Bug 1025035

Summary: VUL-1: xorg-x11-server: Potential Use after Free in Xorg Server in XdmToID()
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: matthias.gerstner, meissner, sndirsch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:running:63669:moderate maint:released:sle10-sp3:63670 maint:planned:update
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1025639

Description Matthias Gerstner 2017-02-13 16:08:44 UTC
Embargoed until CRD 2017-02-28.

Received via private discussion on mailing list:

Summary and Impact
------------------

There is a (currently non-security) issue in XDM regarding a potential
use after free.

The ToID() function in os/auth.c is not used anywhere, just defined in
the struct and filled by the protocols, but there are no users.

    AuthToIDFunc ToID;          /* convert cookie to ID */

X41 noticed that XdmToID() frees the cookie argument in
case it can resolve the ID or on failure, but not if it can't
allocate memory for plain. The same return value is given
whether no memory could be allocated or it just failed to
look up the ID, so the caller cannot distinguish whether this
memory is freed or not, which might lead to a double free or
memory leaks. The other ToID functions do not free this parameter.
Comment 1 Matthias Gerstner 2017-02-13 16:12:28 UTC
I've checked our codestreams and it seems the situation has always been the same:  The ToID function is never called. We should fix this anyway to avoid trouble in the future.

The oldest codestream SUSE:SLE-10-SP3:Update already contains the faulty XdmToID() function. So we can consider all codestreams affected.

There is no final patch for this available yet. Given that the other two ToID functions don't free the cookie parameter the `xfree( cookie )` calls will probably be removed from XdmToID().

We will give an update once the final patch is available.
Comment 2 Swamp Workflow Management 2017-02-13 23:01:43 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2017-02-28 15:02:39 UTC
Potential Use after Free in Xorg Server
=======================================
Vulnerability Type: Other
Affected Products: Xorg Server
Attack Type: Local
Impact: -       
Severity Rating: none
Confirmed Affected Version: 1.19.0 and lower
Confirmed Patched Version:
Vector: local
CVE: -
CVSS Score: -
CVSS Vector: -

Summary and Impact
------------------

There is a (currently non-security) issue in XDM regarding a potential use
after free.

The ToID() function in os/auth.c is not used anywhere, just defined in
the struct and filled by the protocols, but there are no users.

    AuthToIDFunc ToID;          /* convert cookie to ID */

X41 noticed that XdmToID() frees the cookie argument in case it can
resolve the ID or on failure, but not if it can't allocate memory for plain:

        XdmToID(unsigned short cookie_length, char *cookie)
        {
            XdmAuthorizationPtr auth;
            XdmClientAuthPtr client;
            unsigned char *plain;

            plain = malloc(cookie_length);
            if (!plain)
                return (XID) -1;        /* cookie is NOT freed on this path */
            for (auth = xdmAuth; auth; auth = auth->next) {
                XdmcpUnwrap((unsigned char *) cookie, (unsigned char *) &auth->key,
                            plain, cookie_length);
                if ((client =
                     XdmAuthorizationValidate(plain, cookie_length, &auth->rho,
                                              NULL, NULL)) != NULL) {
                    free(client);
                    free(cookie);       /* cookie freed when the ID resolves */
                    free(plain);
                    return auth->id;
                }
            }
            free(cookie);               /* cookie freed on lookup failure, same return value as on malloc failure */
            free(plain);
            return (XID) -1;
        }

The same return value is given whether no memory could be allocated or
it just failed to look up the ID, so the caller cannot distinguish
whether this memory is freed or not, which might lead to a double free or
memory leaks. The other ToID functions do not free this parameter.
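The ownership contract the report (in the description and again in comment 3) is asking for, as an added example that is not code from the xserver tree or from X41's report: a simplified stand-in for XdmToID() that borrows the cookie on every path, beside the caller that releases it exactly once. XdmcpUnwrap() and XdmAuthorizationValidate() are replaced by labelled stubs (XOR with a one-byte key, plaintext comparison), the xdmAuth list is a constructed two-entry fixture, and resolve_test_cookie() is a hypothetical helper for exercising it. The variant shown is the "drop the xfree(cookie) calls" fix comment 1 anticipates; upstream ultimately removed the unused function altogether (commit 2855f759b1e7bf7f5e57cac36c1f0d0e5ac1a683).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the X server's XID type (added example, not xserver code). */
typedef uint32_t XID;

/* Constructed, simplified stand-in for the xdmAuth list: each entry holds a
 * one-byte key for the stand-in unwrap and the plaintext cookie it accepts. */
typedef struct XdmAuthStub {
    unsigned char key;
    const char *expected_plain;
    XID id;
    const struct XdmAuthStub *next;
} XdmAuthStub;

/* Stand-in for XdmcpUnwrap(): XOR with a one-byte key. The real function is
 * DES based; the ownership question is independent of the cipher. */
static void stub_unwrap(const unsigned char *in, unsigned char key,
                        unsigned char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key;
}

/* Stand-in for XdmAuthorizationValidate(): nonzero if the unwrapped cookie
 * equals the entry's expected plaintext. */
static int stub_validate(const unsigned char *plain, size_t len,
                         const XdmAuthStub *auth)
{
    return strlen(auth->expected_plain) == len &&
           memcmp(plain, auth->expected_plain, len) == 0;
}

/* Hardened shape of XdmToID(): `cookie` is borrowed and never freed, on every
 * path (match, no match, malloc failure), so ownership always stays with the
 * caller and the shared (XID)-1 return value no longer hides a freed pointer. */
static XID xdm_to_id_fixed(unsigned short cookie_length, const char *cookie,
                           const XdmAuthStub *auths)
{
    unsigned char *plain = malloc(cookie_length);
    if (!plain)
        return (XID) -1;          /* cookie untouched: caller still owns it */

    for (const XdmAuthStub *auth = auths; auth; auth = auth->next) {
        stub_unwrap((const unsigned char *) cookie, auth->key, plain, cookie_length);
        if (stub_validate(plain, cookie_length, auth)) {
            free(plain);          /* only what this function allocated */
            return auth->id;
        }
    }
    free(plain);
    return (XID) -1;
}

/* Caller side of the contract: allocate the wrapped cookie, look it up, and
 * free the cookie exactly once regardless of the result. Under ASan or
 * valgrind, a callee that also freed `cookie` would surface here as a double
 * free. Returns the resolved ID, or (XID)-1 if no entry matched. */
static XID resolve_cookie(const char *wrapped, unsigned short len,
                          const XdmAuthStub *auths)
{
    char *cookie = malloc(len);
    if (!cookie)
        return (XID) -1;
    memcpy(cookie, wrapped, len);
    XID id = xdm_to_id_fixed(len, cookie, auths);
    free(cookie);                 /* single, unconditional release */
    return id;
}

/* Constructed fixture: two registered authorizations. */
static const XdmAuthStub AUTH_B = { 0x5a, "beta",  0x201, NULL };
static const XdmAuthStub AUTH_A = { 0x3c, "alpha", 0x101, &AUTH_B };

/* Hypothetical helper: wrap `plain` under `key` with the stand-in cipher and
 * resolve it against the fixture. */
static XID resolve_test_cookie(const char *plain, unsigned char key)
{
    char wrapped[32];
    size_t n = strlen(plain);
    if (n > sizeof wrapped)
        return (XID) -1;
    for (size_t i = 0; i < n; i++)
        wrapped[i] = (char) (plain[i] ^ key);
    return resolve_cookie(wrapped, (unsigned short) n, &AUTH_A);
}

int main(void)
{
    /* A cookie wrapped under AUTH_A's key resolves to 0x101; an unknown
     * cookie yields (XID)-1, and in both cases the caller freed it once. */
    return resolve_test_cookie("alpha", 0x3c) == 0x101 &&
           resolve_test_cookie("gamma", 0x3c) == (XID) -1 ? 0 : 1;
}
```

Compiling the block with `-fsanitize=address` and reintroducing a `free(cookie)` inside xdm_to_id_fixed() is a quick way to see why the original contract was unsafe: the caller's unconditional release then reports as a double free on the match and no-match paths, while the malloc-failure path leaks instead.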
Comment 4 Stefan Dirsch 2017-03-20 14:48:21 UTC
About which component are we talking here? I can't find this code in git master of xserver (os/auth.c).
Comment 5 Matthias Gerstner 2017-03-20 15:17:08 UTC
(In reply to Stefan Dirsch from comment #4)
> About which component are we talking here? I can't find this code in git
> master of xserver (os/auth.c).

The mentioned function is in os/xdmauth.c, only the declaration of the "AuthToIDFunc ToID" is in os/auth.c.

Has been removed in git master upstream in commit 2855f759b1e7bf7f5e57cac36c1f0d0e5ac1a683.
Comment 6 Stefan Dirsch 2017-03-20 15:21:00 UTC
Thanks. This explains it. The commit is in xserver, not xdm.
Comment 7 Stefan Dirsch 2017-06-07 15:29:51 UTC
According to Michal Srb, 2855f759b1e7bf7f5e57cac36c1f0d0e5ac1a683 is the fix.
Comment 9 Stefan Dirsch 2017-06-10 11:48:31 UTC
Already fixed in factory/TW (xorg-server-1.19.3).
Comment 10 Bernhard Wiedemann 2017-06-10 12:01:03 UTC
This is an autogenerated message for OBS integration:
This bug (1025035) was mentioned in
https://build.opensuse.org/request/show/502781 Factory / xorg-x11-server
Comment 11 Stefan Dirsch 2017-06-11 12:16:50 UTC
Submitted to sle11-sp3: SR#133961
Submitted to sle11-sp1: SR#133962
Submitted to sle10-sp3: SR#133963

Reassigning to security team ...
Comment 12 Bernhard Wiedemann 2017-06-11 14:01:10 UTC
This is an autogenerated message for OBS integration:
This bug (1025035) was mentioned in
https://build.opensuse.org/request/show/502874 42.2 / xorg-x11-server
Comment 15 Swamp Workflow Management 2017-06-12 12:33:30 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-06-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63669
Comment 16 Swamp Workflow Management 2017-06-19 19:09:51 UTC
openSUSE-SU-2017:1610-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1025029,1025035,1025084
CVE References: CVE-2017-2624
Sources used:
openSUSE Leap 42.2 (src):    xorg-x11-server-7.6_1.18.3-12.15.2
Comment 17 Swamp Workflow Management 2017-06-26 13:14:34 UTC
SUSE-SU-2017:1675-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1019649,1021803,1025029,1025035,1025084,1025985,1032509,1039042
CVE References: CVE-2017-2624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Server 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
Comment 18 Swamp Workflow Management 2017-06-30 19:10:30 UTC
SUSE-SU-2017:1741-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1019649,1025029,1025035,1025084,981044
CVE References: CVE-2017-2624
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
Comment 19 Marcus Meissner 2017-07-01 08:11:26 UTC
released