author: herrb <herrb@web> 2016-12-11 11:32:02 +0000
committer: xorg <iki-xorg@freedesktop.org> 2016-12-11 11:32:02 +0000
commit: 5b907a547531175e2c00a1948e94fef5381a8589 (patch)
tree: 0606904bdb445d4f8b47a26af882d4c31b9a006f /Development
parent: c077043047f60849d3bd3022f17d234170e02d11 (diff)
2016-10-04 advisory with CVE-IDs
Diffstat (limited to 'Development')
-rw-r--r-- Development/Development/Security/Advisory-2016-10-04.mdwn 121
1 files changed, 121 insertions, 0 deletions
diff --git a/Development/Development/Security/Advisory-2016-10-04.mdwn b/Development/Development/Security/Advisory-2016-10-04.mdwn
new file mode 100644
index 00000000..eddd53fd
--- /dev/null
+++ b/Development/Development/Security/Advisory-2016-10-04.mdwn
@@ -0,0 +1,121 @@
+# X.Org security advisory: October 4, 2016
+
+## Protocol handling issues in X Window System client libraries
+
+### Description
+
+Tobias Stoeckmann from the OpenBSD project has discovered a number of
+issues in the way various X client libraries handle the responses they
+receive from servers, and has worked with X.Org's security team to
+analyze, confirm, and fix these issues. These issue come in addition
+to the ones discovered by Ilja van Sprundel in 2013.
+
+Most of these issues stem from the client libraries trusting the
+server to send correct protocol data, and not verifying that the
+values will not overflow or cause other damage. Most of the time X
+clients & servers are run by the same user, with the server more
+privileged than the clients, so this is not a problem, but there are
+scenarios in which a privileged client can be connected to an
+unprivileged server, for instance, connecting a setuid X client (such
+as a screen lock program) to a virtual X server (such as Xvfb or
+Xephyr) which the user has modified to return invalid data,
+potentially allowing the user to escalate their privileges.
+
+The X.Org security team would like to take this opportunity to remind
+X client authors that current best practices suggest separating code
+that requires privileges from the GUI, to reduce the attack surface of
+issues like this.
+
+
+### Affected libraries and CVE Ids
+
+ * libX11 - insufficient validation of data from the X server can cause out of boundary memory read (XGetImage() - CVE-2016-7942) or write (XListFonts() - CVE-2016-7943).
+
+ Affected versions libX11 <= 1.6.3
+
+ * libXfixes - insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures. CVE-2016-7944.
+
+ Affected versions : libXfixes <= 5.0.2
+
+ * libXi - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). CVE-2016-7945, CVE-2016-7946.
+
+ Affected versions libXi <= 1.7.6
+
+ * libXrandr - insufficient validation of data from the X server can cause out of boundary memory writes. CVE-2016-7947, CVE-2016-7948.
+
+ Affected versions: libXrandr <= 1.5.0
+
+ * libXrender - insufficient validation of data from the X server can cause out of boundary memory writes. CVE-2016-7949, CVE-2016-7950.
+
+ Affected version: libXrender <= 0.9.9
+
+ * XRecord - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). CVE-2016-7951, CVE-2016-7952.
+
+ Affected version libXtst <= 1.2.2
+
+ * libXv - insufficient validation of data from the X server can cause out of boundary memory and memory corruption. CVE-2016-5407
+
+ Affected versions libXv <= 1.0.10
+
+ * libXvMC - insufficient validation of data from the X server can cause a one byte buffer read underrun. CVE-2016-7953.
+
+ Affected versions: libXvMC <= 1.0.9
+
+
+### Fixes
+
+Fixes are available in the following git commits.
+
+ * lib/libX11
+
+ [[8ea762f|https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17]] Validation of server responses in XGetImage()
+
+ [[8c29f16|https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9]] The validation of server responses avoids out of boundary accesses.
+
+ * libXfixes
+
+ [[61c1039|https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e]] Integer overflow on illegal server response
+
+ * libXi
+
+ [[19a9cd6|https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5]] Properly validate server responses.
+
+ * libXrandr
+
+ [[a0df3e1|https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6]] Avoid out of boundary accesses on illegal responses
+
+ * libXrender
+
+ [[9362c7d|https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4]] Validate lengths while parsing server data.
+
+ [[8fad00b|https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714]] Avoid OOB write in XRenderQueryFilters
+
+ * lib/libXtst
+
+ [[9556ad6|https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3]] Out of boundary access and endless loop in libXtst
+
+ * libXv
+
+ [[d9da58|https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17]] Protocol handling issues in libXv
+
+ * libXvMC
+
+ [[2cd95e7|https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb]] Avoid buffer underflow on empty strings.
+
+
+They are also available in these modules releases from X.Org:
+
+ * libX11 1.6.4
+ * libXfixes 5.0.3
+ * libXi 1.7.7
+ * libXrandr 1.5.1
+ * libXrender 0.9.10
+ * libXtst 1.2.3
+ * libXv 1.0.11
+ * libXvMC 1.0.10
+
+### Thanks
+
+X.Org thanks Tobias Stoeckmann for reporting these issues to our
+security team and assisting them in understanding them and evaluating
+our fixes.
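Review bot: Several wording and consistency issues in the advisory text of this hunk are worth fixing before it is published. In the Description, "These issue come in addition" should read "These issues come in addition". In the libXv entry, "can cause out of boundary memory and memory corruption" is missing a noun; "out of boundary memory access and memory corruption" would match the wording of the other entries. The version lines alternate between "Affected versions libX11 <= 1.6.3", "Affected versions : libXfixes <= 5.0.2" and "Affected version libXtst <= 1.2.2"; a single form such as "Affected versions: libX11 <= 1.6.3" throughout would be clearer for anyone scanning the list for their package. The affected-libraries entry labelled "XRecord" is the only one not named after a library, while its fix and release are listed under libXtst; "libXtst (XRecord extension)" would tie the three sections together. In the Fixes list, "lib/libX11" and "lib/libXtst" are written with a "lib/" prefix while the other modules are bare names, and the libXv link label "d9da58" is six characters where every other label is seven ("d9da580" would match the linked commit id). Finally, "these modules releases" should be "these module releases".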