Re: X.Org security advisory: Protocol handling issues in X Window System client libraries

[Marcus Meissner <meissner () suse de>]

Hi,

Mitre, can you assign CVE ids for the issues without?

Ciao, Marcus
On Tue, Oct 04, 2016 at 04:46:53PM +0200, Matthieu Herrb wrote:
> X.Org security advisory: October 4, 2016
>
> Protocol handling issues in X Window System client libraries
> ============================================================
>
> Description
>
> Tobias Stoeckmann from the OpenBSD project has discovered a number of
> issues in the way various X client libraries handle the responses they
> receive from servers, and has worked with X.Org's security team to
> analyze, confirm, and fix these issues. These issue come in addition
> to the ones discovered by Ilja van Sprundel in 2013.
>
> Most of these issues stem from the client libraries trusting the
> server to send correct protocol data, and not verifying that the
> values will not overflow or cause other damage. Most of the time X
> clients & servers are run by the same user, with the server more
> privileged than the clients, so this is not a problem, but there are
> scenarios in which a privileged client can be connected to an
> unprivileged server, for instance, connecting a setuid X client (such
> as a screen lock program) to a virtual X server (such as Xvfb or
> Xephyr) which the user has modified to return invalid data,
> potentially allowing the user to escalate their privileges.
>
> The X.Org security team would like to take this opportunity to remind
> X client authors that current best practices suggest separating code
> that requires privileges from the GUI, to reduce the attack surface of
> issues like this.
>
>
> Affected libraries and CVE Ids
>
> libX11 - insufficient validation of data from the X server
>        can cause out of boundary memory read (XGetImage())
>        or write (XListFonts()).
>        Affected versions libX11 <= 1.6.3
>
> libXfixes - insufficient validation of data from the X server
>       can cause an integer overflow on 32 bit architectures.
>       Affected versions : libXfixes <= 5.0.2
>
> libXi - insufficient validation of data from the X server
>       can cause out of boundary memory access or
>       endless loops (Denial of Service).
>       Affected versions libXi <= 1.7.6
>
> libXrandr - insufficient validation of data from the X server
>       can cause out of boundary memory writes.
>       Affected versions: libXrandr <= 1.5.0
>
> libXrender - insufficient validation of data from the X server
>       can cause out of boundary memory writes.
>       Affected version: libXrender <= 0.9.9
>
> XRecord - insufficient validation of data from the X server
>         can cause out of boundary memory access or
>       endless loops (Denial of Service).
>        Affected version libXtst <= 1.2.2
>
> libXv - insufficient validation of data from the X server
>         can cause out of boundary memory and memory corruption.
>       CVE-2016-5407
>       affected versions libXv <= 1.0.10
>
> libXvMC - insufficient validation of data from the X server
>       can cause a one byte buffer read underrun.
>       Affected versions: libXvMC <= 1.0.9
>
>
> Fixes
>
> Fixes are available in the following git commits.
>
> lib/libX11
> 8ea762f Validation of server responses in XGetImage()
> 8c29f16 The validation of server responses avoids out of boundary accesses.
>
> libXfixes
> 61c1039 Integer overflow on illegal server response
>
> libXi
> 19a9cd6 Properly validate server responses.
>
> libXrandr
> a0df3e1 Avoid out of boundary accesses on illegal responses
>
> libXrender
> 9362c7d Validate lengths while parsing server data.
> 8fad00b Avoid OOB write in XRenderQueryFilters
>
> lib/libXtst
> 9556ad6 Out of boundary access and endless loop in libXtst
>
> libXv
> 87b3c94 Protocol handling issues in libXv
>
> libXvMC
> 2cd95e7 Avoid buffer underflow on empty strings.
>
>
> They will also be available in these modules releases from X.Org:
>
>  * libX11 1.6.4
>  * libXfixes 5.0.3
>  * libXi 1.7.7
>  * libXrandr 1.5.1
>  * libXrender 0.9.10
>  * libXtst 1.2.3
>  * libXv 1.0.11
>  * libXvMC 1.0.10
>
> Thanks
>
> X.Org thanks Tobias Stoeckmann for reporting these issues to our
> security team and assisting them in understanding them and evaluating
> our fixes.
>
> -- 
> Matthieu Herrb



-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 
53-432,,serv=loki,mail=wotan,type=real <meissner () suse de>