Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2014-8091: xorg-x11: Various issues: Protocol handling, integer overflows, etc.|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Johannes Segitz <jsegitz>|
|Component:||Incidents||Assignee:||Security Team bot <security-team>|
|Status:||RESOLVED FIXED||QA Contact:||Security Team bot <security-team>|
|Priority:||P5 - None||CC:||abergmann, eich, heikki.ylipiessa, jsegitz, msrb, thomas|
|Found By:||---||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
|Attachments:||List of patches and how were they renamed and modified.|
Description Johannes Segitz 2014-11-26 09:43:42 UTC
Created attachment 615053 [details] Patcheset *** EMBARGOED: Please keep confidential until 8am PST Tuesday, Dec 9, 2014 *** X.Org Security Advisory: Dec. 9, 2014 Protocol handling issues in X Window System servers =================================================== Description: ============ Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way the X server code base handles requests from X clients, and has worked with X.Org's security team to analyze, confirm, and fix these issues. Ilja's talk at the 30th Chaos Communication Congress (30C3) in Hamburg last year ("X Security: it's worse than it looks") gave a preview of these issues and discussed the general form of many of these, but did not disclose the exact details of them. The vulnerabilities could be exploited to cause the X server to access uninitialized memory or overwrite arbitrary memory in the X server process. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution. How critical these vulnerabilities are to any given installation depends on whether they run an X server with root privileges or reduced privileges; whether they run X servers exposed to network clients or limited to local connections; and whether or not they allow use of the affected protocol extensions, especially the GLX extension. The GLX extension to the X Window System allows an X client to send X protocol to the X server, to request that the X server perform OpenGL rendering on behalf of the X client. This is known as "GLX indirect rendering", as opposed to "GLX direct rendering" where the X client submits OpenGL rendering commands directly to the GPU, bypassing the X server and avoiding the X server code for GLX protocol handling. Most GLX indirect rendering implementations share some common ancestry, dating back to "Sample Implementation" code from Silicon Graphics, Inc (SGI), which SGI originally commercially licensed to other Unix workstation and graphics vendors, and later released as open source, so those vulnerabilities may affect other licensees of SGI's code base beyond those running code from the X.Org Foundation or the XFree86 Project. The vulnerabilities include: - denial of service due to unchecked malloc in client authentication CVE-2014-8091: In servers built with support for SUN-DES-1 (Secure RPC) authentication credentials, an unauthenticated client may be able to crash the X server by sending a connection request specifying values that cause malloc to fail, causing the authentication routines to attempt to write data to the returned NULL pointer. Since the request is limited to an unsigned 16-bit integer for the allocation size, it is unlikely to fail unless the server is severely memory constrained. Introduced in the initial revision of Secure RPC support in X11R5 (1991). - integer overflows calculating memory needs for requests These calls do not check that their calculations for how much memory is needed to handle the client's request have not overflowed, so can result in out of bounds reads or writes. These calls all occur only after a client has successfully authenticated itself. * CVE-2014-8092: X11 core protocol requests Affected functions: ProcPutImage(), GetHosts(), RegionSizeof(), REQUEST_FIXED_SIZE() Introduced in X11R1 (1987). * CVE-2014-8093: GLX extension Affected functions: __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(), __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(), GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(), GetMinmax(), GetColorTable(), __glXGetAnswerBuffer(), __GLX_GET_ANSWER_BUFFER(), __glXMap1dReqSize(), __glXMap1fReqSize(), Map2Size(), __glXMap2dReqSize(), __glXMap2fReqSize(), __glXImageSize(), __glXSeparableFilter2DReqSize() Originally developed by SGI and licensed to multiple vendors prior to SGI open sourcing the code in 1999. Included in XFree86 releases starting in XFree86 4.0 (2000). Included in X.Org releases starting in X11R6.7 (2004). * CVE-2014-8094: DRI2 extension Affected functions: ProcDRI2GetBuffers() Introduced in xorg-server-1.7.0 (2009). - out of bounds access due to not validating length or offset values in requests These calls do not check that the lengths and/or indexes sent by the client are