Bug 172752 - x11-libs/libX11 XGetPixel() integer overflow (CVE-2007-1667)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/bugzilla/...
Whiteboard: A1 [glsa] jaervosz
Reported: 2007-03-30 06:30 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-11-20 05:35 UTC (History)
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-30 06:30:49 UTC
A bug recently showed up in the Debian BTS that describes an integer overflow in
X's XGetPixel() function.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045

The report incorrectly states it is a buffer overflow.  The bug also has a
proposed patch and reproducer for this flaw.

The issue is that the XInitImage() function allows the caller to supply silly
values, which can cause several integer overflows.  A call to XGetPixel() can
also result in integer overflows.  While one would expect the calling
application to sanitize the data passed to XInitImage(), the library should also
be smart enough to prevent the caller from giving it bad data.
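An added example, not libX11's code and not the patch from the Debian report, of the kind of overflow-aware header validation the description asks the library to do, paired with a bounds-checked pixel read in the spirit of XGetPixel(). The img_t struct, its accepted depths, the little-endian pixel assembly and the sample images are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

typedef struct {                /* subset of the XImage fields XInitImage() checks */
    int width, height;          /* image dimensions in pixels */
    int bits_per_pixel;         /* 1, 4, 8, 16, 24 or 32 */
    int bytes_per_line;         /* caller-supplied row stride in bytes */
    const unsigned char *data;  /* pixel buffer of data_len bytes */
    size_t data_len;
} img_t;

/* 1 if the header is consistent and the whole image fits in data_len, with no size product able to wrap. */
int img_validate(const img_t *im)
{
    if (im->data == NULL || im->width <= 0 || im->height <= 0)
        return 0;
    switch (im->bits_per_pixel) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return 0;
    }
    /* smallest stride that holds one row, computed in 64 bits so width*bpp cannot wrap */
    uint64_t min_stride = ((uint64_t)im->width * im->bits_per_pixel + 7) / 8;
    if (im->bytes_per_line <= 0 || (uint64_t)im->bytes_per_line < min_stride)
        return 0;
    /* height*stride <= data_len, tested by division so the product is never formed */
    if ((uint64_t)im->height > im->data_len / (uint64_t)im->bytes_per_line)
        return 0;
    return 1;
}

/* Bounds-checked read of one 8/16/24/32-bpp pixel, assembled little-endian (a constructed choice).
 * Returns -1 for a bad header, a sub-byte depth, or an out-of-range (x, y). */
int64_t img_get_pixel(const img_t *im, int x, int y)
{
    if (!img_validate(im) || im->bits_per_pixel < 8 ||
        x < 0 || y < 0 || x >= im->width || y >= im->height)
        return -1;
    int nbytes = im->bits_per_pixel / 8;
    size_t off = (size_t)y * (size_t)im->bytes_per_line + (size_t)x * (size_t)nbytes;
    int64_t px = 0;             /* validation guarantees off + nbytes <= data_len */
    for (int i = 0; i < nbytes; i++)
        px |= (int64_t)im->data[off + i] << (8 * i);
    return px;
}

/* Constructed samples: a consistent 2x2 16-bpp image, a stride too small for its width, and a header whose width*bpp would wrap a 32-bit int. */
static const unsigned char sample[8] = {1, 2, 3, 4, 5, 6, 7, 8};
const img_t sample_img = {2, 2, 16, 4, sample, 8};
const img_t short_stride = {2, 2, 16, 2, sample, 8};
const img_t wrapping_hdr = {INT_MAX, INT_MAX, 32, INT_MAX, sample, 8};
```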
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-30 06:32:25 UTC
x11 please advise.
Comment 2 Donnie Berkholz (RETIRED) gentoo-dev 2007-03-30 07:39:41 UTC
Quoting from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045;msg=85 -- in particular, see the end of this quote for security relevance.

"For both the broken.xwd and broken2.xwd files in bug #414045,
the offending operation is in libx11-1.0.3/src/ImUtil.c:505
   *dst++ = *src++;
and in fact it's the src pointer that is out of range.
This suggests it's "only" a DOS problem, or at worst an
information leak problem, but no direct exploit is possible."
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-30 07:50:42 UTC
I'm not sure of the severity but RH states integer overflow and the bug with the patch is restricted (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231694)

Should we just put it as upstream until more information becomes available (ie. CVE id)?

Comment 4 Donnie Berkholz (RETIRED) gentoo-dev 2007-03-30 17:08:13 UTC
(In reply to comment #3)
> Should we just put it as upstream until more information becomes available (ie.
> CVE id)?

Sure, if you want. But there seems to be a CVE ID in the subject already..
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-30 19:52:41 UTC
Donnie if you're eager to commit just go ahead, I was just being cautious :)

Though CVE ids can be both rejected and contested, so the id in itself doesn't guarantee anything other than giving a common naming system across vendors.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-04 06:39:42 UTC
Redhat issued an errata here (this also covers the issues from bug #172575):

http://rhn.redhat.com/errata/RHSA-2007-0125.html
Comment 7 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-05 07:02:01 UTC
Arches need to stable x11-libs/libX11-1.0.3-r2 or libX11-1.1.1-r1, at their option.
Comment 8 DrChandra the Gentoo Person 2007-04-05 19:26:42 UTC
libX11-1.1.1-r1.ebuild was recently introduced into ~x86 to do nothing different but additionally apply this patch:

xorg-libX11-1.1.1-xinitimage.diff

The cvs comment for the change refers to the number of this bug.

I had to downgrade to libX11-1.1.1 because this change causes opera
to segfault. I recommend *not* stabilizing this change.
Comment 9 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-05 22:50:15 UTC
Perhaps this should block on bug #173505.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:28:58 UTC
As far as I can see from that bug it's a bug in the client application and not in the patch itself so I suppose we can start marking this one stable. Donnie what do you say?
Comment 11 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-11 18:15:12 UTC
(In reply to comment #10)
> As far as I can see from that bug it's a bug in the client application and not
> in the patch itself so I suppose we can start marking this one stable. Donnie
> what do you say?

Agreed.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 19:39:49 UTC
Arches please test and mark stable. Target keywords are:

libX11-1.1.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-04-11 20:22:51 UTC
stable on ppc64:

dev-libs/libpthread-stubs-0.1
x11-proto/xcb-proto-1.0
x11-libs/libxcb-1.0
x11-libs/libX11-1.1.1-r1
Comment 14 Peter Weller (RETIRED) gentoo-dev 2007-04-11 20:34:47 UTC
ditto on amd64
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2007-04-11 20:40:08 UTC
stable on ia64:

x11-proto/xcb-proto-1.0
x11-libs/libxcb-1.0

stable on x86 + ia64:
x11-libs/libX11-1.1.1-r1
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2007-04-11 21:06:17 UTC
Stable for HPPA.
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-12 19:46:41 UTC
sparc stable.
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-13 15:43:05 UTC
ppc stable
Comment 19 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-18 10:52:28 UTC
alpha done
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-05 23:11:34 UTC
GLSA 200705-06, thanks everybody
Comment 21 Joshua Kinard gentoo-dev 2007-11-20 05:35:26 UTC
1.1.2 is stable for us (at some point)