Bug 907268 (CVE-2014-8091)

Summary: VUL-0: CVE-2014-8091: xorg-x11: Various issues: Protocol handling, integer overflows, etc.
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: abergmann, eich, heikki.ylipiessa, jsegitz, msrb, thomas
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
See Also: https://bugzilla.suse.com/show_bug.cgi?id=882226
Whiteboard: maint:released:sle11-sp3:60063 maint:released:sle11-sp1:60129
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: List of patches and how were they renamed and modified.

Description Johannes Segitz 2014-11-26 09:43:42 UTC
Created attachment 615053 [details]

*** EMBARGOED: Please keep confidential until 8am PST Tuesday, Dec 9, 2014 ***

X.Org Security Advisory:  Dec. 9, 2014
Protocol handling issues in X Window System servers


Ilja van Sprundel, a security researcher with IOActive, has discovered
a large number of issues in the way the X server code base handles
requests from X clients, and has worked with X.Org's security team to
analyze, confirm, and fix these issues.

Ilja's talk at the 30th Chaos Communication Congress (30C3) in Hamburg
last year ("X Security: it's worse than it looks") gave a preview of
these issues and discussed the general form of many of these, but did
not disclose the exact details of them.

The vulnerabilities could be exploited to cause the X server to
access uninitialized memory or overwrite arbitrary memory in the X
server process.  This can cause a denial of service (e.g., an X server
segmentation fault), or could be exploited to achieve arbitrary code

How critical these vulnerabilities are to any given installation depends
on whether they run an X server with root privileges or reduced privileges;
whether they run X servers exposed to network clients or limited to local
connections; and whether or not they allow use of the affected protocol
extensions, especially the GLX extension.

The GLX extension to the X Window System allows an X client to send X
protocol to the X server, to request that the X server perform OpenGL
rendering on behalf of the X client.  This is known as "GLX indirect
rendering", as opposed to "GLX direct rendering" where the X client
submits OpenGL rendering commands directly to the GPU, bypassing the
X server and avoiding the X server code for GLX protocol handling.

Most GLX indirect rendering implementations share some common ancestry,
dating back to "Sample Implementation" code from Silicon Graphics, Inc
(SGI), which SGI originally commercially licensed to other Unix workstation
and graphics vendors, and later released as open source, so those
vulnerabilities may affect other licensees of SGI's code base beyond
those running code from the X.Org Foundation or the XFree86 Project.

The vulnerabilities include:

- denial of service due to unchecked malloc in client authentication

   CVE-2014-8091: In servers built with support for SUN-DES-1 (Secure RPC)
   authentication credentials, an unauthenticated client may be able to
   crash the X server by sending a connection request specifying values
   that cause malloc to fail, causing the authentication routines to
   attempt to write data to the returned NULL pointer.  Since the request
   is limited to an unsigned 16-bit integer for the allocation size, it is
   unlikely to fail unless the server is severely memory

   Introduced in the initial revision of Secure RPC support in X11R5 (1991).

- integer overflows calculating memory needs for requests

   These calls do not check that their calculations for how much memory
   is needed to handle the client's request have not overflowed, so can
   result in out of bounds reads or writes.  These calls all occur only
   after a client has successfully authenticated itself.

   * CVE-2014-8092: X11 core protocol requests
     Affected functions: ProcPutImage(), GetHosts(), RegionSizeof(),

     Introduced in X11R1 (1987).

   * CVE-2014-8093: GLX extension
     Affected functions: __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(),
      __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(),
      GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(),
      GetMinmax(), GetColorTable(), __glXGetAnswerBuffer(),
      __GLX_GET_ANSWER_BUFFER(), __glXMap1dReqSize(), __glXMap1fReqSize(),
      Map2Size(), __glXMap2dReqSize(), __glXMap2fReqSize(),
      __glXImageSize(), __glXSeparableFilter2DReqSize()

     Originally developed by SGI and licensed to multiple vendors
      prior to SGI open sourcing the code in 1999.
     Included in XFree86 releases starting in XFree86 4.0 (2000).
     Included in X.Org releases starting in X11R6.7 (2004).

   * CVE-2014-8094: DRI2 extension
     Affected functions: ProcDRI2GetBuffers()

     Introduced in xorg-server-1.7.0 (2009).

- out of bounds access due to not validating length or offset values in requests

   These calls do not check that the lengths and/or indexes sent by the
   client are within the bounds specified by the caller or the bounds of
   the memory allocated to hold the request read from the client, so could
   read or write past the bounds of allocated memory while processing the
   request. These calls all occur only after a client has successfully
   authenticated itself.

   * CVE-2014-8095: XInput extension
     Affected functions: SProcXChangeDeviceControl(),
      ProcXChangeDeviceControl(), ProcXChangeFeedbackControl(),
      ProcXSendExtensionEvent(), SProcXIAllowEvents(), SProcXIChangeCursor(),
      ProcXIChangeHierarchy(), SProcXIGetClientPointer(), SProcXIGrabDevice(),
      SProcXIUngrabDevice(), ProcXIUngrabDevice(), SProcXIPassiveGrabDevice(),
      ProcXIPassiveGrabDevice(), SProcXIPassiveUngrabDevice(),
      ProcXIPassiveUngrabDevice(), SProcXListDeviceProperties(),
      SProcXDeleteDeviceProperty(), SProcXIListProperties(),
      SProcXIDeleteProperty(), SProcXIGetProperty(), SProcXIQueryDevice(),
      SProcXIQueryPointer(), SProcXISelectEvents(), SProcXISetClientPointer(),
      SProcXISetFocus(), SProcXIGetFocus(), SProcXIWarpPointer()
     Introduced in X11R4 (1989).

   * CVE-2014-8096: XC-MISC extension
     Affected functions: SProcXCMiscGetXIDList()

     Introduced in X11R6.0 (1994).

   * CVE-2014-8097: DBE extension
     Affected functions: ProcDbeSwapBuffers(), SProcDbeSwapBuffers()

     Introduced in X11R6.1 (1996).

   * CVE-2014-8098: GLX extension
     Affected functions: __glXDisp_Render(), __glXDisp_RenderLarge(),
      __glXDispSwap_VendorPrivate(), __glXDispSwap_VendorPrivateWithReply(),
      set_client_info(), __glXDispSwap_SetClientInfoARB(), DoSwapInterval(),
      DoGetProgramString(), DoGetString(), __glXDispSwap_RenderMode(),
      __glXDisp_GetCompressedTexImage(), __glXDispSwap_GetCompressedTexImage(),
      __glXDisp_FeedbackBuffer(), __glXDispSwap_FeedbackBuffer(),
      __glXDisp_SelectBuffer(), __glXDispSwap_SelectBuffer(),
      __glXDisp_Flush(), __glXDispSwap_Flush(),
      __glXDisp_Finish(), __glXDispSwap_Finish(),
      __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(),
      __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(),
      __glXDisp_GetPolygonStipple(), __glXDispSwap_GetPolygonStipple(),
      __glXDisp_GetSeparableFilter(), __glXDisp_GetSeparableFilterEXT(),
      __glXDisp_GetConvolutionFilter(), __glXDisp_GetConvolutionFilterEXT(),
      __glXDisp_GetHistogram(), __glXDisp_GetHistogramEXT(),
      __glXDisp_GetMinmax(), __glXDisp_GetMinmaxEXT(),
      __glXDisp_GetColorTable(), __glXDisp_GetColorTableSGI(),
      GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(),
      GetMinmax(), GetColorTable(),

     Originally developed by SGI and licensed to multiple vendors
      prior to SGI open sourcing the code in 1999.
     Included in XFree86 releases starting in XFree86 4.0 (2000).
     Included in X.Org releases starting in X11R6.7 (2004).

   * CVE-2014-8099: XVideo extension
     Affected functions: SProcXvQueryExtension(), SProcXvQueryAdaptors(),
      SProcXvQueryEncodings(), SProcXvGrabPort(), SProcXvUngrabPort(),
      SProcXvPutVideo(), SProcXvPutStill(), SProcXvGetVideo(),
      SProcXvGetStill(), SProcXvPutImage(), SProcXvShmPutImage(),
      SProcXvSelectVideoNotify(), SProcXvSelectPortNotify(),
      SProcXvStopVideo(), SProcXvSetPortAttribute(),
      SProcXvGetPortAttribute(), SProcXvQueryBestSize(),
      SProcXvQueryPortAttributes(), SProcXvQueryImageAttributes(),

     Introduced in XFree86 4.0.0 (2000).
     Included in X.Org releases starting in X11R6.7 (2004).

   * CVE-2014-8100: Render extension
     Affected functions: ProcRenderQueryVersion(), SProcRenderQueryVersion(),
      SProcRenderQueryPictFormats(), SProcRenderQueryPictIndexValues(),
      SProcRenderCreatePicture(), SProcRenderChangePicture(),
      SProcRenderSetPictureClipRectangles(), SProcRenderFreePicture(),
      SProcRenderComposite(), SProcRenderScale(), SProcRenderCreateGlyphSet(),
      SProcRenderReferenceGlyphSet(), SProcRenderFreeGlyphSet(),
      SProcRenderFreeGlyphs(), SProcRenderCompositeGlyphs()

     Introduced in XFree86 4.0.1 (2000).
     Included in X.Org releases starting in X11R6.7 (2004).

   * CVE-2014-8101: RandR extension
     Affected functions: SProcRRQueryVersion(), SProcRRGetScreenInfo(),
      SProcRRSelectInput(), SProcRRConfigureOutputProperty()

     Introduced in XFree86 4.2.0 (2002).
     Included in X.Org releases starting in X11R6.7 (2004).

   * CVE-2014-8102: XFixes extension
     Affected functions: SProcXFixesSelectSelectionInput()

     Introduced in X11R6.8.0 (2004).

   * CVE-2014-8103: DRI3 & Present extensions
     Affected functions: sproc_dri3_query_version(), sproc_dri3_open(),
      sproc_dri3_pixmap_from_buffer(), sproc_dri3_buffer_from_pixmap(),
      sproc_dri3_fence_from_fd(), sproc_dri3_fd_from_fence(),
      proc_present_query_capabilities(), sproc_present_query_version(),
      sproc_present_pixmap(), sproc_present_notify_msc(),
      sproc_present_select_input(), sproc_present_query_capabilities()

     Introduced in xorg-server-1.15.0 (2013).

Affected Versions

X.Org believes all versions of the affected functions contain these
flaws, dating back to their introduction.   In the above listings,
we've listed the earliest date of any of the affected functions in
a given protocol or area - some functions listed may not have been
introduced until later versions.


Fixes are available in git commits and patches which will be listed
on http://www.x.org/wiki/Development/Security/Advisory-2014-12-09
when this advisory is released.

Fixes are also planned to be included in the xorg-server-1.17.0 and
xorg-server-1.16.3 releases

Other providers of Xserver or GLX implementations based on the same
code base (the X Consortium or X.Org Foundation X sources, or the
SGI GLX sources) will announce the availability of any fixes necessary
for their implementations.


While the fixes cover all the cases currently known to X.Org, these are
not the first issues in this area and are unlikely to be the last.

Users can reduce their exposure to issues similar to the ones in this
advisory via these methods:

   * Configure the X server to prohibit X connections from the network
     by passing the "-nolisten tcp" command line option to the X server.
     Many OS distributions already set this option by default, and it
     will be set by default in the upstream X.Org release starting with
     Xorg 1.17.

   * Disable GLX indirect contexts.  Some implementations have a
     configuration option for this.  In Xorg 1.16 or newer, this can
     be achieved by setting the '-iglx' X server command line option.
     This option will be the default in Xorg 1.17 and later releases.

Consult your operating system's documentation for details on setting X
server command line options, as X servers are started by a variety of
different methods on different platforms (startx, gdm, kdm, xdm, etc.).


X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our
security team and assisting them in understanding them and evaluating our
fixes, and the following X.Org contributors for developing and reviewing
the fixes, tests, and advisory for these issues, and coordinating the
X.Org response to them:

     Adam Jackson (Red Hat)
     Alan Coopersmith (Oracle)
     Andy Ritger (NVIDIA)
     Julien Cristau (Debian)
     Keith Packard (Intel)
     Michal Srb (SuSE)
     Peter Hutterer (Red Hat)
     Robert Morell (NVIDIA)
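
The two bug classes the advisory describes (overflowed size calculations and unvalidated offset/length values), shown as an added example; this is not code from the X server or from the X.Org patches, and the request layout, constants and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format: 4-byte header with a client-chosen element
 * count, followed by `count` 8-byte elements. Not an X11 request. */
#define HDR_BYTES  4u
#define ELEM_BYTES 8u

/* Bug class 1: the 32-bit size calculation can wrap, so a huge count
 * produces a small "needed" value that matches a short request. */
static bool size_ok_unchecked(uint32_t count, uint32_t req_bytes)
{
    uint32_t needed = HDR_BYTES + count * ELEM_BYTES; /* may wrap */
    return needed == req_bytes;
}

/* Hardened: refuse counts whose size cannot be represented, then
 * compare against the number of bytes actually received. */
static bool size_ok_checked(uint32_t count, uint32_t req_bytes)
{
    if (count > (UINT32_MAX - HDR_BYTES) / ELEM_BYTES)
        return false;
    return HDR_BYTES + count * ELEM_BYTES == req_bytes;
}

/* Bug class 2, hardened form: a client-supplied offset/length pair must
 * lie inside the received request. Written so offset + len never wraps. */
static bool range_in_request(uint32_t offset, uint32_t len, uint32_t req_bytes)
{
    return offset <= req_bytes && len <= req_bytes - offset;
}

int main(void)
{
    /* Constructed sample: 0x20000001 * 8 wraps to 8, so needed == 12. */
    uint32_t count = 0x20000001u, req_bytes = 12u;
    printf("unchecked accepts: %d\n", size_ok_unchecked(count, req_bytes));
    printf("checked accepts:   %d\n", size_ok_checked(count, req_bytes));
    printf("range 8+4 in 12:   %d\n", range_in_request(8u, 4u, req_bytes));
    printf("range wraps:       %d\n", range_in_request(8u, 0xFFFFFFFCu, req_bytes));
    return 0;
}
```
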
Comment 2 Alexander Bergmann 2014-11-26 09:51:38 UTC
*** Bug 907140 has been marked as a duplicate of this bug. ***
Comment 8 Swamp Workflow Management 2014-12-03 09:59:40 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-12-10.
When done, reassign the bug to security-team@suse.de.
Comment 10 Michal Srb 2014-12-03 13:59:07 UTC
Created attachment 615758 [details]
List of patches and how were they renamed and modified.

SLE11 SP3:

Comment 11 Michal Srb 2014-12-05 14:16:37 UTC
Assigning to security team.
Comment 12 Johannes Segitz 2014-12-09 16:19:50 UTC
Comment 13 Johannes Segitz 2014-12-10 09:02:31 UTC
From: Alan Coopersmith <alan.coopersmith@oracle.com>

Fixes are now available in the X.Org master git repositories for the Xserver
1.17 development branch ("master") & 1.16 stable branch ("server-1.16-branch").

Additionally they are included in today's release of xorg-server
(Release Candidate 1 for 1.16.3):

For those who either used the patches mailed to the distros list during embargo
or pulled changes from my personal git repository earlier today, please note
there are some additional changes that were made due to issues raised when the
patches were on final approach this morning.  These fixes mostly silence
compiler warnings, but also fix at least one bug in calculating buffer sizes
that could result in false failures or allowing overflows.  These added patches

dbe: Call to DDX SwapBuffers requires address of int, not unsigned int
[CVE-2014-8097 pt. 2]

glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]

Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]

dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]

They are also included with all the earlier patches in the list now posted to:


Since these additional commits went into the X.Org master repo as part of the
same pull request as the earlier fixes, X.Org considers them to be part of the
fix for the CVEs in this advisory and does not believe new CVE ids are
warranted as X.Org distributed no version of its code in which only part of
these fixes were present.
Comment 15 Michal Srb 2014-12-10 15:06:47 UTC
Added the important additional patches:

SLE11 SP3:

Comment 18 Bernhard Wiedemann 2014-12-17 16:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (907268) was mentioned in
https://build.opensuse.org/request/show/265579 13.2+13.1+12.3 / xorg-x11-server
Comment 20 Stefan Dirsch 2014-12-17 16:45:39 UTC
Michal is/was working on this one. Hence reassigning to him instead.
Comment 22 Swamp Workflow Management 2014-12-27 21:06:45 UTC
openSUSE-SU-2014:1719-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 856931,907268,908258
CVE References: CVE-2014-8091,CVE-2014-8092,CVE-2014-8093,CVE-2014-8094,CVE-2014-8095,CVE-2014-8096,CVE-2014-8097,CVE-2014-8098,CVE-2014-8099,CVE-2014-8100,CVE-2014-8101,CVE-2014-8102,CVE-2014-8103
Sources used:
openSUSE 13.2 (src):    xorg-x11-server-7.6_1.16.1-5.1
openSUSE 13.1 (src):    xorg-x11-server-7.6_1.14.3.901-12.1
openSUSE 12.3 (src):    xorg-x11-server-7.6_1.13.2-1.29.1
Comment 25 Egbert Eich 2015-01-02 16:57:23 UTC
Since the maint update is running already, assigning back to the security team.
Comment 26 Egbert Eich 2015-01-02 22:42:03 UTC
*** Bug 882226 has been marked as a duplicate of this bug. ***
Comment 27 Heikki Ylipiessa 2015-01-14 10:47:44 UTC
What's up with the release date for this fix?
When will the updated xorg packages be available for SLE11SP3 and SLE12?
Comment 28 Johannes Segitz 2015-01-14 11:10:09 UTC
(In reply to Heikki Ylipiessa from comment #27)
QA for SLE 11 SP3 finished yesterday, I just released the update. For SLE 12 it's still in QA, I will contact them and ask them to prioritize it.
Comment 29 Johannes Segitz 2015-01-14 11:43:48 UTC
(In reply to Johannes Segitz from comment #28)
Just got feedback, SLE 12 testing should finish today.
Comment 30 Swamp Workflow Management 2015-01-14 22:05:14 UTC
SUSE-SU-2015:0045-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 864911,886213,907268,907633
CVE References: CVE-2014-8091,CVE-2014-8092,CVE-2014-8093,CVE-2014-8094,CVE-2014-8095,CVE-2014-8096,CVE-2014-8097,CVE-2014-8098,CVE-2014-8099,CVE-2014-8100,CVE-2014-8101,CVE-2014-8102
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xorg-x11-server-7.4-27.101.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    xorg-x11-server-7.4-27.101.1
SUSE Linux Enterprise Server 11 SP3 (src):    xorg-x11-server-7.4-27.101.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xorg-x11-server-7.4-27.101.1
Comment 35 Swamp Workflow Management 2015-01-15 12:04:57 UTC
SUSE-SU-2015:0047-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 907268
CVE References: CVE-2014-8091,CVE-2014-8092,CVE-2014-8093,CVE-2014-8094,CVE-2014-8095,CVE-2014-8096,CVE-2014-8097,CVE-2014-8098,CVE-2014-8099,CVE-2014-8100,CVE-2014-8101,CVE-2014-8102,CVE-2014-8103
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-17.2
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-17.2
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-17.2
Comment 36 Marcus Meissner 2015-01-23 13:37:26 UTC
Released, I think.