Bug 412609 (CVE-2012-2118) - <x11-base/xorg-server-{1.10.6-r1,1.11.4-r1}: DoS and possible format string flaw in Xorg's logging subsystem (CVE-2012-2118)
Summary: <x11-base/xorg-server-{1.10.6-r1,1.11.4-r1}: DoS and possible format string f...
Status: RESOLVED FIXED
Alias: CVE-2012-2118
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on: 418193
Blocks: 419549
Reported: 2012-04-19 08:06 UTC by Agostino Sarubbo
Modified: 2012-07-09 22:23 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2012-04-19 08:06:06 UTC
Kees Cook from oss-security mailing list:
Hello,

Adding an input device with a malicious name can trigger a format
string flaw in Xorg's logging subsystem. For builds of Xorg lacking
-D_FORTIFY_SOURCE=2 (or 32-bit systems lacking the fix to fortify[1])
this can lead to arbitrary code execution as the Xorg user, usually
root. When built with fortify, this is a denial of service, since Xorg
will abort.

Proposed solution patch series can be found here:
    1/4 http://patchwork.freedesktop.org/patch/10000/
    2/4 http://patchwork.freedesktop.org/patch/9998/
    3/4 http://patchwork.freedesktop.org/patch/9999/
    4/4 http://patchwork.freedesktop.org/patch/10001/

-Kees

[1] http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e
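The pattern Kees describes, as an added illustration that is not part of the report or of Xorg's own code: a varargs logger (hypothetical log_message(), standing in for Xorg's LogVMessageVerb) fed the device name as its format string, beside the hardened call that passes the name through "%s".

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a varargs logging routine: formats into 'out'
 * and returns what vsnprintf returns. The format attribute lets the compiler
 * warn (-Wformat-security) when a non-literal format reaches it. */
int log_message(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

int log_message(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern (CWE-134): the device name, which an attacker controls,
 * is used AS the format string. A name containing %s/%n directives makes
 * vsnprintf read (and with %n write) memory it was never given; with
 * -D_FORTIFY_SOURCE=2 glibc instead aborts on %n in a non-constant format,
 * which is the denial of service the report describes. Kept for contrast;
 * only ever called here with a constructed, directive-free name. */
int log_new_device_unsafe(char *out, size_t outlen, const char *name)
{
    return log_message(out, outlen, name);
}

/* Hardened form: the format is a string literal and the name is an argument,
 * so any '%' in the name is copied verbatim instead of being interpreted. */
int log_new_device_safe(char *out, size_t outlen, const char *name)
{
    return log_message(out, outlen, "New input device: %s", name);
}

/* Review aid for log or udev data: a device name carrying a '%' is worth
 * flagging, since a correct logger never interprets it. Returns 1 if found. */
int name_has_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

int main(void)
{
    char buf[128];
    const char *hostile = "Keyboard %s%s%n";   /* constructed sample name */
    log_new_device_safe(buf, sizeof buf, hostile);
    printf("%s (flagged=%d)\n", buf, name_has_format_directive(hostile));
    return 0;
}
```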
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-19 08:08:07 UTC
In Gentoo the effect should be a DoS, but the format string issue could exist on systems where a user has disabled fortify.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-05-20 23:33:13 UTC
CVE-2012-2118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2118):
  Format string vulnerability in the LogVHdrMessageVerb function in os/log.c
  in X.Org X11 1.11 allows attackers to cause a denial of service or possibly
  execute arbitrary code via format string specifiers in an input device name.
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-05-22 23:24:33 UTC
This is now fixed in xorg-server-1.12.1.902. However, I don't think that version is ready to go stable yet.
Upstream patch does not apply to xorg-server-1.11 and older.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-05-23 03:05:56 UTC
Makes sense, thank you. Since xorg-server-1.12.1.902 is already ~arch, can we stabilize in say two weeks?
Comment 5 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-05-23 15:30:38 UTC
From Launchpad #996250 I took the patch for xorg-server-1.11 and added it to the xorg-server-1.11.4-r1 ebuild. That version should be better suited for stable right now.

The patch looks correct to me. However, I do not have the means to test whether it actually fixes the problem. Also neither upstream nor any other distribution applied this patch yet, which makes me a bit uncomfortable.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-05-25 03:08:28 UTC
Ok, thanks. Is 1.11.4-r1 going to get much testing since there are higher versions at ~arch? I think we can wait a bit for testing, if it will actually get tested.
Comment 7 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-06-02 12:30:03 UTC
Adjusting severity per comment #1 (local privilege escalation in specific configurations).

Arches, please stabilize:

x11-base/xorg-server-1.11.4-r1
x11-base/xorg-server-1.10.6-r1

Target keywords: alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc x86 ~x86-fbsd
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-02 17:47:51 UTC
Would this require a net-misc/tigervnc bump or perhaps just an RDEPEND adjustment?
Comment 9 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-06-03 12:34:42 UTC
(In reply to comment #8)
It is not strictly needed, as tigervnc depends on xorg-server, not the other way round.
It is correct that this would make tigervnc users miss out on the security update though. Un-CC'ing arches until bug 418193 is fixed.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-06-03 22:38:13 UTC
Bug 418193 has been resolved. Readding arches (and armin76 and x11).
Comment 11 Agostino Sarubbo gentoo-dev 2012-06-04 08:41:42 UTC
amd64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-06 04:23:38 UTC
Stable for HPPA.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2012-06-06 14:52:02 UTC
ppc64 done
Comment 14 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-06-08 12:07:56 UTC
x86 stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2012-06-08 17:54:30 UTC
ppc done
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2012-06-09 18:44:46 UTC
alpha/arm/ia64/sh/sparc stable
Comment 17 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-06-09 20:11:47 UTC
Vulnerable versions have been removed from the tree.

xorg-server-1.9 is not affected by this issue.
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 15:41:42 UTC
Thanks, folks. GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 22:23:58 UTC
This issue was resolved and addressed in
 GLSA 201207-04 at http://security.gentoo.org/glsa/glsa-201207-04.xml
by GLSA coordinator Sean Amoss (ackle).