Bug 487360 (CVE-2013-4396) - <x11-base/xorg-server-{1.9.5-r3,1.10.6-r3,1.11.4-r3,1.12.4-r2,1.13.4-r1,1.14.3-r2}: Use after free in Xserver handling of ImageText requests (CVE-2013-4396)
Status: RESOLVED FIXED
Alias: CVE-2013-4396
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://lists.x.org/archives/xorg-anno...
Whiteboard: A3 [glsa]
Keywords:
Duplicates: 487536
Depends on:
Blocks:
 
Reported: 2013-10-08 21:57 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2014-05-15 12:18 UTC
See Also:
Package list:
Runtime testing required: ---
Description Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-08 21:57:03 UTC
X.Org Security Advisory: October 8, 2013 - CVE-2013-4396
Use after free in Xserver handling of ImageText requests
========================================================

Description:
============

Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org security
team in which an authenticated X client can cause an X server to use memory
after it was freed, potentially leading to a crash and/or memory corruption.

Affected Versions
=================

This bug appears to have been introduced in RCS version 1.42 on 1993/09/18,
and is thus believed to be present in every X server release starting with
X11R6.0 up to the current xorg-server 1.14.3.  (Manual inspection shows it
is present in the sources from the X11R6 tarballs, but not in those from the
X11R5 tarballs.)

Fixes
=====

A fix is available via the attached patch, which is intended to be included
in xorg-server 1.15.0 and 1.14.4.

Thanks
======

X.Org thanks Pedro Ribeiro for reporting this issue to our security team at
xorg-security at lists.x.org.
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-10 11:56:37 UTC
Fixed in

xorg-server-1.9.5-r3
xorg-server-1.10.6-r3
xorg-server-1.11.4-r3
xorg-server-1.12.4-r2
xorg-server-1.13.4-r1
xorg-server-1.14.3-r2
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-10 15:04:05 UTC
*** Bug 487536 has been marked as a duplicate of this bug. ***
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-11 14:02:40 UTC
Arches, please stabilize the versions mentioned in comment 1.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-11 15:44:51 UTC
For everything prior to 1.14.3 I have dropped HPPA keywording.
=x11-base/xorg-server-1.14.3-r2 is stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-12 08:55:33 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-10-13 08:11:44 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-14 06:00:46 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-15 18:49:17 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-16 19:31:56 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-21 17:37:23 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-22 08:19:09 UTC
ppc and sparc stable
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:21:37 UTC
CVE-2013-4396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4396):
  Use-after-free vulnerability in the doImageText function in dix/dixfonts.c
  in the xorg-server module before 1.14.4 in X.Org X11 allows remote
  authenticated users to cause a denial of service (daemon crash) or possibly
  execute arbitrary code via a crafted ImageText request that triggers
  memory-allocation failure.
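The advisory in the description and the NVD entry above both describe the same bug class: an allocation-failure error path in the server frees an object that the caller still holds, and the caller's cleanup then touches freed memory. The following C program is an added illustration of that class written for this page; it is not the xorg-server code and does not reproduce the real doImageText logic. All names (text_ctx, fill_ctx_vulnerable, fill_ctx_fixed, handle_request) and the sample payload are constructed. A small tracking allocator poisons freed blocks instead of returning them to the heap, so the use-after-free is reported deterministically rather than being undefined behaviour; the value 11 for BadAlloc is the X protocol error code from X.h.

```c
/* Constructed illustration of CVE-2013-4396's bug class (error-path
 * use-after-free after a failed allocation).  Not the xorg-server code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define Success  0
#define BadAlloc 11     /* X protocol error code, as defined in X.h */

/* Tracking allocator: tracked_free() marks a block freed instead of
 * returning it to the heap, so a later access is detected instead of
 * being undefined behaviour.  fail_next simulates an allocation failure. */
#define MAX_TRACK 64
static struct { void *ptr; int freed; } track[MAX_TRACK];
static int ntrack;
static int fail_next;

static void *tracked_alloc(size_t n)
{
    if (fail_next || ntrack == MAX_TRACK) { fail_next = 0; return NULL; }
    void *p = calloc(1, n);
    if (p) { track[ntrack].ptr = p; track[ntrack].freed = 0; ntrack++; }
    return p;
}

static int is_freed(const void *p)
{
    for (int i = 0; i < ntrack; i++)
        if (track[i].ptr == p) return track[i].freed;
    return 0;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < ntrack; i++)
        if (track[i].ptr == p) track[i].freed = 1;
}

static void tracker_reset(void)
{
    for (int i = 0; i < ntrack; i++) free(track[i].ptr);
    ntrack = 0;
    fail_next = 0;
}

/* Per-request context (constructed; not the X server's closure type). */
typedef struct { char *data; int ndata; } text_ctx;

/* BEFORE: on its error path the helper frees ctx, although the caller
 * allocated ctx and still holds a pointer to it. */
static int fill_ctx_vulnerable(text_ctx *ctx, const char *text, int n)
{
    ctx->data = tracked_alloc((size_t)n);
    if (!ctx->data) {
        tracked_free(ctx);          /* frees memory it does not own */
        return BadAlloc;
    }
    memcpy(ctx->data, text, (size_t)n);
    ctx->ndata = n;
    return Success;
}

/* AFTER: the helper releases only what it allocated itself; ownership of
 * ctx stays with the caller on every path. */
static int fill_ctx_fixed(text_ctx *ctx, const char *text, int n)
{
    char *buf = tracked_alloc((size_t)n);
    if (!buf)
        return BadAlloc;            /* nothing to undo: ctx is still valid */
    memcpy(buf, text, (size_t)n);
    ctx->data = buf;
    ctx->ndata = n;
    return Success;
}

/* Request handler shared by both variants.  Returns the X status code and
 * reports via *uaf whether the caller's cleanup reached a freed object. */
static int handle_request(int use_fixed, int fail_data_alloc, int *uaf)
{
    static const char sample[] = "constructed ImageText payload";
    tracker_reset();
    *uaf = 0;

    text_ctx *ctx = tracked_alloc(sizeof *ctx);
    if (!ctx) return BadAlloc;

    fail_next = fail_data_alloc;   /* make the data allocation fail */
    int rc = use_fixed ? fill_ctx_fixed(ctx, sample, (int)sizeof sample)
                       : fill_ctx_vulnerable(ctx, sample, (int)sizeof sample);

    /* Caller cleanup runs on every path, as a real handler's would. */
    if (is_freed(ctx)) {
        *uaf = 1;                  /* real code would dereference freed memory here */
    } else {
        tracked_free(ctx->data);   /* no-op when data is NULL */
        tracked_free(ctx);
    }
    return rc;
}

static int request_status(int use_fixed, int fail_data_alloc)
{ int uaf; return handle_request(use_fixed, fail_data_alloc, &uaf); }

static int uaf_detected(int use_fixed, int fail_data_alloc)
{ int uaf; handle_request(use_fixed, fail_data_alloc, &uaf); return uaf; }

int main(void)
{
    printf("vulnerable, alloc fails: status=%d uaf=%d\n",
           request_status(0, 1), uaf_detected(0, 1));
    printf("fixed, alloc fails:      status=%d uaf=%d\n",
           request_status(1, 1), uaf_detected(1, 1));
    printf("fixed, alloc succeeds:   status=%d uaf=%d\n",
           request_status(1, 0), uaf_detected(1, 0));
    tracker_reset();
    return 0;
}
```

The point the fixed variant makes is the one the advisory's fix depends on: an error path may only release what the current function allocated, and the status code, not a dangling pointer, tells the caller what to undo. In a real audit the same ownership question (who frees what, on which path) is what to ask of every BadAlloc return in a request handler.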
Comment 13 Sergey Popov gentoo-dev 2013-10-28 17:45:30 UTC
Thanks everyone, GLSA request filed

@maintainers: cleanup vulnerable versions, please
Comment 14 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-28 17:56:57 UTC
Vulnerable versions have been removed from the tree.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-05-15 12:18:54 UTC
This issue was resolved and addressed in
 GLSA 201405-07 at http://security.gentoo.org/glsa/glsa-201405-07.xml
by GLSA coordinator Mikle Kolyada (Zlogene).