within the bounds specified by the caller or the bounds of the memory allocated to hold the request read from the client, so could read or write past the bounds of allocated memory while processing the request. These calls all occur only after a client has successfully authenticated itself. * CVE-2014-8095: XInput extension Affected functions: SProcXChangeDeviceControl(), ProcXChangeDeviceControl(), ProcXChangeFeedbackControl(), ProcXSendExtensionEvent(), SProcXIAllowEvents(), SProcXIChangeCursor(), ProcXIChangeHierarchy(), SProcXIGetClientPointer(), SProcXIGrabDevice(), SProcXIUngrabDevice(), ProcXIUngrabDevice(), SProcXIPassiveGrabDevice(), ProcXIPassiveGrabDevice(), SProcXIPassiveUngrabDevice(), ProcXIPassiveUngrabDevice(), SProcXListDeviceProperties(), SProcXDeleteDeviceProperty(), SProcXIListProperties(), SProcXIDeleteProperty(), SProcXIGetProperty(), SProcXIQueryDevice(), SProcXIQueryPointer(), SProcXISelectEvents(), SProcXISetClientPointer(), SProcXISetFocus(), SProcXIGetFocus(), SProcXIWarpPointer() Introduced in X11R4 (1989). * CVE-2014-8096: XC-MISC extension Affected functions: SProcXCMiscGetXIDList() Introduced in X11R6.0 (1994). * CVE-2014-8097: DBE extension Affected functions: ProcDbeSwapBuffers(), SProcDbeSwapBuffers() Introduced in X11R6.1 (1996). * CVE-2014-8098: GLX extension Affected functions: __glXDisp_Render(), __glXDisp_RenderLarge(), __glXDispSwap_VendorPrivate(), __glXDispSwap_VendorPrivateWithReply(), set_client_info(), __glXDispSwap_SetClientInfoARB(), DoSwapInterval(), DoGetProgramString(), DoGetString(), __glXDispSwap_RenderMode(), __glXDisp_GetCompressedTexImage(), __glXDispSwap_GetCompressedTexImage(), __glXDisp_FeedbackBuffer(), __glXDispSwap_FeedbackBuffer(), __glXDisp_SelectBuffer(), __glXDispSwap_SelectBuffer(), __glXDisp_Flush(), __glXDispSwap_Flush(), __glXDisp_Finish(), __glXDispSwap_Finish(), __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(), __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(), __glXDisp_GetPolygonStipple(), __glXDispSwap_GetPolygonStipple(), __glXDisp_GetSeparableFilter(), __glXDisp_GetSeparableFilterEXT(), __glXDisp_GetConvolutionFilter(), __glXDisp_GetConvolutionFilterEXT(), __glXDisp_GetHistogram(), __glXDisp_GetHistogramEXT(), __glXDisp_GetMinmax(), __glXDisp_GetMinmaxEXT(), __glXDisp_GetColorTable(), __glXDisp_GetColorTableSGI(), GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(), GetMinmax(), GetColorTable(), Originally developed by SGI and licensed to multiple vendors prior to SGI open sourcing the code in 1999. Included in XFree86 releases starting in XFree86 4.0 (2000). Included in X.Org releases starting in X11R6.7 (2004). * CVE-2014-8099: XVideo extension Affected functions: SProcXvQueryExtension(), SProcXvQueryAdaptors(), SProcXvQueryEncodings(), SProcXvGrabPort(), SProcXvUngrabPort(), SProcXvPutVideo(), SProcXvPutStill(), SProcXvGetVideo(), SProcXvGetStill(), SProcXvPutImage(), SProcXvShmPutImage(), SProcXvSelectVideoNotify(), SProcXvSelectPortNotify(), SProcXvStopVideo(), SProcXvSetPortAttribute(), SProcXvGetPortAttribute(), SProcXvQueryBestSize(), SProcXvQueryPortAttributes(), SProcXvQueryImageAttributes(), SProcXvListImageFormats() Introduced in XFree86 4.0.0 (2000). Included in X.Org releases starting in X11R6.7 (2004). * CVE-2014-8100: Render extension Affected functions: ProcRenderQueryVersion(), SProcRenderQueryVersion(), SProcRenderQueryPictFormats(), SProcRenderQueryPictIndexValues(), SProcRenderCreatePicture(), SProcRenderChangePicture(), SProcRenderSetPictureClipRectangles(), SProcRenderFreePicture(), SProcRenderComposite(), SProcRenderScale(), SProcRenderCreateGlyphSet(), SProcRenderReferenceGlyphSet(), SProcRenderFreeGlyphSet(), SProcRenderFreeGlyphs(), SProcRenderCompositeGlyphs() Introduced in XFree86 4.0.1 (2000). Included in X.Org releases starting in X11R6.7 (2004). * CVE-2014-8101: RandR extension Affected functions: SProcRRQueryVersion(), SProcRRGetScreenInfo(), SProcRRSelectInput(), SProcRRConfigureOutputProperty() Introduced in XFree86 4.2.0 (2002). Included in X.Org releases starting in X11R6.7 (2004). * CVE-2014-8102: XFixes extension Affected functions: SProcXFixesSelectSelectionInput() Introduced in X11R6.8.0 (2004). * CVE-2014-8103: DRI3 & Present extensions Affected functions: sproc_dri3_query_version(), sproc_dri3_open(), sproc_dri3_pixmap_from_buffer(), sproc_dri3_buffer_from_pixmap(), sproc_dri3_fence_from_fd(), sproc_dri3_fd_from_fence(), proc_present_query_capabilities(), sproc_present_query_version(), sproc_present_pixmap(), sproc_present_notify_msc(), sproc_present_select_input(), sproc_present_query_capabilities() Introduced in xorg-server-1.15.0 (2013). Affected Versions ================= X.Org believes all versions of the affected functions contain these flaws, dating back to their introduction. In the above listings, we've