Date: Fri, 26 Jan 2024 13:53:41 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list

Over on the full-disclosure mailing list today, a number of messages were
delivered (though dated last week, presumably due to moderation delays) from
Meng Ruijie at the National University of Singapore, disclosing CVE
assignments in a range of FOSS programs, including:

  Null pointer deference in freedesktop mesa
  Null pointer dereference in Xedit
  NULL pointer dereference in tgetstr() of ncurses
  Buffer Overflow in glXQueryServerString() of mesa
  Null pointer deference in XGetWMHints() of Xfig
  NULL pointer dereference in the function handle_viminfo_register() of vim
  NULL pointer dereference in __glXGetDrawableAttribute() of Mesa
  NULL pointer dereference in XIQueryDevice() of gnome gtk
  NULL pointer dereference in glXGetDrawableScreen() of OpenGL libglvnd
  null pointer deference in GNU Midnight at /tty/x11conn.c
  null pointer deference in gnome gdk-pixbuf
  arithmetic exception in S-lang via the function tt_sprintf()
  null pointer deference in gnome gtk via init_randr15() at gdkscreen-x11.c
  SEGV in S-Lang via fixup_tgetstr()
  null pointer deference in gnome gtk via parse_settings() at xsettings-client.c
  NULL pointer dereference in freedesktop Mesa via check_xshm()
  null pointer deference in nano via read_the_list()
  NULL pointer dereference in QT via the function QXcbConnection::initializeAllAtoms()
  Buffer Overflow in graphviz via via a crafted config6a file
  null pointer deference in MiniZinc via a crafted .mzn file
  null pointer deference in Sane via a crafted config file
  null pointer deference in tex-live via a crafted cmr10.pfb
  null pointer deference in LLVM
  null pointer deference in MiniZinc via a crafted Preferences.json file
  null pointer deference in tex-live
  Buffer overflow in Sane

as you can see on https://seclists.org/fulldisclosure/2024/Jan/

Unfortunately, many of the email titles are misleading, as they represent
bugs other than NULL pointer dereferences. For instance, "NULL pointer
dereference in __glXGetDrawableAttribute() of Mesa" from
https://seclists.org/fulldisclosure/2024/Jan/50 points to
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9857 which is an
out-of-bounds read that would segfault long before it could cause the
pointer to wrap around to a NULL value.

While I can't speak for all the projects involved, I can speak for the X.Org
maintainers & security team, and I can say that we were not consulted or
informed about this CVE filing - if I wasn't on the FD mailing list, I
wouldn't even know it had happened.

The CNA responsible has not yet published the CVE to the CVE database, so we
can't yet file a dispute, but once they do, I plan to request that they
withdraw CVE-2023-45916 for xedit, as there is no security boundary crossed
here and the bug doesn't allow someone to do anything they otherwise
couldn't. The claim in https://seclists.org/fulldisclosure/2024/Jan/45 is
that if you can edit /usr/local/lib/X11/xedit/lisp/lisp.lsp you can make
xedit crash - but if you can edit that file you can just change the lisp
code to do whatever you want already, so while I see a low-priority bug
there I don't see any security exposure worthy of a CVE. (The bug report
also doesn't explain how an attacker would have permissions to modify that
file in the first place, without already having privileges to do far worse
to the system.)

The Mesa developers I spoke to on IRC today were similarly surprised by
these CVE assignments for their project, so please be kind to the
maintainers of the above projects if they similarly are unaware of these
CVEs and surprised that someone would claim a security vulnerability exists
given the circumstances.

-- 
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	 X.Org Security Response Team - xorg-security@...ts.x.org