Bug 611350 (CVE-2017-2624) - <x11-base/xorg-server-1.19.2: timing attack against MIT Cookie
Summary: <x11-base/xorg-server-1.19.2: timing attack against MIT Cookie
Status: RESOLVED FIXED
Alias: CVE-2017-2624
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://www.x41-dsec.de/lab/advisorie...
Whiteboard: A1 [glsa cve cleanup]
Depends on: 582406 611056 611712 CVE-2017-13721, CVE-2017-13723
Blocks: CVE-2013-6424
Reported: 2017-03-01 23:54 UTC by Thomas Deutschmann
Modified: 2017-10-29 19:44 UTC
Package list:
=x11-base/xorg-server-1.19.2
Runtime testing required: ---
Description Thomas Deutschmann gentoo-dev Security 2017-03-01 23:54:49 UTC
Vulnerabilities in xorg (server, libXdmcp, libICE) were recently
reported by Eric Sesterhenn of X41, and assigned CVEs by Red Hat.


> CVE-2017-2624 xorg-x11-server: timing attack against MIT Cookie

mitauth.c uses memcmp() to check the validity of MIT cookies, exposing a
possible timing attack on some platforms.

https://bugzilla.redhat.com/show_bug.cgi?id=1424984
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856398
https://bugzilla.novell.com/show_bug.cgi?id=1025029


> CVE-2017-2625 libXdmcp: weak entropy usage for session keys

In the absence of arc4random(), xdmcp session keys are generated based
on getpid() and time(), which may allow a local attacker to brute-force
the key.

https://bugzilla.redhat.com/show_bug.cgi?id=1424987
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856399
https://bugzilla.novell.com/show_bug.cgi?id=1025046


> CVE-2017-2626 libICE: weak entropy usage in session keys

In the absence of arc4random(), the Inter-Client Exchange session keys
are generated based on gettimeofday(), which may allow a local attacker
to brute-force the key.

https://bugzilla.redhat.com/show_bug.cgi?id=1424992
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856400
https://bugzilla.novell.com/show_bug.cgi?id=1025068


The first issue is mitigated with recent glibc's memcmp, particularly
with -D_FORTIFY_SOURCE=2, and the other two by providing an
implementation of arc4random at compile time, such as libbsd.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-03-02 00:00:42 UTC
Splitting into multiple bugs.

From $URL:

X41 was not able to measure a significant difference using the optimised memcmp() version of a standard Linux system, but for a naive implementation consisting of a loop comparing the bytes. Since timing attacks against memcmp() have been successful in the past and fixed elsewhere X41 would consider this an issue. If this would be exploited, it would allow a local attacker to run code in the Xorg session of another user.

In order to prevent this, MIT-COOKIES should be removed or a memcmp() similar to timingsafe_memcmp() used. Other projects (e.g. openssl) use timing safe memcmp() implementations to compare cookies retrieved via the network.
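As an added illustration of the difference the advisory draws between an early-exit byte compare and a timingsafe_memcmp()-style compare (this is example code, not from the xorg-server tree or the X41 advisory; the cookie values are constructed and the function names are hypothetical, with 16-byte cookies as in MIT-MAGIC-COOKIE-1):

```c
#include <stddef.h>
#include <stdint.h>

#define COOKIE_LEN 16  /* MIT-MAGIC-COOKIE-1 cookies are 128 bits (16 bytes) */

/* Constructed sample cookies; not values taken from any real server. */
static const uint8_t kServerCookie[COOKIE_LEN] =
    {0x4a,0x1f,0x90,0x3c,0x7e,0x21,0xd5,0x08,0xb6,0x5d,0xe2,0x19,0x77,0xa4,0x0b,0xc3};
static const uint8_t kClientGood[COOKIE_LEN] =
    {0x4a,0x1f,0x90,0x3c,0x7e,0x21,0xd5,0x08,0xb6,0x5d,0xe2,0x19,0x77,0xa4,0x0b,0xc3};
static const uint8_t kClientBadFirst[COOKIE_LEN] =
    {0x00,0x1f,0x90,0x3c,0x7e,0x21,0xd5,0x08,0xb6,0x5d,0xe2,0x19,0x77,0xa4,0x0b,0xc3};
static const uint8_t kClientBadLast[COOKIE_LEN] =
    {0x4a,0x1f,0x90,0x3c,0x7e,0x21,0xd5,0x08,0xb6,0x5d,0xe2,0x19,0x77,0xa4,0x0b,0x00};

/* The pattern the advisory warns about: a byte loop (or a naive memcmp) that
 * returns at the first mismatch. kClientBadFirst is rejected after one byte,
 * kClientBadLast only after sixteen, so response time depends on how many
 * leading bytes matched. */
int naive_cookie_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i])
            return 0;  /* data-dependent early exit */
    return 1;
}

/* timingsafe_memcmp()-style comparison: every byte is always visited and the
 * differences are OR-accumulated, so the work done is identical whether the
 * inputs differ in byte 0, in byte 15, or not at all. */
int timingsafe_cookie_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    volatile uint8_t diff = 0;  /* volatile: discourage compiler short-circuiting */
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* Map diff == 0 to 1 and diff != 0 to 0 without branching on the secret. */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Server-side check: the length is public (the client sends it), so rejecting
 * a wrong length up front leaks nothing; the content compare is constant-time. */
int check_mit_cookie(const uint8_t *presented, size_t presented_len,
                     const uint8_t *expected)
{
    if (presented_len != COOKIE_LEN)
        return 0;
    return timingsafe_cookie_equal(presented, expected, COOKIE_LEN);
}
```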
Comment 2 Matt Turner gentoo-dev 2017-03-02 19:40:14 UTC
xorg-server-1.19.2 will be released today with the fix. We should stabilize it.

I'm not sure what I would like to do for older xorg-server versions.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-03-03 16:10:05 UTC
Upstream's changelog: https://lists.x.org/archives/xorg-announce/2017-March/002779.html

Ebuild already in repository.

@ Maintainer(s): Can we already start stabilization?
Comment 4 Matt Turner gentoo-dev 2017-03-04 16:13:05 UTC
Stabilization will be handled in bug 611056.
Comment 5 Matt Turner gentoo-dev 2017-03-15 19:59:55 UTC
I have removed ati-drivers from the tree (bug 582406), which has now allowed me to remove xorg-server-1.17.

Removal of xorg-server-1.18 is blocked on bug 611712.

xorg-server 1.12 and 1.15 are only in the tree to support ancient versions of nvidia-drivers, which are themselves masked because of unfixed security vulnerabilities. I think it's appropriate to mask them for the same reason.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-03-18 13:16:52 UTC
Added to an existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-04-10 21:35:41 UTC
This issue was resolved and addressed in GLSA 201704-03 at https://security.gentoo.org/glsa/201704-03 by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-25 05:23:13 UTC
This was never cleaned up before closing.
Can we please revisit the cleanup stage of this and drop <x11-base/xorg-server-1.19.2?
Comment 9 Matt Turner gentoo-dev 2017-05-25 06:26:49 UTC
(In reply to Yury German from comment #8)
> This was never cleaned up before closing.
> Can we please revisit the cleanup stage of this and drop
> <x11-base/xorg-server-1.19.2?

Still waiting on bug 614308...
Comment 10 Matt Turner gentoo-dev 2017-10-21 01:19:55 UTC
1.18 is now gone from the tree, and versions <1.19.2 are now package.mask'd. Please proceed.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-22 00:35:47 UTC
(In reply to Matt Turner from comment #10)
> 1.18 is now gone from the tree, and versions <1.19.2 are now package.mask'd.
> Please proceed.

Still have to hold, but thank you for masking.  Once dropped we can close.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 19:44:49 UTC
This issue was resolved and addressed in GLSA 201710-30 at https://security.gentoo.org/glsa/201710-30 by GLSA coordinator Aaron Bauman (b-man).