Bug 1177596 - (CVE-2020-25712) VUL-0: CVE-2020-25712: xorg-x11-server: XkbSetDeviceInfo Heap-based Buffer Overflow Privilege Escalation (ZDI-CAN-11839)
(CVE-2020-25712)
VUL-0: CVE-2020-25712: xorg-x11-server: XkbSetDeviceInfo Heap-based Buffer Ov...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/269136/
CVSSv3.1:SUSE:CVE-2020-25712:7.8:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-10-12 16:27 UTC by Wolfgang Frisch
Modified: 2020-12-10 14:05 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 17 Wolfgang Frisch 2020-11-16 12:59:22 UTC
CVE-2020-25712 was assigned to this issue.
Comment 18 Stefan Dirsch 2020-11-18 10:13:37 UTC
I'm afraid I found an issue with the patch.

[   60s] xkb.c: In function '_XkbSetDeviceInfoCheck':
[   60s] xkb.c:6800:14: warning: 'sz' may be used uninitialized in this function [-Wmaybe-uninitialized]
[   60s]          if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
[   60s]               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am using the one of the zip file.

@@ -6635,6 +6663,10 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
                 return BadAlloc;
             dev->button->xkb_acts = acts;
         }
+        if (stuff->firstBtn + stuff->nBtns > nBtns)
+            return BadValue;
+        if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
+            return BadLength;
         sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
         memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
         wire += sz;

This looks indeed weird. The one you posted later does make indeed different.

@@ -6683,7 +6698,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
                 return BadAlloc;
             dev->button->xkb_acts = acts;
         }
+        if (stuff->firstBtn + stuff->nBtns > nBtns)
+            return BadValue;
         sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
+        if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
+            return BadLength;
         memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
         wire += sz;
         ed.reason |= XkbXI_ButtonActionsMask;

This makes more sense to me. What do you think? I'm afraid I need to redo everything. :-(
Comment 19 Wolfgang Frisch 2020-11-19 11:07:37 UTC
(In reply to Stefan Dirsch from comment #18)
> I'm afraid I found an issue with the patch.
> 
> [   60s] xkb.c: In function '_XkbSetDeviceInfoCheck':
> [   60s] xkb.c:6800:14: warning: 'sz' may be used uninitialized in this
> function [-Wmaybe-uninitialized]
> [   60s]          if (!_XkbCheckRequestBounds(client, stuff, wire, (char *)
> wire + sz))
> [   60s]              
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
[...]
> 
> This makes more sense to me. What do you think? I'm afraid I need to redo
> everything. :-(

Unfortunately I agree. The original upstream patch is definitely faulty.
Comment 20 Stefan Dirsch 2020-11-19 13:23:50 UTC
Fixed. Packages with fixed patch submitted.
Comment 25 Alexandros Toptsoglou 2020-12-01 15:22:09 UTC
now public through oss 

CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow

Insufficient checks on input of the XkbSetDeviceInfo request can lead
to a buffer overflow on the head in the X server.
Comment 26 Stefan Dirsch 2020-12-01 17:26:42 UTC
Just submitted to factory/TW. Reassigning.
Comment 27 OBSbugzilla Bot 2020-12-01 17:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1177596) was mentioned in
https://build.opensuse.org/request/show/852408 Factory / xorg-x11-server
Comment 28 Swamp Workflow Management 2020-12-01 20:17:28 UTC
SUSE-SU-2020:3588-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2020-12-01 20:18:32 UTC
SUSE-SU-2020:3589-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.27.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2020-12-01 20:19:38 UTC
SUSE-SU-2020:3582-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.19.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2020-12-01 20:20:43 UTC
SUSE-SU-2020:3587-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.20.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2020-12-01 20:22:47 UTC
SUSE-SU-2020:3586-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Swamp Workflow Management 2020-12-01 20:24:00 UTC
SUSE-SU-2020:3585-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE OpenStack Cloud 7 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.37.1
SUSE Enterprise Storage 5 (src):    xorg-x11-server-7.6_1.18.3-76.37.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Swamp Workflow Management 2020-12-01 20:25:11 UTC
SUSE-SU-2020:14553-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.37.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Swamp Workflow Management 2020-12-02 11:16:55 UTC
openSUSE-SU-2020:2147-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.12.1
Comment 36 Swamp Workflow Management 2020-12-07 14:18:32 UTC
openSUSE-SU-2020:2186-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174908,1177596
CVE References: CVE-2020-14360,CVE-2020-25712
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xorg-x11-server-1.20.3-lp151.4.9.1
Comment 37 Wolfgang Frisch 2020-12-10 14:05:35 UTC
Released.