Package: guix-patches;
Reported by: Kei Kebreau <kei <at> openmailbox.org>
Date: Thu, 6 Jul 2017 19:29:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#27600: closed ([PATCH] gnu: xorg-server: Fix CVE-2017-{10971,10972}.)
Date: Fri, 07 Jul 2017 03:54:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Thu, 6 Jul 2017 23:53:19 -0400
with message-id <20170707035319.GA20475 <at> jasmine.lan>
and subject line Re: [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971, 10972}.
has caused the debbugs.gnu.org bug report #27600,
regarding [PATCH] gnu: xorg-server: Fix CVE-2017-{10971,10972}.
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
27600: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27600
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Kei Kebreau <kei <at> openmailbox.org> To: guix-patches <at> gnu.org Cc: Kei Kebreau <kei <at> openmailbox.org> Subject: [PATCH] gnu: xorg-server: Fix CVE-2017-{10971,10972}. Date: Thu, 6 Jul 2017 15:28:07 -0400* gnu/packages/xorg.scm (xorg-server)[source]: Add patches. * gnu/packages/patches/xorg-CVE-2017-10971.patch, gnu/packages/patches/xorg-CVE-2017-10972.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. --- gnu/local.mk | 2 + gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++ gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++ gnu/packages/xorg.scm | 5 +- 4 files changed, 194 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch diff --git a/gnu/local.mk b/gnu/local.mk index 8dbce7c05..bb93cac53 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1081,6 +1081,8 @@ dist_patch_DATA = \ %D%/packages/patches/xinetd-fix-fd-leak.patch \ %D%/packages/patches/xinetd-CVE-2013-4342.patch \ %D%/packages/patches/xmodmap-asprintf.patch \ + %D%/packages/patches/xorg-CVE-2017-10971.patch \ + %D%/packages/patches/xorg-CVE-2017-10972.patch \ %D%/packages/patches/libyaml-CVE-2014-9130.patch \ %D%/packages/patches/zathura-plugindir-environment-variable.patch \ %D%/packages/patches/zziplib-CVE-2017-5974.patch \ diff --git a/gnu/packages/patches/xorg-CVE-2017-10971.patch b/gnu/packages/patches/xorg-CVE-2017-10971.patch new file mode 100644 index 000000000..2696033e5 --- /dev/null +++ b/gnu/packages/patches/xorg-CVE-2017-10971.patch @@ -0,0 +1,153 @@ +From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb <at> suse.com> +Date: Wed, 24 May 2017 15:54:40 +0300 +Subject: dix: Disallow GenericEvent in SendEvent request. + +The SendEvent request holds xEvent which is exactly 32 bytes long, no more, +no less. Both ProcSendEvent and SProcSendEvent verify that the received data +exactly match the request size. However nothing stops the client from passing +in event with xEvent::type = GenericEvent and any value of +xGenericEvent::length. + +In the case of ProcSendEvent, the event will be eventually passed to +WriteEventsToClient which will see that it is Generic event and copy the +arbitrary length from the receive buffer (and possibly past it) and send it to +the other client. This allows clients to copy unitialized heap memory out of X +server or to crash it. + +In case of SProcSendEvent, it will attempt to swap the incoming event by +calling a swapping function from the EventSwapVector array. The swapped event +is written to target buffer, which in this case is local xEvent variable. The +xEvent variable is 32 bytes long, but the swapping functions for GenericEvents +expect that the target buffer has size matching the size of the source +GenericEvent. This allows clients to cause stack buffer overflows. + +Signed-off-by: Michal Srb <msrb <at> suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer <at> who-t.net> + +diff --git a/dix/events.c b/dix/events.c +index 3e3a01e..d3a33ea 100644 +--- a/dix/events.c ++++ b/dix/events.c +@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) + client->errorValue = stuff->event.u.u.type; + return BadValue; + } ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } + if (stuff->event.u.u.type == ClientMessage && + stuff->event.u.u.detail != 8 && + stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { +diff --git a/dix/swapreq.c b/dix/swapreq.c +index 719e9b8..6785059 100644 +--- a/dix/swapreq.c ++++ b/dix/swapreq.c +@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) + swapl(&stuff->destination); + swapl(&stuff->eventMask); + ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } ++ + /* Swap event */ + proc = EventSwapVector[stuff->event.u.u.type & 0177]; + if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ +-- +cgit v0.10.2 + +From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb <at> suse.com> +Date: Wed, 24 May 2017 15:54:41 +0300 +Subject: Xi: Verify all events in ProcXSendExtensionEvent. + +The requirement is that events have type in range +EXTENSION_EVENT_BASE..lastEvent, but it was tested +only for first event of all. + +Signed-off-by: Michal Srb <msrb <at> suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer <at> who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 1cf118a..5e63bfc 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) + int + ProcXSendExtensionEvent(ClientPtr client) + { +- int ret; ++ int ret, i; + DeviceIntPtr dev; + xEvent *first; + XEventClass *list; +@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) + /* The client's event type must be one defined by an extension. */ + + first = ((xEvent *) &stuff[1]); +- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && +- (first->u.u.type < lastEvent))) { +- client->errorValue = first->u.u.type; +- return BadValue; ++ for (i = 0; i < stuff->num_events; i++) { ++ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && ++ (first[i].u.u.type < lastEvent))) { ++ client->errorValue = first[i].u.u.type; ++ return BadValue; ++ } + } + + list = (XEventClass *) (first + stuff->num_events); +-- +cgit v0.10.2 + +From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb <at> suse.com> +Date: Wed, 24 May 2017 15:54:42 +0300 +Subject: Xi: Do not try to swap GenericEvent. + +The SProcXSendExtensionEvent must not attempt to swap GenericEvent because +it is assuming that the event has fixed size and gives the swapping function +xEvent-sized buffer. + +A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. + +Signed-off-by: Michal Srb <msrb <at> suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer <at> who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 5e63bfc..5c2e0fc 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) + + eventP = (xEvent *) &stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { ++ if (eventP->u.u.type == GenericEvent) { ++ client->errorValue = eventP->u.u.type; ++ return BadValue; ++ } ++ + proc = EventSwapVector[eventP->u.u.type & 0177]; +- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ ++ /* no swapping proc; invalid event type? */ ++ if (proc == NotImplemented) { ++ client->errorValue = eventP->u.u.type; + return BadValue; ++ } + (*proc) (eventP, &eventT); + *eventP = eventT; + } +-- +cgit v0.10.2 + diff --git a/gnu/packages/patches/xorg-CVE-2017-10972.patch b/gnu/packages/patches/xorg-CVE-2017-10972.patch new file mode 100644 index 000000000..f24e9c0ae --- /dev/null +++ b/gnu/packages/patches/xorg-CVE-2017-10972.patch @@ -0,0 +1,35 @@ +From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb <at> suse.com> +Date: Wed, 24 May 2017 15:54:39 +0300 +Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. + +Make sure that the xEvent eventT is initialized with zeros, the same way as +in SProcSendEvent. + +Some event swapping functions do not overwrite all 32 bytes of xEvent +structure, for example XSecurityAuthorizationRevoked. Two cooperating +clients, one swapped and the other not, can send +XSecurityAuthorizationRevoked event to each other to retrieve old stack data +from X server. This can be potentialy misused to go around ASLR or +stack-protector. + +Signed-off-by: Michal Srb <msrb <at> suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer <at> who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer <at> who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 11d8202..1cf118a 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +-- +cgit v0.10.2 + diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index 7b1d00f47..ec6fe6069 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -5000,7 +5000,10 @@ over Xlib, including: name "-" version ".tar.bz2")) (sha256 (base32 - "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7")))) + "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7")) + (patches + (search-patches "xorg-CVE-2017-10971.patch" + "xorg-CVE-2017-10972.patch")))) (build-system gnu-build-system) (propagated-inputs `(("dri2proto" ,dri2proto) -- 2.13.2
[Message part 3 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name> To: Kei Kebreau <kei <at> openmailbox.org> Cc: 27600-done <at> debbugs.gnu.org Subject: Re: [bug#27600] [PATCH] gnu: xorg-server: Fix CVE-2017-{10971, 10972}. Date: Thu, 6 Jul 2017 23:53:19 -0400[Message part 4 (text/plain, inline)]On Thu, Jul 06, 2017 at 07:43:43PM -0400, Leo Famulari wrote: > On Thu, Jul 06, 2017 at 03:28:07PM -0400, Kei Kebreau wrote: > > * gnu/packages/xorg.scm (xorg-server)[source]: Add patches. > > * gnu/packages/patches/xorg-CVE-2017-10971.patch, > > gnu/packages/patches/xorg-CVE-2017-10972.patch: New files. > > * gnu/local.mk (dist_patch_DATA): Add them. > > Yikes, these bugs! > > > --- > > gnu/local.mk | 2 + > > gnu/packages/patches/xorg-CVE-2017-10971.patch | 153 +++++++++++++++++++++++++ > > gnu/packages/patches/xorg-CVE-2017-10972.patch | 35 ++++++ > > gnu/packages/xorg.scm | 5 +- > > 4 files changed, 194 insertions(+), 1 deletion(-) > > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10971.patch > > create mode 100644 gnu/packages/patches/xorg-CVE-2017-10972.patch > > Please rename the patch files to include the name of the package > (xorg-server), adjust the changes to local.mk accordingly, and please > push! I had some time so I made the adjustment and pushed on your behalf. Thanks again![signature.asc (application/pgp-signature, inline)]
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.