Bugzilla – Bug 50206
VUL-0: CVE-2004-0094: XFree86: remote denial-of-service
Last modified: 2021-10-13 13:44:40 UTC
Hi Stefan, Debian mentioned in their XFree86 advisory (http://www.debian.org/security/2004/dsa-443) two other bugs (CAN-2004-0093, CAN-2004-0094) that we seem not to have fixed. Can you verify that we have fixed them in STABLE, please? (patch: http://security.debian.org/pool/updates/main/x/xfree86/xfree86_4.1.0-16woody3.diff.gz)
~> du -h xfree86_4.1.0-16woody3.diff
9,2M    xfree86_4.1.0-16woody3.diff

I will refuse this patch, also for STABLE. I simply don't have the time for verifying a 9 MB patch.
:) No need to panic. I'll strip it down for you.
Created attachment 16289 [details] xfree86_4.1.0_glx_dri_outofbounds_index-security.diff
Thanks. Verified. The patch is already in our XFree86 sources of STABLE as it was committed to XFree86 CVS. It was committed to XFree86 CVS on 2002/12/14, i.e. after the SuSE 9.0 release.
"after SuSE 9.0 release"? I found the vulnerable code in 8.0 and 8.1 only. I can't see a direct exploitability except for the crash. (But due to a bad cold I feel a bit dizzy...) Stefan, how can this bug be triggered remotely? And can this bug be triggered remotely by default? Is authentication needed?
Yes, it was committed into XFree86 CVS after SuSE 9.0 was released. This doesn't mean that SuSE 9.0 needs to be affected by this security problem. Only 8.0 and 8.1 is not much help for me, as 8.1 is SLES8 and then I need to update nearly all maintained distributions. I don't know how to trigger the problem remotely and if it can be triggered remotely by default. I assume that you need an OpenGL program for this (IIRC libGL is communicating with the glx extension in the server). What do you mean by "authentication needed"? BTW, you're the security experts, not me. :-)
authentication: Like ssh -X remote.si.de "xosview", or cookies or xhost, ... No one can trigger this bug on the X server without some kind of authentication beforehand, right?

8.1 and maintained products:

thomas@bragg:~/work> md5sum 8.1/xf86/XFree86-4.2.0.tar.bz2
501bce4f8e01fa7d90564aaec0a3428c  8.1/xf86/XFree86-4.2.0.tar.bz2
thomas@bragg:~/work> md5sum SLES8/xf86/XFree86-4.2.0.tar.bz2
501bce4f8e01fa7d90564aaec0a3428c  SLES8/xf86/XFree86-4.2.0.tar.bz2
Sure, you need access to the X server with some sort of authentication to be able to trigger this bug. :-) I don't understand what you want to tell me with the md5sums.
md5sums: Both sources are the same, so fixing 8.1 includes SLES8 and SLES8-based products too. So I see no reason why it is more work than you suggested in comment #7.
You're right. It's only

Sources                                    /work/src/done/<dir>
-----------------------------------------------------------------------
/work/SRC/old-versions/8.0/all/xf86        8.0
/work/SRC/old-versions/8.1/UL/all/xf86     8.1

this time. I'm already running in panic mode ...
Created attachment 16321 [details] patchinfo-box.glxdri
Created attachment 16322 [details] patchinfo.glxdri
"7.2-s390,sles7-i386,sles7-ia64,sles7-ppc,sles7-s390x,sles8-ppc,sles8-s390,sles8-s390x,ul1-i386,ul1-ia64,ul1-x86_64" in the Distribution line should be "sles8-ppc,sles8-s390,sles8-s390x,ul1-i386,ul1-ia64,ul1-x86_64", as SLES7 is SuSE 7.2/7.3 based.
And the update packages should be "xloader xmodules xf86_glx" instead of "xf86". I'll adjust the patchinfo files.
Fixed now (including all the tmp races of Bug 48716). Packages now in

/work/src/done/8.0/xf86
/work/src/done/8.1/xf86

patchinfo files copied to /work/src/done/PATCHINFO. Thomas can take care of this now. :-)
Thanks.
Packages approved (YOU only test).
CVE-2004-0094: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)