Bug 1065386 (CVE-2017-16612) - VUL-0: CVE-2017-16612: libXcursor: heap overflows when parsing malicious files
Status: RESOLVED FIXED
Alias: CVE-2017-16612
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Deadline: 2017-12-13
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv3:RedHat:CVE-2017-16612:7.8:(AV:...
Reported: 2017-10-27 06:22 UTC by Johannes Segitz
Modified: 2019-05-01 13:57 UTC

Comment 3 Stefan Dirsch 2017-11-20 14:05:43 UTC
The patch hasn't been applied upstream yet. Therefore setting to NEEDINFO until Marcus can provide a CVE number.
Comment 4 Marcus Meissner 2017-11-20 14:55:18 UTC
CVE-2017-16612 is the one I got for it.
Comment 5 Stefan Dirsch 2017-11-21 17:55:58 UTC
Fixed for sle12, sle11 and sle10.

SR#146787
SR#146784
SR#146781

Please let me know, once I can add this patch also for obs://X11:XOrg and TW/factory. I assume this is still embargoed ...
Comment 7 Johannes Segitz 2017-11-22 11:24:00 UTC
We will remove the "EMBARGOED" tag from the bug and make it public once this issue is announced by upstream; then it can be fixed in OBS.
Comment 8 Marcus Meissner 2017-11-25 11:49:48 UTC
CRD: 2017-11-28
Comment 9 Stefan Dirsch 2017-11-28 10:35:07 UTC
Fixed in X11:XOrg/libXcursor and submitrequested for factory/TW/sle15 now. Reassigning.
Comment 10 Bernhard Wiedemann 2017-11-28 11:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1065386) was mentioned in
https://build.opensuse.org/request/show/546195 Factory / libXcursor
Comment 12 Marcus Meissner 2017-11-28 15:06:55 UTC
is public now

https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8

Fix heap overflows when parsing malicious files. (CVE-2017-16612)
It is possible to trigger heap overflows due to an integer overflow
while parsing images and a signedness issue while parsing comments.

The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.

The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows the
check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to allocate
less memory than needed for subsequent reads.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
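
The two arithmetic flaws described in the commit message above, modelled as an added example (not libXcursor's code and not part of the original bug report). 32-bit `size_t` arithmetic is simulated with `uint32_t`; all function names, `HDR_BYTES` and the value given to `COMMENT_MAX_LEN` are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DIM_LIMIT       0x10000u  /* dimension limit quoted in the commit message */
#define PIXEL_BYTES     4u        /* "each pixel takes 4 bytes" */
#define HDR_BYTES       32u       /* assumed struct header size, illustration only */
#define COMMENT_MAX_LEN 0x100000  /* assumed value for the comment length limit */

/* Image allocation size as 32-bit size_t arithmetic computes it (wraps mod 2^32). */
uint32_t image_alloc_32(uint32_t width, uint32_t height)
{
    return HDR_BYTES + width * height * PIXEL_BYTES;
}

/* Hardened form: multiply in 64 bits and refuse sizes that do not fit in 32. */
bool image_alloc_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width > DIM_LIMIT || height > DIM_LIMIT) return false;
    uint64_t need = HDR_BYTES + (uint64_t)width * height * PIXEL_BYTES;
    if (need > UINT32_MAX) return false;
    *out = (uint32_t)need;
    return true;
}

/* Upper-bound-only test after the cast to signed (wraps on gcc/clang targets). */
bool comment_len_ok_upper_only(uint32_t wire_len)
{
    int32_t length = (int32_t)wire_len;
    return length <= COMMENT_MAX_LEN;
}

/* Allocation size for the comment: header + length + 1, again in 32 bits. */
uint32_t comment_alloc_32(uint32_t wire_len)
{
    return HDR_BYTES + (uint32_t)(int32_t)wire_len + 1u;
}

/* Hardened form: compare while the value is still unsigned. */
bool comment_len_ok(uint32_t wire_len)
{
    return wire_len <= (uint32_t)COMMENT_MAX_LEN;
}

int main(void)
{
    printf("image: %u bytes, comment: %u bytes\n", (unsigned)image_alloc_32(0x10000u, 0x10000u), (unsigned)comment_alloc_32(0xffffffe0u));
    return 0;
}
```

In both cases the computed allocation shrinks to a few bytes while the length used for the subsequent read stays huge, which is why the checks have to run before the arithmetic wraps.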
Comment 13 Stefan Dirsch 2017-11-28 15:11:28 UTC
Hmm. And now my changes in obs://X11:XOrg/libXcursor are gone. :-(
Comment 16 Bernhard Wiedemann 2017-11-28 20:00:05 UTC
This is an autogenerated message for OBS integration:
This bug (1065386) was mentioned in
https://build.opensuse.org/request/show/546296 Factory / libXcursor
Comment 17 Swamp Workflow Management 2017-11-29 15:09:11 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-12-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63901
Comment 18 Swamp Workflow Management 2017-12-05 20:10:40 UTC
SUSE-SU-2017:3214-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1065386
CVE References: CVE-2017-16612
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libXcursor-1.1.14-4.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libXcursor-1.1.14-4.3.1
Comment 19 Swamp Workflow Management 2018-01-26 20:14:40 UTC
SUSE-SU-2018:0246-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1049692,1050459,1054285,1065386
CVE References: CVE-2017-13720,CVE-2017-13722,CVE-2017-16612
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-libs-7.4-8.26.50.5.3
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-libs-7.4-8.26.50.5.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-libs-7.4-8.26.50.5.3
Comment 20 Marcus Meissner 2018-02-19 16:20:35 UTC
Leap 42.3 submission is still needed. (not connected to SLES 12 currently)
Comment 21 Stefan Dirsch 2018-02-20 10:54:39 UTC
done -> SR#578320
Comment 22 Swamp Workflow Management 2018-02-20 11:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1065386) was mentioned in
https://build.opensuse.org/request/show/578320 42.3 / libXcursor
Comment 23 Marcus Meissner 2018-02-21 07:02:23 UTC
released
Comment 24 Swamp Workflow Management 2018-02-21 11:08:10 UTC
openSUSE-SU-2018:0504-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1065386
CVE References: CVE-2017-16612
Sources used:
openSUSE Leap 42.3 (src):    libXcursor-1.1.14-10.3.1