Bug 50206 (CVE-2004-0094)

Summary: VUL-0: CVE-2004-0094: XFree86: remote denial-of-service
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: security-team, sndirsch
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0094: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: xfree86_4.1.0_glx_dri_outofbounds_index-security.diff
patchinfo-box.glxdri
patchinfo.glxdri

Description Thomas Biege 2004-03-01 20:09:50 UTC
Hi Stefan, 
Debian mentioned in their XFree86 advisory (http://www.debian.org/security/2004/dsa-443) 
two other bugs (CAN-2004-0093, CAN-2004-0094), that we seem not to have fixed. 
 
Can you verify that we have fixed them in STABLE, please? 
 
(patch: http://security.debian.org/pool/updates/main/x/xfree86/xfree86_4.1.0-16woody3.diff.gz)
Comment 1 Thomas Biege 2004-03-01 20:09:50 UTC
-
Comment 2 Stefan Dirsch 2004-03-01 23:05:13 UTC
~> du -h xfree86_4.1.0-16woody3.diff 
9,2M    xfree86_4.1.0-16woody3.diff 
 
I will refuse this patch, also for STABLE. I simply don't have the time 
for verifying a 9 MB patch. 
Comment 3 Thomas Biege 2004-03-01 23:15:22 UTC
:) 
No need to panic. I'll strip it down for you. 
Comment 4 Thomas Biege 2004-03-02 00:25:33 UTC
Created attachment 16289 [details]
xfree86_4.1.0_glx_dri_outofbounds_index-security.diff
Comment 5 Stefan Dirsch 2004-03-02 00:41:31 UTC
Thanks. Verified. The patch is already in our XFree86 sources of STABLE as 
it was committed to XFree86 CVS. It was committed to XFree86 CVS on 2002/12/14, 
i.e. after SuSE 9.0 release. 
Comment 6 Thomas Biege 2004-03-02 19:57:48 UTC
"after SuSE 9.0 release"? 
 
I found the vulnerable code in 8.0 and 8.1 only. 
 
I can't see a direct exploitability except for the crash. 
(But due to a bad cold I feel a bit dizzy...) 
 
Stefan, how can this bug be triggered remotely? 
And can this bug be triggered remotely by default? 
Is authentication needed? 
Comment 7 Stefan Dirsch 2004-03-02 20:09:20 UTC
Yes, it was committed into XFree86 CVS after SuSE 9.0 was released. This 
doesn't mean that SuSE 9.0 needs to be affected by this security problem.  
 
Only 8.0 and 8.1 is not much help for me as 8.1 is SLES8 and then I need to 
update nearly all maintained distributions.  
 
I don't know how to trigger the problem remotely or whether it can be triggered 
remotely by default. I assume that you need an OpenGL program for this (IIRC 
libGL is communicating with the glx Extension in the server). What do you mean 
by "authentication needed"?  
 
BTW, you're the security experts, not me. :-) 
 
Comment 8 Thomas Biege 2004-03-02 20:37:16 UTC
authentication: 
Like ssh -X remote.si.de "xosview", or Cookies or xhost, ... 
No one can trigger this bug on the X-server without some kind of 
authentication beforehand, right? 
 
8.1 and maintained products: 
thomas@bragg:~/work> md5sum 8.1/xf86/XFree86-4.2.0.tar.bz2 
501bce4f8e01fa7d90564aaec0a3428c  8.1/xf86/XFree86-4.2.0.tar.bz2 
thomas@bragg:~/work> md5sum SLES8/xf86/XFree86-4.2.0.tar.bz2 
501bce4f8e01fa7d90564aaec0a3428c  SLES8/xf86/XFree86-4.2.0.tar.bz2 
 
Comment 9 Stefan Dirsch 2004-03-02 21:45:57 UTC
Sure, you need access to the Xserver with some sort of authentication to be 
able to trigger this bug. :-) 
 
I don't understand what you want to tell me with the md5sums. 
 
Comment 10 Thomas Biege 2004-03-02 22:29:19 UTC
md5sums: 
Both sources are the same, so fixing 8.1 includes SLES8 and SLES8-based 
products too. 
So I see no reason why it would be more work, as you suggested in comment #7. 
Comment 11 Stefan Dirsch 2004-03-02 22:42:38 UTC
You're right. It's only 
 
Sources                                            /work/src/done/<dir>    
-----------------------------------------------------------------------    
/work/SRC/old-versions/8.0/all/xf86                8.0    
/work/SRC/old-versions/8.1/UL/all/xf86             8.1    
    
this time. I'm already running in panic mode ... 
 
Comment 12 Thomas Biege 2004-03-03 18:11:54 UTC
Created attachment 16321 [details]
patchinfo-box.glxdri
Comment 13 Thomas Biege 2004-03-03 18:12:23 UTC
Created attachment 16322 [details]
patchinfo.glxdri
Comment 14 Stefan Dirsch 2004-03-03 18:25:45 UTC
7.2-s390,sles7-i386,sles7-ia64,sles7-ppc,sles7-s390x,sles8-ppc,sles8-s390,sles8-s390x,ul1-i386,ul1-ia64,ul1-x86_64 
 
in the Distribution line should be 
 
sles8-ppc,sles8-s390,sles8-s390x,ul1-i386,ul1-ia64,ul1-x86_64 
 
as SLES7 is SuSE 7.2/7.3 based. 
Comment 15 Stefan Dirsch 2004-03-03 22:50:44 UTC
And the update packages should be "xloader xmodules xf86_glx" instead of 
"xf86". I'll adjust the patchinfo files. 
Comment 16 Stefan Dirsch 2004-03-03 23:56:30 UTC
Fixed now (including all the tmp races of Bug 48716). Packages now in 
 
/work/src/done/8.0/xf86 
/work/src/done/8.1/xf86 
 
patchinfo files copied to /work/src/done/PATCHINFO. 
 
Thomas can take care of this now. :-) 
Comment 17 Thomas Biege 2004-03-04 00:15:14 UTC
Thanks. 
Comment 18 Thomas Biege 2004-03-15 19:01:49 UTC
packages approved (YOU only test). 
Comment 19 Thomas Biege 2009-10-13 20:16:10 UTC
CVE-2004-0094: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)