Bugzilla – Bug 345131
VUL-0: xorg-x11-server: X Server MIT-SHM Extension Integer Overflow Vulnerability [IDEF2904]
Last modified: 2009-10-14 00:20:21 UTC
Created attachment 185373 [details] pub_Multiple Vendor X Server MIT-SHM Extension Integer Overflow Vulnerability.txt iDefense Vendor Notification [IDEF2904]
Any fix available?
Freedesktop.org has made a bug entry with a test case: http://bugs.freedesktop.org/show_bug.cgi?id=13520 I don't have an account though.
Thanks. I've added myself to Cc of this upstream bugreport. There's even a proposal for a fix attached to this bugreport.
CVE-2007-6429 - EVI and MIT-SHM integer overflows
updates released
made bug public
Ludwig Nussel wrote:
> Hi,
>
> After we've released packages for CVE-2007-6429 we've got reports
> that older versions of xine-ui, vlc and (not yet confirmed) eclipse
> fail now due to the new SHM size checks. Anyone got reports for
> other programs too?
>
Yes see the bug reports cited by Julien Cristau :
http://lists.freedesktop.org/archives/xorg/2008-January/031979.html

I'm currently trying to figure out exactly what test fails and will
propose a better patch...

-- 
Matthieu Herrb
From: Kees Cook <kees@ubuntu.com>

On Fri, Jan 18, 2008 at 03:55:26PM +0100, Ludwig Nussel wrote:
> After we've released packages for CVE-2007-6429 we've got reports
> that older versions of xine-ui, vlc and (not yet confirmed) eclipse
> fail now due to the new SHM size checks. Anyone got reports for
> other programs too?

Java (SWT), AMule, Xara, things wxwidget-based:

https://bugs.launchpad.net/ubuntu/+bug/183969
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=461410

Ubuntu is already in progress of reverting the entire patch set.

Likely suspect is:

+ unsigned long size;
...
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }

-Kees

-- 
Kees Cook
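Review bot: the `if (size < width * height)` guard in this hunk compares a byte count against a pixel count, so it rejects every valid request whose pixels take less than one byte: at depth 1 a 1536x64 pixmap has size 12288 while width * height is 98304, and the request gets BadAlloc although nothing wrapped. The guard also runs before `depth` has been validated, yet `PixmapBytePad(width, depth)` indexes PixmapWidthPaddingInfo[depth], so an out-of-range depth is used as an array index before any check. Move the whole block below the depth validation and only apply the pixel comparison for depths of at least 8 bits per pixel (or do the multiplication in a wider type and check that it fits); the `stuff->offset + size < size` wrap test is correct and should be kept unconditionally rather than only when `sizeof(size) == 4`.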
On Fri, Jan 18, 2008 at 08:37:47AM -0800, Kees Cook wrote:
> On Fri, Jan 18, 2008 at 03:55:26PM +0100, Ludwig Nussel wrote:
> > After we've released packages for CVE-2007-6429 we've got reports
> > that older versions of xine-ui, vlc and (not yet confirmed) eclipse
> > fail now due to the new SHM size checks. Anyone got reports for
> > other programs too?
>
> Java (SWT), AMule, Xara, things wxwidget-based:
>
> https://bugs.launchpad.net/ubuntu/+bug/183969
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=461410
>
> Ubuntu is already in progress of reverting the entire patch set.
>
> Likely suspect is:
>
> + unsigned long size;
> ...
> + size = PixmapBytePad(width, depth) * height;
> + if (sizeof(size) == 4) {
> + if (size < width * height)
> + return BadAlloc;
> + /* thankfully, offset is unsigned */
> + if (stuff->offset + size < size)
> + return BadAlloc;
> + }

Two things are wrong here:

1) PixmapBytePad uses "depth" which is not validated (it is used as an
   array index). This test needs to move below the depth validation
   section.

   #define PixmapBytePad(w, d) \
       (PixmapWidthInPadUnits(w, d) << PixmapWidthPaddingInfo[d].padBytesLog2)

2) width * height doesn't seem to be the right test. The failure seen
   with azureus is:

   ProcShmCreatePixmap (size < width * height) size: 12288 width: 1536 height: 64

-- 
Kees Cook
On Fri, Jan 18, 2008 at 10:19:53AM -0800, Kees Cook wrote:
> Two things are wrong here:
>
> 1) PixmapBytePad uses "depth" which is not validated (it is used as an
>    array index). This test needs to move below the depth validation
>    section.
>
>    #define PixmapBytePad(w, d) \
>        (PixmapWidthInPadUnits(w, d) << PixmapWidthPaddingInfo[d].padBytesLog2)
>
> 2) width * height doesn't seem to be the right test. The failure seen
>    with azureus is:
>
>    ProcShmCreatePixmap (size < width * height) size: 12288 width: 1536 height: 64

Upstream has fixed[1] these issues, and I've also verified that it works
correctly again.

-Kees

[1] http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=e9fa7c1c88a8130a48f772c92b186b8b777986b5

-- 
Kees Cook
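The two defects discussed in the exchange above, shown side by side as an added C example that is not code from the X server, from the upstream fix, or from anyone in this thread. `bits_per_pixel` and `pixmap_byte_pad` are my own constructed stand-ins for the server's padding table and PixmapBytePad macro (rows padded to 32 bits, a few common depths only), `original_check_rejects` mirrors the quoted hunk on a 32-bit `unsigned long`, and `hardened_check_rejects` is my own variant that validates depth first and does the arithmetic in 64 bits.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the server's per-depth padding table: rows are
 * padded to 32 bits. Unknown depths yield 0 here; the real macro would
 * index PixmapWidthPaddingInfo[] with the unchecked value instead. */
static unsigned bits_per_pixel(unsigned depth)
{
    switch (depth) {
    case 1:  return 1;
    case 8:  return 8;
    case 15: case 16: return 16;
    case 24: case 32: return 32;
    default: return 0;
    }
}

/* Bytes per padded row, modelled on PixmapBytePad(w, d). */
static uint32_t pixmap_byte_pad(uint32_t width, unsigned depth)
{
    uint64_t bits = (uint64_t)width * bits_per_pixel(depth);
    return (uint32_t)(((bits + 31) / 32) * 4);
}

/* The check from the quoted hunk, with size as a 32-bit unsigned long.
 * Returns true when the request would get BadAlloc. */
bool original_check_rejects(uint16_t width, uint16_t height, unsigned depth,
                            uint32_t offset)
{
    uint32_t size = pixmap_byte_pad(width, depth) * height;  /* may wrap */
    if (size < (uint32_t)width * height)  /* bytes vs pixels: wrong at 1 bpp */
        return true;
    if (offset + size < size)             /* offset + size wrapped */
        return true;
    return false;
}

/* Hardened variant (my own, not upstream's fix): refuse unknown depths
 * before they are used as an index, and compute the byte size in 64 bits
 * so a wrapped 32-bit product cannot slip past the comparison. */
bool hardened_check_rejects(uint16_t width, uint16_t height, unsigned depth,
                            uint32_t offset)
{
    if (bits_per_pixel(depth) == 0)
        return true;                               /* invalid depth */
    uint64_t size = (uint64_t)pixmap_byte_pad(width, depth) * height;
    if (size > UINT32_MAX || size + offset > UINT32_MAX)
        return true;                               /* does not fit in 32 bits */
    return false;
}
```

The 1536x64 depth-1 case from the azureus failure is rejected by the original check and accepted by the hardened one, while a 40000x40000 depth-32 pixmap whose byte size wraps past 2^32 passes the original comparison and is caught only by the 64-bit check.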
*** Bug 354615 has been marked as a duplicate of this bug. ***
*** Bug 354593 has been marked as a duplicate of this bug. ***
*** Bug 354930 has been marked as a duplicate of this bug. ***
*** Bug 354946 has been marked as a duplicate of this bug. ***
*** Bug 354954 has been marked as a duplicate of this bug. ***
That's the patch used in Debian systems. http://security.debian.org/pool/updates/main/x/xorg-server/xorg-server_1.1.1-21etch3.diff.gz This one seems not to break applications.
*** Bug 354952 has been marked as a duplicate of this bug. ***
Now that I'm sensitive to the problem, I remembered suffering from regular nspluginviewer crashes lately. Some .xsession-errors extract:

Flash Player: Warning: environment variable G_FILENAME_ENCODING is set and is not UTF-8
(process:9039): GLib-GObject-CRITICAL **: gtype.c:2240: initialization assertion failed, use g_type_init() prior to this function
(process:9039): Gtk-CRITICAL **: gtk_clipboard_get_for_display: assertion `GDK_IS_DISPLAY (display)' failed
Adobe Flash Player: gtk_clipboard_get(GDK_SELECTION_PRIMARY); failed. Trying to call gtk_init(0,0);
The program '<unknown>' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadWindow (invalid Window parameter)'.
  (Details: serial 84 error_code 3 request_code 18 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
DCOP aborting call from 'konqueror-6220' to 'nspluginviewer-6220'
KCrash: Application 'nspluginviewer' crashing...
X Error: BadWindow (invalid Window parameter) 3
  Major opcode: 19
  Minor opcode: 0
  Resource id: 0x2400008
Flash Player: Warning: environment variable G_FILENAME_ENCODING is set and is not UTF-8
(process:9060): GLib-GObject-CRITICAL **: gtype.c:2240: initialization assertion failed, use g_type_init() prior to this function
(process:9060): Gtk-CRITICAL **: gtk_clipboard_get_for_display: assertion `GDK_IS_DISPLAY (display)' failed
Adobe Flash Player: gtk_clipboard_get(GDK_SELECTION_PRIMARY); failed. Trying to call gtk_init(0,0);
The program '<unknown>' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadWindow (invalid Window parameter)'.
  (Details: serial 84 error_code 3 request_code 18 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
DCOP aborting call from 'konqueror-6220' to 'nspluginviewer-6220'
KCrash: Application 'nspluginviewer' crashing...
Unable to start Dr. Konqi

Happens with:
flash-player-9.0.115.0-0.1
xorg-x11-server-7.2-30.8

Could those be related?
Yes, this could well be.
Okay, I'm going to revert to factory xorg this evening (when the kids are in bed) and call back with the outcome..
That one seems to be a red herring, since firefox doesn't suffer from this: therefore https://bugzilla.novell.com/show_bug.cgi?id=354960 added.. Sorry for the noise.
Any fix found?? Ubuntu seems to have already fixed that problem.. I found this link: https://bugs.edge.launchpad.net/ubuntu/+source/xorg/+bug/183969
See comment #21.
*** Bug 354974 has been marked as a duplicate of this bug. ***
Temporary workaround via /etc/X11/xorg.conf:

Section "Extensions"
    Option "MIT-SHM" "no"
EndSection

Disabling this extension degrades X performance so it is *not* a solution.
Unofficial fixed packages for 10.2/10.3 will soon be available via http://beta.suse.com/private/sndirsch/bug345131/
*** Bug 355006 has been marked as a duplicate of this bug. ***
*** Bug 355083 has been marked as a duplicate of this bug. ***
the fix from #37 works for me. thanks! j.
*** Bug 355127 has been marked as a duplicate of this bug. ***
+1 on fix works for me. SuSE 10.3, SuSE Java 1.6, downloaded Eclipse 3.3.x
Package from comment #37 works for me. I'm using OpenSuse 10.3 my problem with VLC crashing my system after the xorg update of 1/17/08 is fixed. Thank you for the package.
+1 on fix from comment #37, it solved the problem for me too. openSuse 10.3 on i686, tested with both suse packaged Sun JDK 1.5 and Sun JDK 1.6 + Eclipse 3.3.x and packman packaged Azureus, all works now perfectly. Thanks!
*** Bug 355512 has been marked as a duplicate of this bug. ***
How long will it approx. take until we can push out fixed packages? I see complaints all over. At least an 'update' to the previous version should be considered to offer a short-term solution to the end-user that is struggling with different non-working programs.
the fix in comment #37 works for me also. (opensuse 10.3, i386, tested with Eclipse). Thanks!
Dominique, fixed packages have already been checked in, so QA can test them now. An update should be available shortly. For now you can use the packages mentioned in comment #37.
Thank you Stefan... it was less an issue for me; After all I follow the bug and know about the case... I was more worried for 99% of the users that do not follow here; but the packages from comment #37 are normally what I suggest so far too... but not every average user feels comfortable with it (understandable)
*** Bug 355564 has been marked as a duplicate of this bug. ***
icewm has broken window decoration since the latest xorg update as well
Created attachment 191464 [details] Screenshot of broken icewm decorations
I've released the openSUSE updates now based on preliminary qa results. Hopefully they don't cause more breakage than there already is :-)
*** Bug 355239 has been marked as a duplicate of this bug. ***
Both icewm and eclipse look fixed now.
*** Bug 355928 has been marked as a duplicate of this bug. ***
all packages released now
CVE-2007-6429: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)