listed the earliest date of any of the affected functions in a given protocol or area - some functions listed may not have been introduced until later versions. Fixes ===== Fixes are available in git commits and patches which will be listed on http://www.x.org/wiki/Development/Security/Advisory-2014-12-09 when this advisory is released. Fixes are also planned to be included in the xorg-server-1.17.0 and xorg-server-1.16.3 releases Other providers of Xserver or GLX implementations based on the same code base (the X Consortium or X.Org Foundation X sources, or the SGI GLX sources) will announce the availability of any fixes necessary for their implementations. Mitigation ========== While the fixes cover all the cases currently known to X.Org, these are not the first issues in this area and are unlikely to be the last. Users can reduce their exposure to issues similar to the ones in this advisory via these methods: * Configure the X server to prohibit X connections from the network by passing the "-nolisten tcp" command line option to the X server. Many OS distributions already set this option by default, and it will be set by default in the upstream X.Org release starting with Xorg 1.17. * Disable GLX indirect contexts. Some implementations have a configuration option for this. In Xorg 1.16 or newer, this can be achieved by setting the '-iglx' X server command line option. This option will be the default in Xorg 1.17 and later releases. Consult your operating system's documentation for details on setting X server command line options, as X servers are started by a variety of different methods on different platforms (startx, gdm, kdm, xdm, etc.). Thanks ====== X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our security team and assisting them in understanding them and evaluating our fixes, and the following X.Org contributors for developing and reviewing the fixes, tests, and advisory for these issues, and coordinating the X.Org response to them: Adam Jackson (Red Hat) Alan Coopersmith (Oracle) Andy Ritger (NVIDIA) Julien Cristau (Debian) Keith Packard (Intel) Michal Srb (SuSE) Peter Hutterer (Red Hat) Robert Morell (NVIDIA)
Comment 2 Alexander Bergmann 2014-11-26 09:51:38 UTC
*** Bug 907140 has been marked as a duplicate of this bug. ***
Comment 8 Swamp Workflow Management 2014-12-03 09:59:40 UTC
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-12-10. When done, reassign the bug to firstname.lastname@example.org. https://swamp.suse.de/webswamp/wf/59900
Comment 10 Michal Srb 2014-12-03 13:59:07 UTC
Created attachment 615758 [details] List of patches and how were they renamed and modified. SLE11 SP3: https://build.suse.de/request/show/47067 SLE12: https://build.suse.de/request/show/47068
Comment 11 Michal Srb 2014-12-05 14:16:37 UTC
Assigning to security team.
Comment 12 Johannes Segitz 2014-12-09 16:19:50 UTC
Comment 13 Johannes Segitz 2014-12-10 09:02:31 UTC
From: Alan Coopersmith <email@example.com> Fixes are now available in the X.Org master git repositories for the Xserver 1.17 development branch ("master") & 1.16 stable branch ("server-1.16-branch"). Additionally they are included in today's release of xorg-server 126.96.36.1991 (Release Candidate 1 for 1.16.3): http://lists.x.org/archives/xorg-announce/2014-December/002501.html For those who either used the patches mailed to the distros list during embargo or pulled changes from my personal git repository earlier today, please note there are some additional changes that were made due to issues raised when the patches were on final approach this morning. These fixes mostly silence compiler warnings, but also fix at least one bug in calculating buffer sizes that could result in false failures or allowing overflows. These added patches are: dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2] http://cgit.freedesktop.org/xorg/xserver/commit/?id=b20912c3d45cbbde3c443e6c3d9e189092fe65e1 glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9] http://cgit.freedesktop.org/xorg/xserver/commit/?id=61b17c0f10307e25e51e30e6fb1d3e3127f82d86 Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5] http://cgit.freedesktop.org/xorg/xserver/commit/?id=9802a0162f738de03585ca3f3b8a8266494f7d45 dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6] http://cgit.freedesktop.org/xorg/xserver/commit/?id=1559a94395258fd73e369f1a2c98a44bfe21a486 They are also included with all the earlier patches in the list now posted to: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09 Since these additional commits went into the X.Org master repo as part of the same pull request as the earlier fixes, X.Org considers them to be part of the fix for the CVE's in this advisory and does not believe new CVE id's are warranted as X.Org distributed no version of its code in which only part of these fixes were present.
