diff --git a/libX11.changes b/libX11.changes
index 7e58644..6e64cf8 100644
--- a/libX11.changes
+++ b/libX11.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Aug 20 12:15:47 UTC 2018 - sndirsch@suse.com
+
+- u_off-by-one-write-in-XListExtensions.patch
+ * fixes off-by-one write in XListExtensions (bsc#1102062, CVE-2018-14599)
+- u_out-of-boundary-write-in-XListExtensions.patch
+ * fixes out of boundary write in XListExtensions (bsc#1102068, CVE-2018-14600)
+- u_crash-on-invalid-reply-in-XListExtensions.patch
+ * crash on invalid reply in XListExtensions (bsc#1102073, CVE-2018-14598)
+
 -------------------------------------------------------------------
 Thu Mar 15 09:01:19 UTC 2018 - msrb@suse.com
diff --git a/libX11.spec b/libX11.spec
index 48f4111..b1aea0a 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -36,6 +36,12 @@ Patch9: p_xlib_skip_ext_env.diff
 Patch15: en-locales.diff
 # PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8.
 Patch16: u_Use-flexible-array-member-instead-of-fake-size.patch
+# CVE-2018-14599
+Patch1102062: u_off-by-one-write-in-XListExtensions.patch
+# CVE-2018-14600
+Patch1102068: u_out-of-boundary-write-in-XListExtensions.patch
+# CVE-2018-14598
+Patch1102073: u_crash-on-invalid-reply-in-XListExtensions.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: autoconf >= 2.60
@@ -145,6 +151,9 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
 %patch9 -p0
 %patch15 -p0
 %patch16 -p1
+%patch1102062 -p1
+%patch1102068 -p1
+%patch1102073 -p1
 %build
 # Got patches which change auto*files
diff --git a/u_crash-on-invalid-reply-in-XListExtensions.patch b/u_crash-on-invalid-reply-in-XListExtensions.patch
new file mode 100644
index 0000000..0ae9185
--- /dev/null
+++ b/u_crash-on-invalid-reply-in-XListExtensions.patch
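Review bot: The three new `# CVE-…` comment lines above `Patch1102062`, `Patch1102068` and `Patch1102073` do not follow the tagging convention the file already uses on the line directly above them, `# PATCH-FIX-UPSTREAM <patch> -- <reason>`, so the new entries look different from the existing ones and carry less information (no bug reference, no one-line reason). Keeping the convention would give e.g. `# PATCH-FIX-UPSTREAM u_off-by-one-write-in-XListExtensions.patch bsc#1102062 CVE-2018-14599 -- off-by-one write in XListExtensions` for each of the three. The `%patch` application order in the second hunk (1102062, 1102068, 1102073) matches the blob chain in the three patches' inner `index` lines, so the order itself is consistent and should be kept when the comments are reworked.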
@@ -0,0 +1,46 @@
+From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
+From: Stefan Dirsch
+Date: Tue, 14 Aug 2018 11:46:40 +0200
+Subject: [PATCH] crash on invalid reply in XListExtensions
+References: bsc#1102073 CVE-2018-14598
+
+If the server sends a reply in which even the first string would
+overflow the transmitted bytes, list[0] will be set to NULL and
+a count of 0 is returned.
+
+If the resulting list is freed with XFreeExtensionList later on,
+the first Xfree call:
+
+ Xfree (list[0]-1)
+ turns into
+ Xfree (NULL-1)
+
+which will most likely trigger a segmentation fault.
+
+I have modified the code to return NULL if the first string would
+overflow, thus protecting XFreeExtensionList later on.
+
+Signed-off-by: Tobias Stoeckmann
+---
+ src/ListExt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 6537c4dc..ece9ba31 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -83,6 +83,11 @@ char **XListExtensions(
+ length = (unsigned char) *ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
++ } else if (i == 0) {
++ Xfree(list);
++ Xfree(ch);
++ list = NULL;
++ break;
+ } else
+ list[i] = NULL;
+ }
+--
+2.16.4
+
diff --git a/u_off-by-one-write-in-XListExtensions.patch b/u_off-by-one-write-in-XListExtensions.patch
new file mode 100644
index 0000000..00ded64
--- /dev/null
+++ b/u_off-by-one-write-in-XListExtensions.patch
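Review bot: The new `} else if (i == 0) {` branch in the inner src/ListExt.c hunk has no comment saying why the first entry is treated differently from later ones, and the reason (a list whose `list[0]` is NULL makes `XFreeExtensionList` free `list[0]-1`) lives only in the commit message. A comment such as `/* first name already overruns the reply: return NULL rather than a list whose list[0] is NULL, which XFreeExtensionList would free as list[0]-1 */` would keep that rationale next to the code. After `Xfree(ch)` the branch leaves the loop with `ch` still pointing at freed storage; the remainder of XListExtensions is outside this hunk, so it is worth confirming that nothing after the loop touches `ch` and that the count reported to the caller is 0 on this path. Since later entries that fail the `ch + length < chend` test still get `list[i] = NULL` while earlier ones stay valid, the `i == 0` case is the only one where the returned list would be unsafe to free, which is consistent with limiting the fix to it.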
@@ -0,0 +1,67 @@
+From b4692168dfd66cdcd91d970ff255ded144d6ef95 Mon Sep 17 00:00:00 2001
+From: Stefan Dirsch
+Date: Mon, 23 Jul 2018 14:26:05 +0200
+Subject: [PATCH] off-by-one write in XListExtensions
+References: bsc#1102062 CVE-2018-14599
+
+The function XListExtensions is vulnerable to an off-by-one override on
+malicious server responses.
+
+The server reply consists of extension names consisting of a length byte
+followed by actual string, which is not NUL-terminated.
+
+While parsing the response, the length byte is overridden with '\0',
+thus the memory area can be used as storage of C strings later on. To
+be able to NUL-terminate the last string, the buffer is reserved with
+an additional byte of space.
+
+For a boundary check, the variable chend (end of ch) was introduced,
+pointing at the end of the buffer which ch initially points to.
+Unfortunately there is a difference in handling "the end of ch".
+
+While chend points at the first byte that must not be written to,
+the for-loop uses chend as the last byte that can be written to.
+
+Therefore, an off-by-one can occur.
+
+I have refactored the code so chend actually points to the last byte
+that can be written to without an out of boundary access. As it is not
+possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
+with the corrected chend meaning, I removed the inner if-check.
+
+Signed-off-by: Tobias Stoeckmann
+---
+ src/ListExt.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 7fdf9932..8f344ac0 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -74,19 +74,15 @@ char **XListExtensions(
+ /*
+ * unpack into null terminated strings.
+ */
+- chend = ch + (rlen + 1);
++ chend = ch + rlen;
+ length = *ch;
+ for (i = 0; i < rep.nExtensions; i++) {
+ if (ch + length < chend) {
+ list[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- if (ch <= chend) {
+- length = *ch;
+- *ch = '\0'; /* and replace with null-termination */
+- count++;
+- } else {
+- list[i] = NULL;
+- }
++ length = *ch;
++ *ch = '\0'; /* and replace with null-termination */
++ count++;
+ } else
+ list[i] = NULL;
+ }
+--
+2.16.4
+
diff --git a/u_out-of-boundary-write-in-XListExtensions.patch b/u_out-of-boundary-write-in-XListExtensions.patch
new file mode 100644
index 0000000..fe0a5ba
--- /dev/null
+++ b/u_out-of-boundary-write-in-XListExtensions.patch
@@ -0,0 +1,41 @@
+From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
+From: Stefan Dirsch
+Date: Mon, 23 Jul 2018 14:30:54 +0200
+Subject: [PATCH] out of boundary write in XListExtensions
+References: bsc#1102068 CVE-2018-14600
+
+The length value is interpreted as signed char on many systems
+(depending on default signedness of char), which can lead to an out of
+boundary write up to 128 bytes in front of the allocated storage, but
+limited to NUL byte(s).
+
+Casting the length value to unsigned char fixes the problem and allows
+string values with up to 255 characters.
+
+Signed-off-by: Tobias Stoeckmann
+---
+ src/ListExt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 8f344ac0..6537c4dc 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -75,12 +75,12 @@ char **XListExtensions(
+ * unpack into null terminated strings.
+ */
+ chend = ch + rlen;
+- length = *ch;
++ length = (unsigned char) *ch;
+ for (i = 0; i < rep.nExtensions; i++) {
+ if (ch + length < chend) {
+ list[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- length = *ch;
++ length = (unsigned char) *ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else
+--
+2.16.4
+
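Review bot: The retained bound check `if (ch + length < chend)` in the inner src/ListExt.c hunk still forms the pointer `ch + length` before knowing it lies inside the buffer; when `length` exceeds the bytes remaining this points past one-past-the-end of the `rlen + 1`-byte allocation the commit message describes, which is undefined behaviour in C even though it is only used in a comparison here. Writing the test as a distance, `if (length < chend - ch)`, makes the same decision without forming the out-of-range pointer; with `chend = ch + rlen` and `ch` only advanced by `length + 1` after a successful test, `ch <= chend` holds on every iteration, so the difference is never negative (assuming a non-negative `length`, which the companion unsigned-char patch provides). The declarations of `ch`, `chend` and `length`, and the allocation of `rlen + 1` bytes, are outside the hunk, so check that `length` is not a narrower type than the difference before changing the comparison. A one-line comment on the new `chend = ch + rlen;`, `/* last byte that may be written: the '\0' terminator of the final name */`, would also record the changed meaning the commit message explains.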
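Review bot: The `(unsigned char) *ch` cast now appears twice in the inner src/ListExt.c hunk with nothing in the code saying why, so a later reader seeing the older `length = *ch` form elsewhere could drop one as redundant and silently reintroduce the negative-length case. A short comment at the first cast, `/* length byte is 0..255; plain char may be signed, which would move ch backwards */`, ties both casts to the reasoning in the commit message. Whether `length` is declared wide enough to hold 255 is not visible here, since its declaration is outside the hunk.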