Bug 204362 - x11-base/xorg-server|x11-libs/libXfont Multiple vulnerabilities (CVE-2007-{5760,5958,6427,6428,6429}CVE-2008-0006)
Summary: x11-base/xorg-server|x11-libs/libXfont Multiple vulnerabilities (CVE-2007-{57...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High critical
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
: 206633
Depends on: 206490
Reported: 2008-01-05 01:31 UTC by Robert Buchholz (RETIRED)
Modified: 2011-10-20 05:03 UTC

1.4-security-204362.patch (1.4-security-204362.patch, 14.89 KB, patch)
2008-01-05 01:37 UTC, Robert Buchholz (RETIRED)
(,16.40 KB, patch)
2008-01-05 01:38 UTC, Robert Buchholz (RETIRED)
Tarred up x11-base/xorg-server/ (x11-base.tar.bz2, 31.63 KB, application/octet-stream)
2008-01-11 19:09 UTC, Donnie Berkholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 01:31:44 UTC
Multiple vulnerabilities were reported in X.Org Server. 

  xorg does not enforce restrictions when a user specifies a security policy,
  allowing for disclosure of the existence of a file (and an attempt to open it)

  Invalid array index vulnerability in the XFree86-Misc extension when
  processing PassMessage requests, leading to arbitrary code execution.

  Heap memory corruption vulnerability in various functions within
  the XInput extension.

  Failure to sanitize an index value, leading to arbitrary memory access in
  the ProcGetReservedColormapEntries() function in the TOG-CUP extension.

  Integer overflow in the ProcEVIGetVisualInfo() function in the EVI extension
  and in the VERIFY_SHMSIZE macro in the MIT-SHM extension leading to buffer
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 01:35:13 UTC
Donnie, I'll be attaching patches to this bug in a moment.
Please prepare updated ebuilds (at least for our stable 1.3) and attach them to this bug. Do not commit anything yet as these vulnerabilities are under embargo until Jan. 8 (delay was requested).
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 01:37:48 UTC
Created attachment 140148 [details, diff]

Upstream proposed patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 01:38:50 UTC
Created attachment 140149 [details, diff]

Backported version for -- mostly declarations were changed, please check though.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-06 08:52:03 UTC
Delay accepted by upstream.
Comment 5 Donnie Berkholz (RETIRED) gentoo-dev 2008-01-07 23:01:51 UTC
I'll post ebuilds in the next couple of days. In case someone else wants to do it before I get to it, my plan is to add individual patches, one for each vuln, to the PATCHES variable of the ebuild. I'll make a and xorg-server-1.2 will not be supported anymore.

Just FYI, I follow upstream xorg security bugs so I have most of the info.
Comment 6 Donnie Berkholz (RETIRED) gentoo-dev 2008-01-11 19:09:58 UTC
Created attachment 140734 [details]
Tarred up x11-base/xorg-server/

Unpack this in the base of your overlay.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-01-11 23:11:22 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"

CC'ing current Liaisons:
  alpha : ferdy
  amd64 : welp
   hppa : jer
    ppc : dertobi123
  ppc64 : corsair
  sparc : fmccor
    x86 : opfer
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2008-01-12 00:39:32 UTC
So that you know, I probably can't get to this before Monday because to test X things like this (the server) I need to be physically where the system I use for testing is.  I doubt that will be possible before the 14th.

fmccor for sparc.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-12 01:13:48 UTC
(In reply to comment #8)
> So that you know, I probably can't get to this before Monday

Not a problem, we have a buffer till Thursday, 17th currently. Thanks for notifying.

Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2008-01-12 12:32:31 UTC
Good to go on x86 (tested 1.3).
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-01-12 16:59:20 UTC
1.3 is OK for HPPA.
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2008-01-12 21:27:23 UTC
looks good on ppc64
Comment 13 Ferris McCormick (RETIRED) gentoo-dev 2008-01-14 13:34:59 UTC
x11-base/xorg-server- good on sparc.
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-01-14 18:43:45 UTC
Adding Tobias (Blackb|rd) for alpha
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-14 21:19:00 UTC
Looks good on ppc
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2008-01-14 21:43:46 UTC
Tobias says it looks fine on alpha.

I say it looks fine on ia64.

1.3, that is.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 16:22:00 UTC
amd64 -- looks good here.

We have all security-relevant stable keywords:
  "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-01-17 14:13:35 UTC
Hi arches, (I'm back :) )

The confidential delay has expired. It's public from now.

Donnie, or X11 maintainers, could you commit the stuff please, thanks. The GLSA is ready. You did good work, thanks.
Comment 19 Donnie Berkholz (RETIRED) gentoo-dev 2008-01-17 18:46:11 UTC
(In reply to comment #18)
> Donnie, or X11 maintainers, could you commit the stuff please, thanks. The GLSA
> is ready. You did good work, thanks.

Working on it. We missed a libXfont patch, so we'll need to re-add arches once I get that in. It will be a few hours.
Comment 20 Donnie Berkholz (RETIRED) gentoo-dev 2008-01-17 18:55:50 UTC
libXfont 1.3.1-r1 is in the tree, targeted for stable. Please re-add arches to get it there.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-17 20:11:38 UTC
Thx Donnie.

Arches please test and mark stable. Target keywords are:

libXfont-1.3.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"

Adding CVE-2008-0006 for the libXfont issue.
Comment 22 Markus Meier gentoo-dev 2008-01-17 20:49:57 UTC
x86 stable
Comment 23 Jonas Pedersen 2008-01-17 21:23:38 UTC
x11-libs/libXfont-1.3.1-r1  USE="ipv6 -debug"

1. Emerges on AMD64. 
2. No collisions etc. 
3. Works. XOrg still works after upgrade. 

Comment 24 Brent Baude (RETIRED) gentoo-dev 2008-01-18 01:38:57 UTC
ppc64 done
Comment 25 Ferris McCormick (RETIRED) gentoo-dev 2008-01-18 12:43:49 UTC
libXfont-1.3.1-r1 stable on sparc, and we are done.
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2008-01-18 12:46:51 UTC
alpha/ia64 stable
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-18 20:18:56 UTC
ppc stable
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-18 20:38:55 UTC
Seems like the patch introduced a regression with xine-ui, vlc and others. Back to ebuild for now.;a=commitdiff;h=e9fa7c1c88a8130a48f772c92b186b8b777986b5

Donnie please verify and update patches accordingly. Sorry for the extra work.
Comment 29 Donnie Berkholz (RETIRED) gentoo-dev 2008-01-18 21:33:47 UTC
I just revbumped, maintaining the same keywords as in the original security-marked revisions since this is a small modification to that.
Comment 30 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-18 22:07:34 UTC
Thx for the quick fix Donnie. Back to stable marking.
Comment 31 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-18 22:28:36 UTC
And now even with arches CC'ed :)
Comment 32 Jeroen Roovers (RETIRED) gentoo-dev 2008-01-19 06:17:01 UTC
Stable for HPPA.
Comment 33 Jakub Moc (RETIRED) gentoo-dev 2008-01-19 14:17:00 UTC
*** Bug 206633 has been marked as a duplicate of this bug. ***
Comment 34 Robert Buchholz (RETIRED) gentoo-dev 2008-01-20 18:18:04 UTC
libXfont-1.3.1-r1.ebuild: amd64 stable

Let's get the GLSA out.
Comment 35 Robert Buchholz (RETIRED) gentoo-dev 2008-01-20 21:41:22 UTC
GLSA 200801-09, thanks.
Comment 36 T Chan 2008-01-21 22:23:53 UTC
Failed to update libXfont for me, probably because it was typoed as libxfont. According to glsa-check --dump 200801-09:

Affected package:  x11-libs/libxfont
Affected archs:    All
Vulnerable:        <1.3.1-r1
Unaffected:        >=1.3.1-r1
Comment 37 Robert Buchholz (RETIRED) gentoo-dev 2008-01-21 23:03:53 UTC
(In reply to comment #36)
> Failed to update libXfont for me, probably because it was typoed as libxfont.
> According to glsa-check --dump 200801-09:

Sorry, the error is fixed in CVS, please emerge --sync.
I don't think this warrants an errata mail, as the "Resolution" section was correct and the affected/unaffected section is mostly used by automated tools, which will get the updated XML.
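
The mismatch reported in comment #36, as an added example that is not part of the original thread or of Gentoo's tooling: a check that parses `glsa-check --dump` style output and flags advisory package names that differ from the tree's names only by case, which is how an advisory can silently fail to match an installed package. The dump text is constructed from the fields quoted above; `TREE_PACKAGES`, `parse_dump` and `check_names` are hypothetical names, and the tree listing is a constructed stand-in.

```python
import re

# Constructed sample: the fields quoted in comment #36 (glsa-check --dump output).
DUMP = """\
Affected package:  x11-libs/libxfont
Affected archs:    All
Vulnerable:        <1.3.1-r1
Unaffected:        >=1.3.1-r1
"""

# Constructed stand-in for the category/package names present in the tree.
TREE_PACKAGES = {"x11-libs/libXfont", "x11-base/xorg-server", "x11-libs/libX11"}

FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?):\s+(?P<value>.+?)\s*$")

def parse_dump(text):
    """Return one dict per 'Affected package' stanza, with its other fields."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Affected package":
            entries.append({"package": value})
        elif entries:
            entries[-1][key.lower()] = value
    return entries

def check_names(entries, tree):
    """Classify each advisory package name against the tree, case-sensitively."""
    by_lower = {}
    for name in tree:
        by_lower.setdefault(name.lower(), []).append(name)
    findings = []
    for e in entries:
        name = e["package"]
        matches = sorted(by_lower.get(name.lower(), []))
        if name in tree:
            findings.append((name, "ok", name))
        elif matches:  # same name, different case: the advisory will not match
            findings.append((name, "case-mismatch", matches[0]))
        else:
            findings.append((name, "unknown", None))
    return findings

if __name__ == "__main__":
    for name, status, hint in check_names(parse_dump(DUMP), TREE_PACKAGES):
        print(f"{name}: {status}" + (f" (tree has {hint})" if hint else ""))
```

Run against advisory data before publication, a `case-mismatch` finding points at exactly the kind of affected-package entry that automated tools would skip.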