GNU bug report logs -
#27600
[PATCH] gnu: xorg-server: Fix CVE-2017-{10971,10972}.
Previous Next
Reported by: Kei Kebreau <kei <at> openmailbox.org>
Date: Thu, 6 Jul 2017 19:29:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 27600 in the body.
You can then email your comments to 27600 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#27600; Package
guix-patches.
(Thu, 06 Jul 2017 19:29:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Kei Kebreau <kei <at> openmailbox.org>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Thu, 06 Jul 2017 19:29:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/xorg.scm (xorg-server)[source]: Add patches.
* gnu/packages/patches/xorg-CVE-2017-10971.patch,
gnu/packages/patches/xorg-CVE-2017-10972.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 2 +
gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++
gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++
gnu/packages/xorg.scm | 5 +-
4 files changed, 194 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch
create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8dbce7c05..bb93cac53 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1081,6 +1081,8 @@ dist_patch_DATA = \
%D%/packages/patches/xinetd-fix-fd-leak.patch \
%D%/packages/patches/xinetd-CVE-2013-4342.patch \
%D%/packages/patches/xmodmap-asprintf.patch \
+ %D%/packages/patches/xorg-CVE-2017-10971.patch \
+ %D%/packages/patches/xorg-CVE-2017-10972.patch \
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
%D%/packages/patches/zathura-plugindir-environment-variable.patch \
%D%/packages/patches/zziplib-CVE-2017-5974.patch \
diff --git a/gnu/packages/patches/xorg-CVE-2017-10971.patch b/gnu/packages/patches/xorg-CVE-2017-10971.patch
new file mode 100644
index 000000000..2696033e5
--- /dev/null
+++ b/gnu/packages/patches/xorg-CVE-2017-10971.patch
@@ -0,0 +1,153 @@
+From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb <at> suse.com>
+Date: Wed, 24 May 2017 15:54:40 +0300
+Subject: dix: Disallow GenericEvent in SendEvent request.
+
+The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
+no less. Both ProcSendEvent and SProcSendEvent verify that the received data
+exactly match the request size. However nothing stops the client from passing
+in event with xEvent::type = GenericEvent and any value of
+xGenericEvent::length.
+
+In the case of ProcSendEvent, the event will be eventually passed to
+WriteEventsToClient which will see that it is Generic event and copy the
+arbitrary length from the receive buffer (and possibly past it) and send it to
+the other client. This allows clients to copy unitialized heap memory out of X
+server or to crash it.
+
+In case of SProcSendEvent, it will attempt to swap the incoming event by
+calling a swapping function from the EventSwapVector array. The swapped event
+is written to target buffer, which in this case is local xEvent variable. The
+xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
+expect that the target buffer has size matching the size of the source
+GenericEvent. This allows clients to cause stack buffer overflows.
+
+Signed-off-by: Michal Srb <msrb <at> suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer <at> who-t.net>
+
+diff --git a/dix/events.c b/dix/events.c
+index 3e3a01e..d3a33ea 100644
+--- a/dix/events.c
++++ b/dix/events.c
+@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
++ /* Generic events can have variable size, but SendEvent request holds
++ exactly 32B of event data. */
++ if (stuff->event.u.u.type == GenericEvent) {
++ client->errorValue = stuff->event.u.u.type;
++ return BadValue;
++ }
+ if (stuff->event.u.u.type == ClientMessage &&
+ stuff->event.u.u.detail != 8 &&
+ stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
+diff --git a/dix/swapreq.c b/dix/swapreq.c
+index 719e9b8..6785059 100644
+--- a/dix/swapreq.c
++++ b/dix/swapreq.c
+@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
+ swapl(&stuff->destination);
+ swapl(&stuff->eventMask);
+
++ /* Generic events can have variable size, but SendEvent request holds
++ exactly 32B of event data. */
++ if (stuff->event.u.u.type == GenericEvent) {
++ client->errorValue = stuff->event.u.u.type;
++ return BadValue;
++ }
++
+ /* Swap event */
+ proc = EventSwapVector[stuff->event.u.u.type & 0177];
+ if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
+--
+cgit v0.10.2
+
+From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb <at> suse.com>
+Date: Wed, 24 May 2017 15:54:41 +0300
+Subject: Xi: Verify all events in ProcXSendExtensionEvent.
+
+The requirement is that events have type in range
+EXTENSION_EVENT_BASE..lastEvent, but it was tested
+only for first event of all.
