Bugzilla – Full Text Bug Listing
Summary: | VUL-0: CVE-2020-25712: xorg-x11-server: XkbSetDeviceInfo Heap-based Buffer Overflow Privilege Escalation (ZDI-CAN-11839) | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Wolfgang Frisch <wolfgang.frisch> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | ||
Priority: | P3 - Medium | CC: | atoptsoglou, smash_bz, sndirsch, wolfgang.frisch |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/269136/ | ||
Whiteboard: | CVSSv3.1:SUSE:CVE-2020-25712:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | ||
Found By: | --- | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Comment 17
Wolfgang Frisch
2020-11-16 12:59:22 UTC
I'm afraid I found an issue with the patch.

[ 60s] xkb.c: In function '_XkbSetDeviceInfoCheck':
[ 60s] xkb.c:6800:14: warning: 'sz' may be used uninitialized in this function [-Wmaybe-uninitialized]
[ 60s] if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
[ 60s] ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am using the one from the zip file.

@@ -6635,6 +6663,10 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, return BadAlloc; dev->button->xkb_acts = acts; } + if (stuff->firstBtn + stuff->nBtns > nBtns) + return BadValue; + if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) + return BadLength; sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz); wire += sz;

This looks indeed weird. The one you posted later is indeed different.
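Review bot: in the added lines the `_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)` call comes before the `sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);` assignment, so the end pointer is computed from an uninitialized `sz` (exactly what the -Wmaybe-uninitialized warning above reports) and the check does not bound the `memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz)` that follows. Move the `sz = ...` line above the `_XkbCheckRequestBounds` call so the range that is checked is the range that is copied; the `stuff->firstBtn + stuff->nBtns > nBtns` test on the destination index is fine as is.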
@@ -6683,7 +6698,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, return BadAlloc; dev->button->xkb_acts = acts; } + if (stuff->firstBtn + stuff->nBtns > nBtns) + return BadValue; sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); + if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) + return BadLength; memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz); wire += sz; ed.reason |= XkbXI_ButtonActionsMask;

This makes more sense to me. What do you think? I'm afraid I need to redo everything. :-(

(In reply to Stefan Dirsch from comment #18)
> I'm afraid I found an issue with the patch.
>
> [ 60s] xkb.c: In function '_XkbSetDeviceInfoCheck':
> [ 60s] xkb.c:6800:14: warning: 'sz' may be used uninitialized in this
> function [-Wmaybe-uninitialized]
> [ 60s] if (!_XkbCheckRequestBounds(client, stuff, wire, (char *)
> wire + sz))
> [ 60s]
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> [...]
>
> This makes more sense to me. What do you think? I'm afraid I need to redo
> everything. :-(

Unfortunately I agree. The original upstream patch is definitely faulty.

Fixed. Packages with fixed patch submitted.

now public through oss

CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow

Insufficient checks on input of the XkbSetDeviceInfo request can lead to a buffer overflow on the heap in the X server.

Just submitted to factory/TW. Reassigning.

This is an autogenerated message for OBS integration:
This bug (1177596) was mentioned in
https://build.opensuse.org/request/show/852408 Factory / xorg-x11-server

SUSE-SU-2020:3588-1: An update that fixes two vulnerabilities is now available.
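Review bot: the ordering in this hunk is the correct one: `sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);` now precedes `_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)`, so the range handed to the bounds check is exactly the range the `memcpy` reads, and `stuff->firstBtn + stuff->nBtns > nBtns` rejects a destination index past the end of `acts` before any copy happens. Since the hunk only shows the button-actions block, the same compute-then-check-then-copy order should be confirmed for every other `memcpy` from `wire` in `_XkbSetDeviceInfoCheck` before the rebuilt package goes out.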
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src): xorg-x11-server-1.20.3-22.5.16.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): xorg-x11-server-1.20.3-22.5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xorg-x11-server-1.20.3-22.5.16.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3589-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise Server 15-LTSS (src): xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xorg-x11-server-1.19.6-8.27.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3582-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xorg-x11-server-1.19.6-4.19.1
SUSE OpenStack Cloud 9 (src): xorg-x11-server-1.19.6-4.19.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xorg-x11-server-1.19.6-4.19.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xorg-x11-server-1.19.6-4.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3587-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xorg-x11-server-1.19.6-10.20.1
SUSE Linux Enterprise Server 12-SP5 (src): xorg-x11-server-1.19.6-10.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3586-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src): xorg-x11-server-1.20.3-14.5.13.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): xorg-x11-server-1.20.3-14.5.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xorg-x11-server-1.20.3-14.5.13.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3585-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE OpenStack Cloud 8 (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE OpenStack Cloud 7 (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Enterprise Storage 5 (src): xorg-x11-server-7.6_1.18.3-76.37.1
HPE Helion Openstack 8 (src): xorg-x11-server-7.6_1.18.3-76.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:14553-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xorg-x11-server-7.4-27.122.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:2147-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): xorg-x11-server-1.20.3-lp152.8.12.1

openSUSE-SU-2020:2186-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): xorg-x11-server-1.20.3-lp151.4.9.1

Released.