Bugzilla – Bug 1025035
VUL-1: xorg-x11-server: Potential Use after Free in Xorg Server in XdmToID()
Last modified: 2020-01-15 17:46:23 UTC
Embargoed until CRD 2017-02-28.

Received via private discussion on mailing list:

Summary and Impact
------------------

In XDM there is a (currently non-security) issue regarding a potential use after free. The ToID() function in os/auth.c is not used anywhere; it is just defined in the struct and filled by the protocols, but there are no users.

    AuthToIDFunc ToID; /* convert cookie to ID */

X41 noticed that XdmToID() frees the cookie argument in case it can resolve the ID or on failure, but not if it can't allocate memory for plain. The same return value is given whether no memory could be allocated or it just failed to look up the ID, so the caller cannot distinguish whether this memory is freed or not, which might lead to a double free or memory leaks. The other ToID functions do not free this parameter.
I've checked our codestreams and it seems the situation has always been the same: The ToID function is never called. We should fix this anyway to avoid trouble in the future. The oldest codestream SUSE:SLE-10-SP3:Update already contains the faulty XdmToID() function. So we can consider all codestreams affected. There is no final patch for this available yet. Given that the other two ToID functions don't free the cookie parameter the `xfree( cookie )` calls will probably be removed from XdmToID(). We will give an update once the final patch is available.
bugbot adjusting priority
Potential Use after Free in Xorg Server
=======================================

Vulnerability Type:         Other
Affected Products:          Xorg Server
Attack Type:                Local
Impact:                     -
Severity Rating:            none
Confirmed Affected Version: 1.19.0 and lower
Confirmed Patched Version:
Vector:                     local
CVE:                        -
CVSS Score:                 -
CVSS Vector:                -

Summary and Impact
------------------

In XDM there is a (currently non-security) issue regarding a potential use after free. The ToID() function in os/auth.c is not used anywhere; it is just defined in the struct and filled by the protocols, but there are no users.

    AuthToIDFunc ToID; /* convert cookie to ID */

X41 noticed that XdmToID() frees the cookie argument in case it can resolve the ID or on failure, but not if it can't allocate memory for plain:

    XdmToID(unsigned short cookie_length, char *cookie)
    {
        XdmAuthorizationPtr auth;
        XdmClientAuthPtr client;
        unsigned char *plain;

        plain = malloc(cookie_length);
        if (!plain)
            return (XID) -1;
        for (auth = xdmAuth; auth; auth = auth->next) {
            XdmcpUnwrap((unsigned char *) cookie, (unsigned char *) &auth->key,
                        plain, cookie_length);
            if ((client = XdmAuthorizationValidate(plain, cookie_length,
                                                   &auth->rho, NULL, NULL)) != NULL) {
                free(client);
                free(cookie);
                free(plain);
                return auth->id;
            }
        }
        free(cookie);
        free(plain);
        return (XID) -1;
    }

The same return value is given whether no memory could be allocated or it just failed to look up the ID, so the caller cannot distinguish whether this memory is freed or not, which might lead to a double free or memory leaks. The other ToID functions do not free this parameter.
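The ownership mismatch the advisory describes, as an added example that is not code from the X server, X41 or SUSE. XdmcpUnwrap() and XdmAuthorizationValidate() are replaced by a constructed XOR "unwrap" against a two-entry key table (an assumption made purely for illustration), and frees of the caller's cookie go through a counting free_cookie() so that the double free is observable instead of undefined behaviour. xdm_to_id_original keeps the advisory's behaviour: it frees the cookie on both lookup outcomes, not on allocation failure, and returns the same (XID) -1 for both failures. xdm_to_id_fixed shows the contract comment 1 anticipates, where the callee never frees the cookie, as the other ToID functions already behave. The type and function names are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t XID;                     /* stand-in for the X server's XID (assumption) */
#define BAD_ID ((XID) -1)

/* Constructed key table.  Real XDM-AUTHORIZATION-1 DES-unwraps the cookie;
 * XOR with a one-byte key is enough to exercise the ownership problem. */
struct auth_entry { unsigned char key; XID id; };
static const struct auth_entry sample_auth[] = { { 0x5a, 42 }, { 0x33, 7 } };
static const unsigned char valid_plain[] = "XDMTAG";          /* 7 bytes incl. NUL */

static void unwrap(const unsigned char *in, unsigned char key, unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key;
}

/* Instrumentation: count frees of the caller's cookie instead of freeing it,
 * so a double free is a count of 2 rather than undefined behaviour, and let
 * the driver make the plain buffer allocation fail. */
static int cookie_free_count, force_oom;
static void free_cookie(char *cookie) { (void) cookie; cookie_free_count++; }

/* Ownership behaviour of the XdmToID() quoted above: cookie freed on lookup
 * success and on lookup failure, not on allocation failure; both failures
 * return the same BAD_ID, so the caller cannot tell which happened. */
static XID xdm_to_id_original(unsigned short cookie_length, char *cookie)
{
    unsigned char *plain = force_oom ? NULL : malloc(cookie_length);
    if (!plain)
        return BAD_ID;                    /* cookie still owned by the caller */
    for (size_t i = 0; i < sizeof sample_auth / sizeof sample_auth[0]; i++) {
        unwrap((unsigned char *) cookie, sample_auth[i].key, plain, cookie_length);
        if (cookie_length == sizeof valid_plain &&
            memcmp(plain, valid_plain, cookie_length) == 0) {
            free_cookie(cookie);
            free(plain);
            return sample_auth[i].id;     /* cookie freed by the callee */
        }
    }
    free_cookie(cookie);
    free(plain);
    return BAD_ID;                        /* cookie freed, same code as the OOM path */
}

/* The contract comment 1 anticipates: the callee never frees the cookie, so
 * the caller owns it on every path and frees it exactly once. */
static XID xdm_to_id_fixed(unsigned short cookie_length, const char *cookie)
{
    XID id = BAD_ID;
    unsigned char *plain = force_oom ? NULL : malloc(cookie_length);
    if (!plain)
        return BAD_ID;
    for (size_t i = 0; i < sizeof sample_auth / sizeof sample_auth[0]; i++) {
        unwrap((const unsigned char *) cookie, sample_auth[i].key, plain, cookie_length);
        if (cookie_length == sizeof valid_plain &&
            memcmp(plain, valid_plain, cookie_length) == 0) {
            id = sample_auth[i].id;
            break;
        }
    }
    free(plain);
    return id;
}

/* Constructed input: a cookie that unwraps to valid_plain under `key`. */
static char *make_cookie(unsigned char key, unsigned short *len)
{
    *len = (unsigned short) sizeof valid_plain;
    char *cookie = malloc(*len);
    unwrap(valid_plain, key, (unsigned char *) cookie, *len);
    return cookie;
}

/* One lookup under one caller rule; returns how often the cookie got freed:
 * 1 is correct, 0 is a leak, 2 is a double free. */
static int cookie_frees(int use_fixed, int oom, unsigned char key,
                        int caller_frees_on_bad_id, XID *id_out)
{
    unsigned short n;
    char *cookie = make_cookie(key, &n);
    cookie_free_count = 0;
    force_oom = oom;
    *id_out = use_fixed ? xdm_to_id_fixed(n, cookie) : xdm_to_id_original(n, cookie);
    force_oom = 0;
    if (use_fixed || (*id_out == BAD_ID && caller_frees_on_bad_id))
        free_cookie(cookie);
    free(cookie);                         /* real release of the constructed buffer */
    return cookie_free_count;
}

int main(void)
{
    XID id;
    int n = cookie_frees(0, 0, 0x99, 1, &id);
    printf("original, lookup fails, caller frees on BAD_ID: %d frees\n", n);  /* 2 */
    n = cookie_frees(1, 0, 0x5a, 0, &id);
    printf("fixed, valid cookie: id=%u, %d free\n", (unsigned) id, n);          /* 42, 1 */
    return 0;
}
```

Whichever rule a caller of the original picks for a BAD_ID return, one path is wrong: "callee freed it" leaks the cookie when malloc() fails, "I free it" double-frees when the lookup merely fails. The fixed variant makes the return value carry no ownership information at all, which is the only contract a caller can honour; upstream went further and removed the unused function entirely (see the commit referenced in comment 5).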
About which component are we talking here? I can't find this code in git master of xserver (os/auth.c).
(In reply to Stefan Dirsch from comment #4)
> About which component are we talking here? I can't find this code in git
> master of xserver (os/auth.c).

The mentioned function is in os/xdmauth.c; only the declaration of "AuthToIDFunc ToID" is in os/auth.c. It has been removed in git master upstream in commit 2855f759b1e7bf7f5e57cac36c1f0d0e5ac1a683.
Thanks. This explains it. commit is in xserver, not xdm.
According to Michal Srb 2855f759b1e7bf7f5e57cac36c1f0d0e5ac1a683 is the fix.
Already fixed in factory/TW (xorg-server-1.19.3).
This is an autogenerated message for OBS integration: This bug (1025035) was mentioned in https://build.opensuse.org/request/show/502781 Factory / xorg-x11-server
Submitted to sle11-sp3: SR#133961
Submitted to sle11-sp1: SR#133962
Submitted to sle10-sp3: SR#133963

Reassigning to security team ...
This is an autogenerated message for OBS integration: This bug (1025035) was mentioned in https://build.opensuse.org/request/show/502874 42.2 / xorg-x11-server
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-06-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63669
openSUSE-SU-2017:1610-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1025029,1025035,1025084
CVE References: CVE-2017-2624
Sources used:
openSUSE Leap 42.2 (src):    xorg-x11-server-7.6_1.18.3-12.15.2
SUSE-SU-2017:1675-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1019649,1021803,1025029,1025035,1025084,1025985,1032509,1039042
CVE References: CVE-2017-2624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Server 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE-SU-2017:1741-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1019649,1025029,1025035,1025084,981044
CVE References: CVE-2017-2624
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
released