Bart Massey, an X.Org user, reported that "When running rendertest from XCB xcb/xcb-demo, the Xorg X server crashes partway through. 100% reproducible on a wide variety of graphics architectures". Analyzing the bug, Eric Anholt found out that a typo in render/mitri.c causes the X render extension to miscalculate the size of a buffer, leading to an overflow, which can probably be exploited by clients of the X server on most systems. This is Freedesktop.org bugzilla #6642. It has been marked confidential after the security implications of the problem were identified. X.Org releases 6.8.0 and later are affected by this bug. Previous versions (and XFree86 versions) are not affected.
Created attachment 85279 [details, diff] xrender-mitri.diff
Upstream patch.
Donnie please advise on severity and attach an updated ebuild to this bug. We will call Arch Security Liaisons to test. Do NOT commit anything yet.
For severity, you can just read the description. Buffer overflow, probably exploitable by X clients (any X-using program). I'll be pushing out a new 6.8.2-r7, 6.9-r1 and xorg-server 1.0.2 and 1.0.99.901-r2. Ah, the joys of so many parallel ebuilds. Testers will probably want to test either 6.8.2 or 1.0.2, current stable and ~arch. Ebuilds coming today or tomorrow.
Thx Donnie, just remember: don't commit the updates to Portage just yet :-)
You didn't need to tell me the first time, let alone a second. I don't really appreciate being treated like I'm clueless.
To be on the safe side I'd rather say it too often. This was obviously too often. I was just not sure after reading your comment #3; OTOH, you've handled stuff like this before and I should have remembered. Sorry about that.
Created attachment 85322 [details, diff] modular patch
Created attachment 85323 [details, diff] monolith patch
Created attachment 85325 [details] xorg-x11-6.8.2-r7.ebuild
Created attachment 85326 [details] xorg-x11-6.9.0-r1.ebuild
Created attachment 85327 [details] xorg-server-1.0.2-r4.ebuild
Created attachment 85328 [details] xorg-server-1.0.99.901-r2.ebuild
Thx Donnie. Arch Security Liaisons please test and report back on this bug.
I've confirmed the fix no longer crashes the server. Although the rendertest client crashes now, that's a separate issue.
(In reply to comment #14)
> I've confirmed the fix no longer crashes the server. Although the rendertest
> client crashes now, that's a separate issue.

I'm running xorg-x11-6.8.2-r6 on amd64 and I'd like to be able to confirm this. I tried checking out xcb-demo from cvs because it appears that xcb-demo isn't in portage. The cvs version fails on ./configure, it says:

checking for XCB... configure: error: Package requirements (xcb) were not met:
No package 'xcb' found

and I have x11-misc/xcb-2.4 installed. Any hints?

http://webcvs.freedesktop.org/xcb/xcb-demo/
cvs -d :pserver:anoncvs@cvs.freedesktop.org:/cvs/xcb co xcb-demo
I have compile tested xorg-x11-6.8.2-r7 and xorg-server-1.0.2-r4 on PPC64 now. They compile just fine, but unfortunately I don't have access to the bug on fd.o bugzilla, so I don't know how to trigger this bug. Is there a testcase?
(In reply to comment #15)
> (In reply to comment #14)
> > I've confirmed the fix no longer crashes the server. Although the rendertest
> > client crashes now, that's a separate issue.
>
> I'm running xorg-x11-6.8.2-r6 on amd64 and I'd like to be able to confirm this.
> I tried checking out xcb-demo from cvs because it appears that xcb-demo isn't
> in portage. The cvs version fails on ./configure, it says:
>
> checking for XCB... configure: error: Package requirements (xcb)
> were not met: No package 'xcb' found
>
> and I have x11-misc/xcb-2.4 installed. Any hints?

X Cut Buffers != X C Bindings. XCB is no longer maintained in CVS, it's in git. You'll need to install stuff in roughly this order: xcb-proto, xcb, xcb-util, xcb-demo.
Created attachment 85366 [details, diff] xcb-build.diff
This hacky patch fixes the build of xcb-util and xcb-demos.
(In reply to comment #16)
> I have compile tested xorg-x11-6.8.2-r7 and xorg-server-1.0.2-r4 on PPC64 now.
>
> they compile just fine, but unfortunately I don't have access to the bug on
> fd.o bugzilla, so I don't know how to trigger this bug. Is there a testcase?

As mentioned in comment #0, rendertest from xcb/xcb-demo is the testcase. http://xcb.freedesktop.org/wiki/ has all the info.
Adding Ferris since he's our xorg man in the sparc team.
Um, for me, repoman hates -r6.
There's no -r6 anywhere on this bug, so it's a little unclear what you're talking about.
Seems fine to me. (x86)
Seems fine to me. (amd64)
Looks good on hppa
Looks good on sparc 2.6/ati-pci.
sparc with 2.6 kernel/sunffb video driver builds and seems fine when using xorg-server-1.0.99.901-r2 + the modular patch.
Still missing test reports from alpha, ppc and ppc64 teams
cc'ing ferdy on behalf of alpha.
Looks ok on Alpha.
6.8.2-r7 looks good on ppc
ppc64 please test and report back, disclosure date is tomorrow.
Sorry for being late. Looks good on ppc64.
Thx Markus. Security please review draft GLSA so we can release on time.
Opening since it is public now. Donnie/someone with commit rights please commit the ebuilds, GLSA is ready.
Ebuilds committed.
Thx Joshua. This one is ready for GLSA. Let's give the mirrors a chance to sync before sending the GLSA.
Thx everyone. GLSA 200605-02