Bug 130979 - x11-base/xorg-x11 mis-computation of buffer size (CVE-2006-1526)
Bug#: 130979
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: critical
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: http://lists.freedesktop.org/archives/xorg/2006-May/015136.html
Status Whiteboard: A1 [glsa] jaervosz
Opened: 2006-04-23 09:19 0000
Bart Massey, an X.Org user, reported that "When running rendertest from
XCB xcb/xcb-demo, the Xorg X server crashes partway through. 100%
reproducible on a wide variety of graphics architectures".
Analyzing the bug, Eric Anholt found out that a typo in render/mitri.c
causes the X render extension to mis-calculate the size of a
buffer, leading to an overflow, which can probably be exploited by
clients of the X server on most systems.
This is Freedesktop.org bugzilla #6642. It has been marked confidential,
after the security implications of the problem were identified.
X.Org releases 6.8.0 and later are affected by this bug. Previous
versions (and XFree86 versions) are not affected.
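Added example, not part of the bug report and not X.Org source: the report does not show the typo, but the public CVE-2006-1526 description attributes it to a `&` used where `*` was intended in the allocation size. The sketch below shows why that undersizes the buffer and what a validated size computation looks like; `triangle_t`, the function names and the point counts are constructed for illustration, and it assumes `npoint` points produce `npoint - 2` triangles.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in triangle record (three fixed-point vertices), constructed for
 * this example; it is not copied from render/mitri.c. */
typedef struct { int32_t x, y; } point_t;
typedef struct { point_t p1, p2, p3; } triangle_t;   /* 24 bytes */

/* Typo form: '&' where '*' was meant. A bitwise AND can never exceed
 * sizeof(triangle_t), so the size stops growing with the point count. */
size_t size_with_typo(size_t npoint)
{
    return (npoint - 2) & sizeof(triangle_t);
}

/* Intended size with validation: 0 means "reject the request". */
size_t size_checked(size_t npoint)
{
    if (npoint < 3)
        return 0;                           /* no triangle, no underflow */
    size_t ntri = npoint - 2;
    if (ntri > SIZE_MAX / sizeof(triangle_t))
        return 0;                           /* multiplication would wrap */
    return ntri * sizeof(triangle_t);
}

/* Bytes a triangle-filling loop would write past the undersized buffer. */
size_t shortfall(size_t npoint)
{
    size_t need = size_checked(npoint);
    size_t got = size_with_typo(npoint);
    return need > got ? need - got : 0;
}

int main(void)
{
    size_t counts[] = { 3, 10, 26, 1000 };  /* constructed request sizes */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("npoint=%4zu  typo=%2zu  needed=%5zu  overflow=%5zu\n",
               counts[i], size_with_typo(counts[i]),
               size_checked(counts[i]), shortfall(counts[i]));
    return 0;
}
```

Both operators compile without complaint on integer operands, so a slip like this passes the build; a reviewer or static check has to compare each allocation size against the loop bound that fills the buffer.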
Donnie please advise on severity and attach an updated ebuild to this bug. We
will call Arch Security Liaisons to test. Do NOT commit anything yet.
For severity, you can just read the description. Buffer overflow, probably
exploitable by X clients (any X-using program).
I'll be pushing out a new 6.8.2-r7, 6.9-r1 and xorg-server 1.0.2 and
1.0.99.901-r2. Ah, the joys of so many parallel ebuilds.
Testers will probably want to test either 6.8.2 or 1.0.2, current stable and
~arch. Ebuilds coming today or tomorrow.
Thx Donnie, just remember don't commit the updates to Portage just yet:-)
You didn't need to tell me the first time, let alone a second. I don't really
appreciate being treated like I'm clueless.
To be on the safe side I'd rather say it too often. This was obviously too
often. I was just not sure after reading your comment #3, OTOH you've handled
stuff like this before and I should have remembered. Sorry about that.
Thx Donnie.
Arch Security Liaisons please test and report back on this bug.
I've confirmed the fix no longer crashes the server. Although the rendertest
client crashes now, that's a separate issue.
(In reply to comment #14)
> I've confirmed the fix no longer crashes the server. Although the rendertest
> client crashes now, that's a separate issue.
I'm running xorg-x11-6.8.2-r6 on amd64 and I'd like to be able to confirm this.
I tried checking out xcb-demo from cvs because it appears that xcb-demo isn't
in portage. The cvs version fails on ./configure, it says:
checking for XCB... configure: error: Package requirements (xcb)
were not met: No package 'xcb' found
and I have x11-misc/xcb-2.4 installed. Any hints?
http://webcvs.freedesktop.org/xcb/xcb-demo/
cvs -d :pserver:anoncvs@cvs.freedesktop.org:/cvs/xcb co xcb-demo
I have compile tested xorg-x11-6.8.2-r7 and xorg-server-1.0.2-r4 on PPC64 now.
they compile just fine, but unfortunately I don't have access to the bug on
fd.o bugzilla, so I don't know how to trigger this bug. Is there a testcase?
(In reply to comment #15)
> (In reply to comment #14)
> > I've confirmed the fix no longer crashes the server. Although the rendertest
> > client crashes now, that's a separate issue.
>
> I'm running xorg-x11-6.8.2-r6 on amd64 and I'd like to be able to confirm this.
> I tried checking out xcb-demo from cvs because it appears that xcb-demo isn't
> in portage. The cvs version fails on ./configure, it says:
>
> checking for XCB... configure: error: Package requirements (xcb)
> were not met: No package 'xcb' found
>
> and I have x11-misc/xcb-2.4 installed. Any hints?
X Cut Buffers != X C Bindings
XCB is no longer maintained in CVS, it's in git. You'll need to install stuff
in roughly this order: xcb-proto, xcb, xcb-util, xcb-demo.
(In reply to comment #16)
> I have compile tested xorg-x11-6.8.2-r7 and xorg-server-1.0.2-r4 on PPC64 now.
>
> they compile just fine, but unfortunately I don't have access to the bug on
> fd.o bugzilla, so I don't know how to trigger this bug. Is there a testcase?
As mentioned in comment #0, rendertest from xcb/xcb-demo is the testcase.
http://xcb.freedesktop.org/wiki/ has all the info.
Adding Ferris since he's our xorg man in the sparc team.
Um, for me, repoman hates -r6.
There's no -r6 anywhere on this bug, so it's a little unclear what you're
talking about.
Seems fine to me. (amd64)
Looks good on sparc 2.6/ati-pci.
sparc with 2.6 kernel/sunffb video driver builds and seems fine when using
xorg-server-1.0.99.901-r2 + the modular patch.
Still missing test reports from alpha, ppc and ppc64 teams
cc'ing ferdy on behalf of alpha.
6.8.2-r7 looks good on ppc
ppc64 please test and report back, disclosure date is tomorrow.
sorry for being late. looks good on ppc64.
Thx Markus.
Security please review draft GLSA so we can release on time.
Opening since it is public now.
Donnie/someone with commit rights please commit the ebuilds, GLSA is ready.
Thx Joshua.
This one is ready for GLSA. Let's give the mirrors a chance to sync before
sending the GLSA.
Thx everyone.
GLSA 200605-02