Bug 493294 (CVE-2013-6424) - <x11-base/xorg-server-1.18.4: integer underflow when handling trapezoids (CVE-2013-6424)
Status: RESOLVED FIXED
Alias: CVE-2013-6424
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa cve cleanup]
Depends on: 579266 CVE-2017-2624 CVE-2017-13721, CVE-2017-13723
Reported: 2013-12-04 10:09 UTC by Agostino Sarubbo
Modified: 2017-10-29 19:44 UTC
kensington: sanity-check+

Description Agostino Sarubbo gentoo-dev 2013-12-04 10:09:57 UTC
From ${URL} :

An integer underflow flaw was found in the X.Org server when handling trapezoids. A malicious, authorized 
client could use this flaw to crash the X.Org server.

References:
http://seclists.org/oss-sec/2013/q4/399
http://patchwork.freedesktop.org/patch/14769/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-01-26 02:14:08 UTC
CVE-2013-6424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6424):
  Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org
  allows context-dependent attackers to cause a denial of service (crash) via
  a negative bottom value.
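
The failure mode the CVE text describes, as an added C example that is not taken from the X.Org source or from this bug: a validity test that subtracts two 32-bit coordinates can wrap for a large negative bottom value, while a direct comparison cannot. The subtraction-based form is an assumed model of the check (the macro body is not quoted on this page), and the struct, field and function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reduced trapezoid: only the two 32-bit fixed-point
 * fields the validity test compares (names are assumptions). */
typedef int32_t fixed_t;
struct trap { fixed_t top, bottom; };

/* Difference-style test: "valid if bottom - top is positive". Done in
 * uint32_t so the wrap is well defined; the cast models a 32-bit int. */
static int valid_by_difference(const struct trap *t)
{
    uint32_t diff = (uint32_t)t->bottom - (uint32_t)t->top;
    return (int32_t)diff > 0;
}

/* Comparison-style test: no arithmetic, so nothing can wrap. */
static int valid_by_comparison(const struct trap *t)
{
    return t->bottom > t->top;
}

/* Count the inputs on which the two tests disagree. */
static int count_disagreements(const struct trap *v, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (valid_by_difference(&v[i]) != valid_by_comparison(&v[i]))
            bad++;
    return bad;
}

/* Constructed sample inputs (16.16 fixed point: 65536 == 1.0). */
static const struct trap samples[] = {
    { 0,     65536     },  /* normal trapezoid: accepted by both    */
    { 65536, 0         },  /* inverted: rejected by both            */
    { 65536, INT32_MIN },  /* large negative bottom: difference wraps */
    { 65536, 65536     },  /* zero height: rejected by both         */
};

int main(void)
{
    int n = (int)(sizeof samples / sizeof samples[0]);
    for (int i = 0; i < n; i++)
        printf("top=%d bottom=%d diff-check=%d cmp-check=%d\n",
               (int)samples[i].top, (int)samples[i].bottom,
               valid_by_difference(&samples[i]), valid_by_comparison(&samples[i]));
    printf("disagreements: %d\n", count_disagreements(samples, n));
    return 0;
}
```
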
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2014-01-26 16:24:18 UTC
It appears that this patch was still not accepted into fdo git.
http://lists.x.org/archives/xorg-devel/2013-October/037996.html
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-10-21 14:02:48 UTC
@maintainer(s), 1.18.4 has the appropriate fix, but 1.16.4 and 1.17.4 do not.  Stable keywords do not match the older versions so we can request stable here if you like.  What would you like to do?
Comment 4 Matt Turner gentoo-dev 2016-10-21 19:03:33 UTC
Yes, please stabilize. Thanks.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-22 09:01:27 UTC
(In reply to Aaron Bauman from comment #3)
> @maintainer(s), 1.18.4 has the appropriate fix, but 1.16.4 and 1.17.4 do
> not.

So what are you going to do for people stuck on those older versions?
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-10-22 09:10:38 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Aaron Bauman from comment #3)
> > @maintainer(s), 1.18.4 has the appropriate fix, but 1.16.4 and 1.17.4 do
> > not.
> 
> So what are you going to do for people stuck on those older versions?

Can the maintainers backport the appropriate patch?  We are not trying to isolate anyone here.  Should these last arches not be stabilized?
Comment 7 Agostino Sarubbo gentoo-dev 2016-10-22 11:32:44 UTC
Already stable on alpha amd64 hppa x86.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-10-22 14:16:09 UTC
(In reply to Agostino Sarubbo from comment #7)
> Already stable on alpha amd64 hppa x86.

Yes, I am aware, but his concern seems to be the older versions.
Comment 9 Agostino Sarubbo gentoo-dev 2016-10-22 14:38:34 UTC
(In reply to Aaron Bauman from comment #8)
> Yes, I am aware, but his concern seems to be the older versions.

Fine for me. CC back the interested arches when there is a defined target.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 11:30:59 UTC
@arches, please finalize stabilization.
Comment 11 Markus Meier gentoo-dev 2016-11-29 17:23:16 UTC
arm stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-12-24 07:45:05 UTC
Ping for final arches.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-12-31 06:46:01 UTC
ping for final arches.
Comment 14 Mart Raudsepp gentoo-dev 2017-01-01 23:34:50 UTC
It mustn't only be xorg-server-1.18.4 to be stabled. There's a few other things that should be done in parallel (xorg-drivers, various drivers that might need to be stabled to actually be compatible with that xserver, etc), and these are included in the dependent bug 579266 (though there's some things that don't HAVE to be done at the same time, but...).
sanity-check+ is happening because kensington's checker also included all the atoms in bug 579266 in the check as well, because it's marked as a dependency.
I am removing xorg-server atom here to avoid confusion that might end up with only xserver being stabilized without all the rest. xorg-server-1.18.4 is already included in bug 579266 list.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-01-01 23:43:37 UTC
(In reply to Mart Raudsepp from comment #14)
> It mustn't only be xorg-server-1.18.4 to be stabled. There's a few other
> things that should be done in parallel (xorg-drivers, various drivers that
> might need to be stabled to actually be compatible with that xserver, etc),
> and these are included in the dependent bug 579266 (though there's some
> things that don't HAVE to be done at the same time, but...).
> sanity-check+ is happening because kensington's checker also included all the
> atoms in bug 579266 in the check as well, because it's marked as a
> dependency.
> I am removing xorg-server atom here to avoid confusion that might end up
> with only xserver being stabilized without all the rest. xorg-server-1.18.4
> is already included in bug 579266 list.

Thanks, my bad on missing that.
Comment 16 Pacho Ramos gentoo-dev 2017-01-03 17:40:02 UTC
pending arches should do bug 579266 then
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-01-25 13:06:48 UTC
This issue was resolved and addressed in
 GLSA 201701-64 at https://security.gentoo.org/glsa/201701-64
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-25 13:16:02 UTC
Re-opening for cleanup.

@ Maintainer(s): Please clean up and drop <x11-base/xorg-server-1.18.4 or apply masks indicating a security problem.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2017-05-25 05:27:05 UTC
Cleanup dependency Bug 611350
Comment 20 Matt Turner gentoo-dev 2017-10-21 01:19:52 UTC
1.18 is now gone from the tree, and versions <1.19.2 are now package.mask'd. Please proceed.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 19:44:41 UTC
This issue was resolved and addressed in
 GLSA 201710-30 at https://security.gentoo.org/glsa/201710-30
by GLSA coordinator Aaron Bauman (b-man).