+
+Signed-off-by: Michal Srb <msrb <at> suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer <at> who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 1cf118a..5e63bfc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ int
+ ProcXSendExtensionEvent(ClientPtr client)
+ {
+- int ret;
++ int ret, i;
+ DeviceIntPtr dev;
+ xEvent *first;
+ XEventClass *list;
+@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
+ /* The client's event type must be one defined by an extension. */
+
+ first = ((xEvent *) &stuff[1]);
+- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
+- (first->u.u.type < lastEvent))) {
+- client->errorValue = first->u.u.type;
+- return BadValue;
++ for (i = 0; i < stuff->num_events; i++) {
++ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
++ (first[i].u.u.type < lastEvent))) {
++ client->errorValue = first[i].u.u.type;
++ return BadValue;
++ }
+ }
+
+ list = (XEventClass *) (first + stuff->num_events);
+--
+cgit v0.10.2
+
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb <at> suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb <at> suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer <at> who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+
+ eventP = (xEvent *) &stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
++ if (eventP->u.u.type == GenericEvent) {
++ client->errorValue = eventP->u.u.type;
++ return BadValue;
++ }
++
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
++ /* no swapping proc; invalid event type? */
++ if (proc == NotImplemented) {
++ client->errorValue = eventP->u.u.type;
+ return BadValue;
++ }
+ (*proc) (eventP, &eventT);
+ *eventP = eventT;
+ }
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/xorg-CVE-2017-10972.patch b/gnu/packages/patches/xorg-CVE-2017-10972.patch
new file mode 100644
index 000000000..f24e9c0ae
--- /dev/null
+++ b/gnu/packages/patches/xorg-CVE-2017-10972.patch
@@ -0,0 +1,35 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb <at> suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb <at> suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer <at> who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ CARD32 *p;
+ int i;
+- xEvent eventT;
++ xEvent eventT = { .u.u.type = 0 };
+ xEvent *eventP;
+ EventSwapPtr proc;
+
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 7b1d00f47..ec6fe6069 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5000,7 +5000,10 @@ over Xlib, including:
name "-" version ".tar.bz2"))
(sha256
(base32
- "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7"))))
+ "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7"))
+ (patches
+ (search-patches "xorg-CVE-2017-10971.patch"
+ "xorg-CVE-2017-10972.patch"))))
(build-system gnu-build-system)
(propagated-inputs
`(("dri2proto" ,dri2proto)
--
2.13.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#27600; Package
guix-patches.
(Thu, 06 Jul 2017 23:44:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 27600 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Thu, Jul 06, 2017 at 03:28:07PM -0400, Kei Kebreau wrote:
> * gnu/packages/xorg.scm (xorg-server)[source]: Add patches.
> * gnu/packages/patches/xorg-CVE-2017-10971.patch,
> gnu/packages/patches/xorg-CVE-2017-10972.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
Yikes, these bugs!
> ---
> gnu/local.mk | 2 +
> gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++
> gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++
> gnu/packages/xorg.scm | 5 +-
> 4 files changed, 194 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch
> create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch
Please rename the patch files to include the name of the package
(xorg-server), adjust the changes to local.mk accordingly, and please
push!
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Leo Famulari <leo <at> famulari.name>:
You have taken responsibility.
(Fri, 07 Jul 2017 03:54:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Kei Kebreau <kei <at> openmailbox.org>:
bug acknowledged by developer.
(Fri, 07 Jul 2017 03:54:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 27600-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Thu, Jul 06, 2017 at 07:43:43PM -0400, Leo Famulari wrote:
> On Thu, Jul 06, 2017 at 03:28:07PM -0400, Kei Kebreau wrote:
> > * gnu/packages/xorg.scm (xorg-server)[source]: Add patches.
> > * gnu/packages/patches/xorg-CVE-2017-10971.patch,
> > gnu/packages/patches/xorg-CVE-2017-10972.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
>
> Yikes, these bugs!
>
> > ---
> > gnu/local.mk | 2 +
> > gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++
> > gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++
> > gnu/packages/xorg.scm | 5 +-
> > 4 files changed, 194 insertions(+), 1 deletion(-)
> > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch
> > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch
>
> Please rename the patch files to include the name of the package
> (xorg-server), adjust the changes to local.mk accordingly, and please
> push!
I had some time so I made the adjustment and pushed on your behalf.
Thanks again!
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#27600; Package
guix-patches.
(Fri, 07 Jul 2017 04:22:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 27600-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> On Thu, Jul 06, 2017 at 07:43:43PM -0400, Leo Famulari wrote:
>> On Thu, Jul 06, 2017 at 03:28:07PM -0400, Kei Kebreau wrote:
>> > * gnu/packages/xorg.scm (xorg-server)[source]: Add patches.
>> > * gnu/packages/patches/xorg-CVE-2017-10971.patch,
>> > gnu/packages/patches/xorg-CVE-2017-10972.patch: New files.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
>>
>> Yikes, these bugs!
>>
>> > ---
>> > gnu/local.mk | 2 +
>> > gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++
>> > gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++
>> > gnu/packages/xorg.scm | 5 +-
>> > 4 files changed, 194 insertions(+), 1 deletion(-)
>> > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch
>> > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch
>>
>> Please rename the patch files to include the name of the package
>> (xorg-server), adjust the changes to local.mk accordingly, and please
>> push!
>
> I had some time so I made the adjustment and pushed on your behalf.
> Thanks again!
Thank you!
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Fri, 04 Aug 2017 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 7 years and 321 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.