author | herrb <herrb@web> | 2016-12-11 11:32:02 +0000 |
---|---|---|
committer | xorg <iki-xorg@freedesktop.org> | 2016-12-11 11:32:02 +0000 |
commit | 5b907a547531175e2c00a1948e94fef5381a8589 | |
tree | 0606904bdb445d4f8b47a26af882d4c31b9a006f /Development | |
parent | c077043047f60849d3bd3022f17d234170e02d11 | |
2016-10-04 advisory with CVE-IDs
Diffstat (limited to 'Development')
-rw-r--r-- | Development/Development/Security/Advisory-2016-10-04.mdwn | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/Development/Development/Security/Advisory-2016-10-04.mdwn b/Development/Development/Security/Advisory-2016-10-04.mdwn new file mode 100644 index 00000000..eddd53fd --- /dev/null +++ b/Development/Development/Security/Advisory-2016-10-04.mdwn 
@@ -0,0 +1,121 @@ +# X.Org security advisory: October 4, 2016 + +## Protocol handling issues in X Window System client libraries + +### Description + +Tobias Stoeckmann from the OpenBSD project has discovered a number of +issues in the way various X client libraries handle the responses they +receive from servers, and has worked with X.Org's security team to +analyze, confirm, and fix these issues. These issue come in addition +to the ones discovered by Ilja van Sprundel in 2013. + +Most of these issues stem from the client libraries trusting the +server to send correct protocol data, and not verifying that the +values will not overflow or cause other damage. Most of the time X +clients & servers are run by the same user, with the server more +privileged than the clients, so this is not a problem, but there are +scenarios in which a privileged client can be connected to an +unprivileged server, for instance, connecting a setuid X client (such +as a screen lock program) to a virtual X server (such as Xvfb or +Xephyr) which the user has modified to return invalid data, +potentially allowing the user to escalate their privileges. + +The X.Org security team would like to take this opportunity to remind +X client authors that current best practices suggest separating code +that requires privileges from the GUI, to reduce the attack surface of +issues like this. + + +### Affected libraries and CVE Ids + + * libX11 - insufficient validation of data from the X server can cause out of boundary memory read (XGetImage() - CVE-2016-7942) or write (XListFonts() - CVE-2016-7943). + + Affected versions libX11 <= 1.6.3 + + * libXfixes - insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures. CVE-2016-7944. + + Affected versions : libXfixes <= 5.0.2 + + * libXi - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). CVE-2016-7945, CVE-2016-7946. 
+ + Affected versions libXi <= 1.7.6 + + * libXrandr - insufficient validation of data from the X server can cause out of boundary memory writes. CVE-2016-7947, CVE-2016-7948. + + Affected versions: libXrandr <= 1.5.0 + + * libXrender - insufficient validation of data from the X server can cause out of boundary memory writes. CVE-2016-7949, CVE-2016-7950. + + Affected version: libXrender <= 0.9.9 + + * XRecord - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). CVE-2016-7951, CVE-2016-7952. + + Affected version libXtst <= 1.2.2 + + * libXv - insufficient validation of data from the X server can cause out of boundary memory and memory corruption. CVE-2016-5407 + + Affected versions libXv <= 1.0.10 + + * libXvMC - insufficient validation of data from the X server can cause a one byte buffer read underrun. CVE-2016-7953. + + Affected versions: libXvMC <= 1.0.9 + + +### Fixes + +Fixes are available in the following git commits. + + * lib/libX11 + + [[8ea762f|https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17]] Validation of server responses in XGetImage() + + [[8c29f16|https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9]] The validation of server responses avoids out of boundary accesses. + + * libXfixes + + [[61c1039|https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e]] Integer overflow on illegal server response + + * libXi + + [[19a9cd6|https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5]] Properly validate server responses. 
+ + * libXrandr + + [[a0df3e1|https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6]] Avoid out of boundary accesses on illegal responses + + * libXrender + + [[9362c7d|https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4]] Validate lengths while parsing server data. + + [[8fad00b|https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714]] Avoid OOB write in XRenderQueryFilters + + * lib/libXtst + + [[9556ad6|https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3]] Out of boundary access and endless loop in libXtst + + * libXv + + [[d9da58|https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17]] Protocol handling issues in libXv + + * libXvMC + + [[2cd95e7|https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb]] Avoid buffer underflow on empty strings. + + +They are also available in these modules releases from X.Org: + + * libX11 1.6.4 + * libXfixes 5.0.3 + * libXi 1.7.7 + * libXrandr 1.5.1 + * libXrender 0.9.10 + * libXtst 1.2.3 + * libXv 1.0.11 + * libXvMC 1.0.10 + +### Thanks + +X.Org thanks Tobias Stoeckmann for reporting these issues to our +security team and assisting them in understanding them and evaluating +our fixes. |
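Review bot: In the "Affected libraries and CVE Ids" list, the XRecord bullet is the only entry not named after its library, while its affected-version line, the Fixes list and the release list all say libXtst; naming it "libXtst (XRecord)" would let readers match the advisory against installed packages without guessing. In the same list the libXv entry reads "out of boundary memory and memory corruption", which is missing a word after the first "memory" (access, read or write), and the version lines vary between "Affected versions", "Affected versions :", "Affected versions:" and "Affected version:"; pick one form. Under Description, "These issue come in addition" should be "These issues come in addition". Under Fixes, the libXv link label "d9da58" is six characters where every other label is seven, and the libX11 and libXtst headings carry a "lib/" prefix the other headings lack. Finally, the file is created at Development/Development/Security/, with "Development" doubled in the path; please confirm that is the intended location.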