Comment 15 Michal Srb 2014-12-10 15:06:47 UTC
Added the important additional patches: SLE11 SP3: https://build.suse.de/request/show/47240 SLE12: https://build.suse.de/request/show/47242
Comment 18 Bernhard Wiedemann 2014-12-17 16:00:11 UTC
This is an autogenerated message for OBS integration: This bug (907268) was mentioned in https://build.opensuse.org/request/show/265579 13.2+13.1+12.3 / xorg-x11-server
Comment 20 Stefan Dirsch 2014-12-17 16:45:39 UTC
Michal is/was working on this one. Hence reassigning to him instead.
Comment 22 Swamp Workflow Management 2014-12-27 21:06:45 UTC
openSUSE-SU-2014:1719-1: An update that fixes 13 vulnerabilities is now available. Category: security (moderate) Bug References: 856931,907268,908258 CVE References: CVE-2014-8091,CVE-2014-8092,CVE-2014-8093,CVE-2014-8094,CVE-2014-8095,CVE-2014-8096,CVE-2014-8097,CVE-2014-8098,CVE-2014-8099,CVE-2014-8100,CVE-2014-8101,CVE-2014-8102,CVE-2014-8103 Sources used: openSUSE 13.2 (src): xorg-x11-server-7.6_1.16.1-5.1 openSUSE 13.1 (src): xorg-x11-server-7.6_188.8.131.521-12.1 openSUSE 12.3 (src): xorg-x11-server-7.6_1.13.2-1.29.1
Comment 25 Egbert Eich 2015-01-02 16:57:23 UTC
Since the maint update is running already assigning back to the security team.
Comment 26 Egbert Eich 2015-01-02 22:42:03 UTC
*** Bug 882226 has been marked as a duplicate of this bug. ***
Comment 27 Heikki Ylipiessa 2015-01-14 10:47:44 UTC
What's up with the release date for this fix ??? When the updated xorg packages are available for SLE11SP3 and SLE12 ??
Comment 28 Johannes Segitz 2015-01-14 11:10:09 UTC
(In reply to Heikki Ylipiessa from comment #27) QA for SLE 11 SP3 finished yesterday, I just released the update. For SLE 12 it's still in QA, I will contact them and ask them to prioritize it.
Comment 29 Johannes Segitz 2015-01-14 11:43:48 UTC
(In reply to Johannes Segitz from comment #28) Just got feedback, SLE 12 testing should finish today.
Comment 30 Swamp Workflow Management 2015-01-14 22:05:14 UTC
SUSE-SU-2015:0045-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 864911,886213,907268,907633 CVE References: CVE-2014-8091,CVE-2014-8092,CVE-2014-8093,CVE-2014-8094,CVE-2014-8095,CVE-2014-8096,CVE-2014-8097,CVE-2014-8098,CVE-2014-8099,CVE-2014-8100,CVE-2014-8101,CVE-2014-8102 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xorg-x11-server-7.4-27.101.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): xorg-x11-server-7.4-27.101.1 SUSE Linux Enterprise Server 11 SP3 (src): xorg-x11-server-7.4-27.101.1 SUSE Linux Enterprise Desktop 11 SP3 (src): xorg-x11-server-7.4-27.101.1
Comment 35 Swamp Workflow Management 2015-01-15 12:04:57 UTC
SUSE-SU-2015:0047-1: An update that fixes 13 vulnerabilities is now available. Category: security (moderate) Bug References: 907268 CVE References: CVE-2014-8091,CVE-2014-8092,CVE-2014-8093,CVE-2014-8094,CVE-2014-8095,CVE-2014-8096,CVE-2014-8097,CVE-2014-8098,CVE-2014-8099,CVE-2014-8100,CVE-2014-8101,CVE-2014-8102,CVE-2014-8103 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): xorg-x11-server-7.6_1.15.2-17.2 SUSE Linux Enterprise Server 12 (src): xorg-x11-server-7.6_1.15.2-17.2 SUSE Linux Enterprise Desktop 12 (src): xorg-x11-server-7.6_1.15.2-17.2
Comment 36 Marcus Meissner 2015-01-23 13:37:26 UTC
released i think