X.Org Security Advisory: Dec. 9, 2014
Protocol handling issues in X Window System servers
===================================================

Description:
============

Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way the X server code base handles requests from X clients, and has worked with X.Org's security team to analyze, confirm, and fix these issues. Ilja's talk at the 30th Chaos Communication Congress (30C3) in Hamburg last year ("X Security: it's worse than it looks") gave a preview of these issues and discussed the general form of many of these, but did not disclose the exact details of them.

The vulnerabilities could be exploited to cause the X server to access uninitialized memory or overwrite arbitrary memory in the X server process. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution.

How critical these vulnerabilities are to any given installation depends on whether they run an X server with root privileges or reduced privileges; whether they run X servers exposed to network clients or limited to local connections; and whether or not they allow use of the affected protocol extensions, especially the GLX extension.

The GLX extension to the X Window System allows an X client to send X protocol to the X server, to request that the X server perform OpenGL rendering on behalf of the X client. This is known as "GLX indirect rendering", as opposed to "GLX direct rendering" where the X client submits OpenGL rendering commands directly to the GPU, bypassing the X server and avoiding the X server code for GLX protocol handling.

Most GLX indirect rendering implementations share some common ancestry, dating back to "Sample Implementation" code from Silicon Graphics, Inc (SGI), which SGI originally commercially licensed to other Unix workstation and graphics vendors, and later released as open source, so those vulnerabilities may affect other licensees of SGI's code base beyond those running code from the X.Org Foundation or the XFree86 Project.

The vulnerabilities include:

- denial of service due to unchecked malloc in client authentication

  CVE-2014-8091: In servers built with support for SUN-DES-1 (Secure RPC) authentication credentials, an unauthenticated client may be able to crash the X server by sending a connection request specifying values that cause malloc to fail, causing the authentication routines to attempt to write data to the returned NULL pointer. Since the request is limited to an unsigned 16-bit integer for the allocation size, it is unlikely to fail unless the server is severely memory constrained.

  Introduced in the initial revision of Secure RPC support in X11R5 (1991).

- integer overflows calculating memory needs for requests

  These calls do not check that their calculations for how much memory is needed to handle the client's request have not overflowed, so can result in out of bounds reads or writes. These calls all occur only after a client has successfully authenticated itself.

  * CVE-2014-8092: X11 core protocol requests
    Affected functions: ProcPutImage(), GetHosts(), RegionSizeof(), REQUEST_FIXED_SIZE()
    Introduced in X11R1 (1987).

  * CVE-2014-8093: GLX extension
    Affected functions: __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(), __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(), GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(), GetMinmax(), GetColorTable(), __glXGetAnswerBuffer(), __GLX_GET_ANSWER_BUFFER(), __glXMap1dReqSize(), __glXMap1fReqSize(), Map2Size(), __glXMap2dReqSize(), __glXMap2fReqSize(), __glXImageSize(), __glXSeparableFilter2DReqSize()
    Originally developed by SGI and licensed to multiple vendors prior to SGI open sourcing the code in 1999. Included in XFree86 releases starting in XFree86 4.0 (2000). Included in X.Org releases starting in X11R6.7 (2004).

  * CVE-2014-8094: DRI2 extension
    Affected functions: ProcDRI2GetBuffers()
    Introduced in xorg-server-1.7.0 (2009).

- out of bounds access due to not validating length or offset values in requests

  These calls do not check that the lengths and/or indexes sent by the client are within the bounds specified by the caller or the bounds of the memory allocated to hold the request read from the client, so could read or write past the bounds of allocated memory while processing the request. These calls all occur only after a client has successfully authenticated itself.

  * CVE-2014-8095: XInput extension
    Affected functions: SProcXChangeDeviceControl(), ProcXChangeDeviceControl(), ProcXChangeFeedbackControl(), ProcXSendExtensionEvent(), SProcXIAllowEvents(), SProcXIChangeCursor(), ProcXIChangeHierarchy(), SProcXIGetClientPointer(), SProcXIGrabDevice(), SProcXIUngrabDevice(), ProcXIUngrabDevice(), SProcXIPassiveGrabDevice(), ProcXIPassiveGrabDevice(), SProcXIPassiveUngrabDevice(), ProcXIPassiveUngrabDevice(), SProcXListDeviceProperties(), SProcXDeleteDeviceProperty(), SProcXIListProperties(), SProcXIDeleteProperty(), SProcXIGetProperty(), SProcXIQueryDevice(), SProcXIQueryPointer(), SProcXISelectEvents(), SProcXISetClientPointer(), SProcXISetFocus(), SProcXIGetFocus(), SProcXIWarpPointer()
    Introduced in X11R4 (1989).

  * CVE-2014-8096: XC-MISC extension
    Affected functions: SProcXCMiscGetXIDList()
    Introduced in X11R6.0 (1994).

  * CVE-2014-8097: DBE extension
    Affected functions: ProcDbeSwapBuffers(), SProcDbeSwapBuffers()
    Introduced in X11R6.1 (1996).

  * CVE-2014-8098: GLX extension
    Affected functions: __glXDisp_Render(), __glXDisp_RenderLarge(), __glXDispSwap_VendorPrivate(), __glXDispSwap_VendorPrivateWithReply(), set_client_info(), __glXDispSwap_SetClientInfoARB(), DoSwapInterval(), DoGetProgramString(), DoGetString(), __glXDispSwap_RenderMode(), __glXDisp_GetCompressedTexImage(), __glXDispSwap_GetCompressedTexImage(), __glXDisp_FeedbackBuffer(), __glXDispSwap_FeedbackBuffer(), __glXDisp_SelectBuffer(), __glXDispSwap_SelectBuffer(), __glXDisp_Flush(), __glXDispSwap_Flush(), __glXDisp_Finish(), __glXDispSwap_Finish(), __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(), __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(), __glXDisp_GetPolygonStipple(), __glXDispSwap_GetPolygonStipple(), __glXDisp_GetSeparableFilter(), __glXDisp_GetSeparableFilterEXT(), __glXDisp_GetConvolutionFilter(), __glXDisp_GetConvolutionFilterEXT(), __glXDisp_GetHistogram(), __glXDisp_GetHistogramEXT(), __glXDisp_GetMinmax(), __glXDisp_GetMinmaxEXT(), __glXDisp_GetColorTable(), __glXDisp_GetColorTableSGI(), GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(), GetMinmax(), GetColorTable()
    Originally developed by SGI and licensed to multiple vendors prior to SGI open sourcing the code in 1999. Included in XFree86 releases starting in XFree86 4.0 (2000). Included in X.Org releases starting in X11R6.7 (2004).

  * CVE-2014-8099: XVideo extension
    Affected functions: SProcXvQueryExtension(), SProcXvQueryAdaptors(), SProcXvQueryEncodings(), SProcXvGrabPort(), SProcXvUngrabPort(), SProcXvPutVideo(), SProcXvPutStill(), SProcXvGetVideo(), SProcXvGetStill(), SProcXvPutImage(), SProcXvShmPutImage(), SProcXvSelectVideoNotify(), SProcXvSelectPortNotify(), SProcXvStopVideo(), SProcXvSetPortAttribute(), SProcXvGetPortAttribute(), SProcXvQueryBestSize(), SProcXvQueryPortAttributes(), SProcXvQueryImageAttributes(), SProcXvListImageFormats()
    Introduced in XFree86 4.0.0 (2000). Included in X.Org releases starting in X11R6.7 (2004).

  * CVE-2014-8100: Render extension
    Affected functions: ProcRenderQueryVersion(), SProcRenderQueryVersion(), SProcRenderQueryPictFormats(), SProcRenderQueryPictIndexValues(), SProcRenderCreatePicture(), SProcRenderChangePicture(), SProcRenderSetPictureClipRectangles(), SProcRenderFreePicture(), SProcRenderComposite(), SProcRenderScale(), SProcRenderCreateGlyphSet(), SProcRenderReferenceGlyphSet(), SProcRenderFreeGlyphSet(), SProcRenderFreeGlyphs(), SProcRenderCompositeGlyphs()
    Introduced in XFree86 4.0.1 (2000). Included in X.Org releases starting in X11R6.7 (2004).

  * CVE-2014-8101: RandR extension
    Affected functions: SProcRRQueryVersion(), SProcRRGetScreenInfo(), SProcRRSelectInput(), SProcRRConfigureOutputProperty()
    Introduced in XFree86 4.2.0 (2002). Included in X.Org releases starting in X11R6.7 (2004).

  * CVE-2014-8102: XFixes extension
    Affected functions: SProcXFixesSelectSelectionInput()
    Introduced in X11R6.8.0 (2004).

  * CVE-2014-8103: DRI3 & Present extensions
    Affected functions: sproc_dri3_query_version(), sproc_dri3_open(), sproc_dri3_pixmap_from_buffer(), sproc_dri3_buffer_from_pixmap(), sproc_dri3_fence_from_fd(), sproc_dri3_fd_from_fence(), proc_present_query_capabilities(), sproc_present_query_version(), sproc_present_pixmap(), sproc_present_notify_msc(), sproc_present_select_input(), sproc_present_query_capabilities()
    Introduced in xorg-server-1.15.0 (2013).

Affected Versions
=================

X.Org believes all versions of the affected functions contain these flaws, dating back to their introduction. In the above listings, we've listed the earliest date of any of the affected functions in a given protocol or area - some functions listed may not have been introduced until later versions.

Fixes
=====

Fixes are available in git commits and patches which will be listed on http://www.x.org/wiki/Development/Security/Advisory-2014-12-09 when this advisory is released. Fixes are also planned to be included in the xorg-server-1.17.0 and xorg-server-1.16.3 releases.

Other providers of Xserver or GLX implementations based on the same code base (the X Consortium or X.Org Foundation X sources, or the SGI GLX sources) will announce the availability of any fixes necessary for their implementations.

Mitigation
==========

While the fixes cover all the cases currently known to X.Org, these are not the first issues in this area and are unlikely to be the last. Users can reduce their exposure to issues similar to the ones in this advisory via these methods:

* Configure the X server to prohibit X connections from the network by passing the "-nolisten tcp" command line option to the X server. Many OS distributions already set this option by default, and it will be set by default in the upstream X.Org release starting with Xorg 1.17.

* Disable GLX indirect contexts. Some implementations have a configuration option for this. In Xorg 1.16 or newer, this can be achieved by setting the '-iglx' X server command line option. This option will be the default in Xorg 1.17 and later releases.

Consult your operating system's documentation for details on setting X server command line options, as X servers are started by a variety of different methods on different platforms (startx, gdm, kdm, xdm, etc.).

Thanks
======

X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our security team and assisting them in understanding them and evaluating our fixes, and the following X.Org contributors for developing and reviewing the fixes, tests, and advisory for these issues, and coordinating the X.Org response to them:

  Adam Jackson (Red Hat)
  Alan Coopersmith (Oracle)
  Andy Ritger (NVIDIA)
  Julien Cristau (Debian)
  Keith Packard (Intel)
  Michal Srb (SuSE)
  Peter Hutterer (Red Hat)
  Robert Morell (NVIDIA)
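The two defect classes the advisory describes, size arithmetic that can wrap (the integer-overflow CVEs) and SProc* byte-swap handlers that read request fields before checking the declared length (the out-of-bounds CVEs), as a constructed defensive example in C added to this page. It is not X server code: xReqHeader, xDemoImageReq, image_bytes, request_length_matches and sproc_demo_image are hypothetical names modelled on the advisory's descriptions, and only the 4-byte header with a length counted in 4-byte units follows the real protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of X request handling (not X server code).
 * Every request starts with a 4-byte header whose `length` counts the whole
 * request in 4-byte units, in the client's byte order. */
typedef struct { uint8_t reqType; uint8_t pad; uint16_t length; } xReqHeader;

/* Hypothetical fixed-size request carrying image geometry (16 bytes). */
typedef struct { xReqHeader hdr; uint32_t width, height, bytesPerPixel; } xDemoImageReq;

enum { Success = 0, BadAlloc = 11, BadLength = 16 };

static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }
static uint32_t swap32(uint32_t v)
{
    return (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24);
}

/* width*height*bpp with every multiplication checked; returns 0 on overflow.
 * The CVE-2014-8092/8093/8094 pattern was this arithmetic unchecked: a wrapped
 * result gives a small allocation that is then filled from a large request. */
static int image_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0) { *out = 0; return 1; }
    if (width > SIZE_MAX / height) return 0;
    size_t area = (size_t)width * height;
    if (area > SIZE_MAX / bpp) return 0;
    *out = area * bpp;
    return 1;
}

/* REQUEST_FIXED_SIZE-style check: declared length (4-byte units) must equal
 * the fixed struct plus `extra` payload bytes rounded up to 4.  The addition
 * is guarded first, so a huge client-derived `extra` cannot wrap to a small sum. */
static int request_length_matches(uint32_t req_len_units, size_t fixed, size_t extra)
{
    if (extra > SIZE_MAX - fixed - 3) return 0;
    return ((fixed + extra + 3) >> 2) == req_len_units;
}

/* SProc-style handler for a byte-swapped client.  The CVE-2014-8095..8103 class
 * swapped (i.e. read) every field before checking the client had sent that many
 * bytes; here the length is validated against bytes received and struct size first. */
static int sproc_demo_image(const uint8_t *buf, size_t received, size_t *image_size_out)
{
    xReqHeader hdr;
    if (received < sizeof hdr) return BadLength;
    memcpy(&hdr, buf, sizeof hdr);
    uint32_t req_len = swap16(hdr.length);           /* only the header has been read */
    if ((size_t)req_len * 4 != received) return BadLength;
    if (!request_length_matches(req_len, sizeof(xDemoImageReq), 0)) return BadLength;
    xDemoImageReq req;                               /* safe: exactly sizeof req bytes arrived */
    memcpy(&req, buf, sizeof req);
    uint32_t w = swap32(req.width), h = swap32(req.height), bpp = swap32(req.bytesPerPixel);
    if (!image_bytes(w, h, bpp, image_size_out)) return BadAlloc;  /* refuse, never allocate a wrapped size */
    return Success;
}

/* Helper: encode a request as a client of the opposite byte order would send it. */
static size_t build_swapped_request(uint8_t *buf, uint16_t len_units,
                                    uint32_t w, uint32_t h, uint32_t bpp)
{
    xDemoImageReq req = { { 1, 0, swap16(len_units) }, swap32(w), swap32(h), swap32(bpp) };
    memcpy(buf, &req, sizeof req);
    return sizeof req;
}
```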
*xorg-server-1.16.2.901 (09 Dec 2014)

  09 Dec 2014; Rémi Cardona <remi@gentoo.org> +xorg-server-1.16.2.901.ebuild:
  Bump to 1.16.2.901 (without Michał's eselect-opengl overhaul).

This fixes all the referenced CVEs in the summary.
(In reply to Rémi Cardona from comment #1)
> *xorg-server-1.16.2.901 (09 Dec 2014)
>
>   09 Dec 2014; Rémi Cardona <remi@gentoo.org> +xorg-server-1.16.2.901.ebuild:
>   Bump to 1.16.2.901 (without Michał's eselect-opengl overhaul).
>
> This fixes all the referenced CVEs in the summary.

Hi. I just synced portage and it seems I cannot install this package.

eselect-opengl-1.2.7 is the only visible version of that package (via package.mask). However eselect-opengl-1.2.7 blocks this package:

  RDEPEND=">=app-admin/eselect-1.2.4
    !<media-libs/mesa-8.0.3-r1
    !<x11-proto/glproto-1.4.15-r1
    !=media-libs/mesa-10.3.4-r1
    !>=media-libs/mesa-10.3.5-r1
    !>=x11-proto/glproto-1.4.17-r1
    !>=x11-base/xorg-server-1.16.2-r1"    <----- here

This is in the ~amd64 branch. I am unsure how to proceed.
(In reply to Albert W. Hopkins from comment #2)
> Hi. I just synced portage and it seems I cannot install this package.
>
> eselect-opengl-1.2.7 is the only visible version of that package (via
> package.mask). However eselect-opengl-1.2.7 blocks this package:

The blocker has been relaxed by Patrick in portage. Sync again; it should work.

Sorry for the hasty bump.
CVE-2014-8103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8103): X.Org Server (aka xserver and xorg-server) 1.15.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) sproc_dri3_query_version, (2) sproc_dri3_open, (3) sproc_dri3_pixmap_from_buffer, (4) sproc_dri3_buffer_from_pixmap, (5) sproc_dri3_fence_from_fd, (6) sproc_dri3_fd_from_fence, (7) proc_present_query_capabilities, (8) sproc_present_query_version, (9) sproc_present_pixmap, (10) sproc_present_notify_msc, (11) sproc_present_select_input, or (12) sproc_present_query_capabilities function in the (a) DRI3 or (b) Present extension.

CVE-2014-8102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8102): The SProcXFixesSelectSelectionInput function in the XFixes extension in X.Org X Window System (aka X11 or X) X11R6.8.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length value.

CVE-2014-8101 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8101): The RandR extension in XFree86 4.2.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcRRQueryVersion, (2) SProcRRGetScreenInfo, (3) SProcRRSelectInput, or (4) SProcRRConfigureOutputProperty function.
CVE-2014-8100 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8100): The Render extension in XFree86 4.0.1, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcRenderQueryVersion, (2) SProcRenderQueryVersion, (3) SProcRenderQueryPictFormats, (4) SProcRenderQueryPictIndexValues, (5) SProcRenderCreatePicture, (6) SProcRenderChangePicture, (7) SProcRenderSetPictureClipRectangles, (8) SProcRenderFreePicture, (9) SProcRenderComposite, (10) SProcRenderScale, (11) SProcRenderCreateGlyphSet, (12) SProcRenderReferenceGlyphSet, (13) SProcRenderFreeGlyphSet, (14) SProcRenderFreeGlyphs, or (15) SProcRenderCompositeGlyphs function.

CVE-2014-8099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8099): The XVideo extension in XFree86 4.0.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXvQueryExtension, (2) SProcXvQueryAdaptors, (3) SProcXvQueryEncodings, (4) SProcXvGrabPort, (5) SProcXvUngrabPort, (6) SProcXvPutVideo, (7) SProcXvPutStill, (8) SProcXvGetVideo, (9) SProcXvGetStill, (10) SProcXvPutImage, (11) SProcXvShmPutImage, (12) SProcXvSelectVideoNotify, (13) SProcXvSelectPortNotify, (14) SProcXvStopVideo, (15) SProcXvSetPortAttribute, (16) SProcXvGetPortAttribute, (17) SProcXvQueryBestSize, (18) SProcXvQueryPortAttributes, (19) SProcXvQueryImageAttributes, or (20) SProcXvListImageFormats function.
CVE-2014-8098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8098): The GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) __glXDisp_Render, (2) __glXDisp_RenderLarge, (3) __glXDispSwap_VendorPrivate, (4) __glXDispSwap_VendorPrivateWithReply, (5) set_client_info, (6) __glXDispSwap_SetClientInfoARB, (7) DoSwapInterval, (8) DoGetProgramString, (9) DoGetString, (10) __glXDispSwap_RenderMode, (11) __glXDisp_GetCompressedTexImage, (12) __glXDispSwap_GetCompressedTexImage, (13) __glXDisp_FeedbackBuffer, (14) __glXDispSwap_FeedbackBuffer, (15) __glXDisp_SelectBuffer, (16) __glXDispSwap_SelectBuffer, (17) __glXDisp_Flush, (18) __glXDispSwap_Flush, (19) __glXDisp_Finish, (20) __glXDispSwap_Finish, (21) __glXDisp_ReadPixels, (22) __glXDispSwap_ReadPixels, (23) __glXDisp_GetTexImage, (24) __glXDispSwap_GetTexImage, (25) __glXDisp_GetPolygonStipple, (26) __glXDispSwap_GetPolygonStipple, (27) __glXDisp_GetSeparableFilter, (28) __glXDisp_GetSeparableFilterEXT, (29) __glXDisp_GetConvolutionFilter, (30) __glXDisp_GetConvolutionFilterEXT, (31) __glXDisp_GetHistogram, (32) __glXDisp_GetHistogramEXT, (33) __glXDisp_GetMinmax, (34) __glXDisp_GetMinmaxEXT, (35) __glXDisp_GetColorTable, (36) __glXDisp_GetColorTableSGI, (37) GetSeparableFilter, (38) GetConvolutionFilter, (39) GetHistogram, (40) GetMinmax, or (41) GetColorTable function. 
CVE-2014-8097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8097): The DBE extension in X.Org X Window System (aka X11 or X) X11R6.1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcDbeSwapBuffers or (2) SProcDbeSwapBuffers function.

CVE-2014-8096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8096): The SProcXCMiscGetXIDList function in the XC-MISC extension in X.Org X Window System (aka X11 or X) X11R6.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value.

CVE-2014-8095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8095): The XInput extension in X.Org X Window System (aka X11 or X) X11R4 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXChangeDeviceControl, (2) ProcXChangeDeviceControl, (3) ProcXChangeFeedbackControl, (4) ProcXSendExtensionEvent, (5) SProcXIAllowEvents, (6) SProcXIChangeCursor, (7) ProcXIChangeHierarchy, (8) SProcXIGetClientPointer, (9) SProcXIGrabDevice, (10) SProcXIUngrabDevice, (11) ProcXIUngrabDevice, (12) SProcXIPassiveGrabDevice, (13) ProcXIPassiveGrabDevice, (14) SProcXIPassiveUngrabDevice, (15) ProcXIPassiveUngrabDevice, (16) SProcXListDeviceProperties, (17) SProcXDeleteDeviceProperty, (18) SProcXIListProperties, (19) SProcXIDeleteProperty, (20) SProcXIGetProperty, (21) SProcXIQueryDevice, (22) SProcXIQueryPointer, (23) SProcXISelectEvents, (24) SProcXISetClientPointer, (25) SProcXISetFocus, (26) SProcXIGetFocus, or (27) SProcXIWarpPointer function.
CVE-2014-8094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8094): Integer overflow in the ProcDRI2GetBuffers function in the DRI2 extension in X.Org Server (aka xserver and xorg-server) 1.7.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, which triggers an out-of-bounds read or write.

CVE-2014-8093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8093): Multiple integer overflows in the GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) __glXDisp_ReadPixels, (2) __glXDispSwap_ReadPixels, (3) __glXDisp_GetTexImage, (4) __glXDispSwap_GetTexImage, (5) GetSeparableFilter, (6) GetConvolutionFilter, (7) GetHistogram, (8) GetMinmax, (9) GetColorTable, (10) __glXGetAnswerBuffer, (11) __GLX_GET_ANSWER_BUFFER, (12) __glXMap1dReqSize, (13) __glXMap1fReqSize, (14) Map2Size, (15) __glXMap2dReqSize, (16) __glXMap2fReqSize, (17) __glXImageSize, or (18) __glXSeparableFilter2DReqSize function, which triggers an out-of-bounds read or write.

CVE-2014-8092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8092): Multiple integer overflows in X.Org X Window System (aka X11 or X) X11R1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) ProcPutImage, (2) GetHosts, (3) RegionSizeof, or (4) REQUEST_FIXED_SIZE function, which triggers an out-of-bounds read or write.
CVE-2014-8091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8091): X.Org X Window System (aka X11 and X) X11R5 and X.Org Server (aka xserver and xorg-server) before 1.16.3, when using SUN-DES-1 (Secure RPC) authentication credentials, does not check the return value of a malloc call, which allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a crafted connection request.
x11-base/xorg-server-1.12.4-r3 and x11-base/xorg-server-1.15.2-r1 have been committed to the tree.
Arches, please stabilize x11-base/xorg-server-1.12.4-r3 and x11-base/xorg-server-1.15.2-r1.
amd64 stable
x86 done.
Stable for HPPA.
sparc stable
ppc64 stable
ppc stable
ia64 stable
arm stable
alpha stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Vulnerable versions >=1.15.0 have been dropped, vulnerable versions before 1.15.0 have been lastrited and package.mask'ed.
In the future, please follow the Whiteboard in the GLSA Coordinator Guide; there is a reason for the "glsa?": it lets Security know that action needs to be taken. In this case, file a GLSA. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201504-06 at https://security.gentoo.org/glsa/201504-06 by GLSA coordinator Sergey Popov (pinkbyte).