mailing list today, a number of messages were
delivered (though dated last week, presumably due to moderation delays)
from Meng Ruijie at the National University of Singapore, disclosing CVE
assignments in a range of FOSS programs, including:

Null pointer deference in freedesktop mesa
Null pointer dereference in Xedit
NULL pointer dereference in tgetstr() of ncurses
Buffer Overflow in glXQueryServerString() of mesa
Null pointer deference in XGetWMHints() of Xfig
NULL pointer dereference in the function handle_viminfo_register() of vim
NULL pointer dereference in __glXGetDrawableAttribute() of Mesa
NULL pointer dereference in XIQueryDevice() of gnome gtk
NULL pointer dereference in glXGetDrawableScreen() of OpenGL libglvnd
null pointer deference in GNU Midnight at /tty/x11conn.c
null pointer deference in gnome gdk-pixbuf
arithmetic exception in S-lang via the function tt_sprintf()
null pointer deference in gnome gtk via init_randr15() at gdkscreen-x11.c
SEGV in S-Lang via fixup_tgetstr()
null pointer deference in gnome gtk via parse_settings() at xsettings-client.c
NULL pointer dereference in freedesktop Mesa via check_xshm()
null pointer deference in nano via read_the_list()
NULL pointer dereference in QT via the function QXcbConnection::initializeAllAtoms()
Buffer Overflow in graphviz via via a crafted config6a file
null pointer deference in MiniZinc via a crafted .mzn file
null pointer deference in Sane via a crafted config file
null pointer deference in tex-live via a crafted cmr10.pfb
null pointer deference in LLVM
null pointer deference in MiniZinc via a crafted Preferences.json file
null pointer deference in tex-live
Buffer overflow in Sane

as you can see on https://seclists.org/fulldisclosure/2024/Jan/

Unfortunately, many of the email titles are misleading as they represent
bugs other than NULL pointer dereferences.  For instance,
"NULL pointer dereference in __glXGetDrawableAttribute() of Mesa" from
https://seclists.org/fulldisclosure/2024/Jan/50 points to
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9857 which is an
out-of-bounds read that would segfault long before it could cause the
pointer to wrap around to a NULL value.

While I can't speak for all the projects involved, I can speak for the
X.Org maintainers & security team, and I can say that we were not
consulted or informed about this CVE filing - if I wasn't on the FD
mailing list, I wouldn't even know it had happened.  The CNA responsible
has not yet published the CVE to the CVE database, so we can't yet
file a dispute, but once they do, I plan to request that they withdraw
CVE-2023-45916 for xedit, as there is no security boundary crossed here
and the bug doesn't allow someone to do anything they otherwise couldn't.

The claim in https://seclists.org/fulldisclosure/2024/Jan/45 is that if
you can edit /usr/local/lib/X11/xedit/lisp/lisp.lsp you can make xedit
crash - but if you can edit that file you can just change the lisp code
to do whatever you want already, so while I see a low-priority bug there
I don't see any security exposure worthy of a CVE.  (The bug report also
doesn't explain how an attacker would have permissions to modify that
file in the first place, without already having privileges to do far
worse to the system.)

The Mesa developers I spoke to on IRC today were similarly surprised by
these CVE assignments for their project, so please be kind to the
maintainers of the above projects if they similarly are unaware of these
CVEs and surprised that someone would claim a security vulnerability
exists given the circumstances.

-- 
      -Alan Coopersmith-              alan.coopersmith@...cle.com
        X.Org Security Response Team - xorg-security@...ts.x.org
