pool/libX11
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- u_off-by-one-write-in-XListExtensions.patch

Browse Source 
* fixes off-by-one write in XListExtensions (bsc#1102062, CVE-2018-14599)
- u_out-of-boundary-write-in-XListExtensions.patch
  * fixes out of boundary write in XListExtensions (bsc#1102068, CVE-2018-14600)
- u_crash-on-invalid-reply-in-XListExtensions.patch
  * crash on invalid reply in XListExtensions (bsc#1102073, CVE-2018-14598)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=43
This commit is contained in:
Stefan Dirsch 2018-08-20 12:20:21 +00:00 committed by Git OBS Bridge
parent a408f8b0c3
commit b3142d5467
5 changed files with 173 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libX11.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon Aug 20 12:15:47 UTC 2018 - sndirsch@suse.com
- u_off-by-one-write-in-XListExtensions.patch
* fixes off-by-one write in XListExtensions (bsc#1102062, CVE-2018-14599)
- u_out-of-boundary-write-in-XListExtensions.patch
* fixes out of boundary write in XListExtensions (bsc#1102068, CVE-2018-14600)
- u_crash-on-invalid-reply-in-XListExtensions.patch
* crash on invalid reply in XListExtensions (bsc#1102073, CVE-2018-14598)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 15 09:01:19 UTC 2018 - msrb@suse.com Thu Mar 15 09:01:19 UTC 2018 - msrb@suse.com

9
libX11.spec
View File

@ -36,6 +36,12 @@ Patch9: p_xlib_skip_ext_env.diff
Patch15: en-locales.diff Patch15: en-locales.diff
# PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8. # PATCH-FIX-UPSTREAM u_Use-flexible-array-member-instead-of-fake-size.patch -- Fix build error with gcc8.
Patch16: u_Use-flexible-array-member-instead-of-fake-size.patch Patch16: u_Use-flexible-array-member-instead-of-fake-size.patch
# CVE-2018-14599
Patch1102062: u_off-by-one-write-in-XListExtensions.patch
# CVE-2018-14600
Patch1102068: u_out-of-boundary-write-in-XListExtensions.patch
# CVE-2018-14598
Patch1102073: u_crash-on-invalid-reply-in-XListExtensions.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: autoconf >= 2.60 BuildRequires: autoconf >= 2.60
@ -145,6 +151,9 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
%patch9 -p0 %patch9 -p0
%patch15 -p0 %patch15 -p0
%patch16 -p1 %patch16 -p1
%patch1102062 -p1
%patch1102068 -p1
%patch1102073 -p1
%build %build
# Got patches which change auto*files # Got patches which change auto*files

46
u_crash-on-invalid-reply-in-XListExtensions.patch Normal file
View File

@ -0,0 +1,46 @@
From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Tue, 14 Aug 2018 11:46:40 +0200
Subject: [PATCH] crash on invalid reply in XListExtensions
References: bsc#1102073 CVE-2018-14598
If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] will be set to NULL and
a count of 0 is returned.
If the resulting list is freed with XFreeExtensionList later on,
the first Xfree call:
Xfree (list[0]-1)
turns into
Xfree (NULL-1)
which will most likely trigger a segmentation fault.
I have modified the code to return NULL if the first string would
overflow, thus protecting XFreeExtensionList later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/ListExt.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/ListExt.c b/src/ListExt.c
index 6537c4dc..ece9ba31 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -83,6 +83,11 @@ char **XListExtensions(
length = (unsigned char) *ch;
*ch = '\0'; /* and replace with null-termination */
count++;
+ } else if (i == 0) {
+ Xfree(list);
+ Xfree(ch);
+ list = NULL;
+ break;
} else
list[i] = NULL;
}
--
2.16.4

67
u_off-by-one-write-in-XListExtensions.patch Normal file
View File

@ -0,0 +1,67 @@
From b4692168dfd66cdcd91d970ff255ded144d6ef95 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Mon, 23 Jul 2018 14:26:05 +0200
Subject: [PATCH] off-by-one write in XListExtensions
References: bsc#1102062 CVE-2018-14599
The function XListExtensions is vulnerable to an off-by-one override on
malicious server responses.
The server reply consists of extension names consisting of a length byte
followed by actual string, which is not NUL-terminated.
While parsing the response, the length byte is overridden with '\0',
thus the memory area can be used as storage of C strings later on. To
be able to NUL-terminate the last string, the buffer is reserved with
an additional byte of space.
For a boundary check, the variable chend (end of ch) was introduced,
pointing at the end of the buffer which ch initially points to.
Unfortunately there is a difference in handling "the end of ch".
While chend points at the first byte that must not be written to,
the for-loop uses chend as the last byte that can be written to.
Therefore, an off-by-one can occur.
I have refactored the code so chend actually points to the last byte
that can be written to without an out of boundary access. As it is not
possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
with the corrected chend meaning, I removed the inner if-check.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/ListExt.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/ListExt.c b/src/ListExt.c
index 7fdf9932..8f344ac0 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -74,19 +74,15 @@ char **XListExtensions(
/*
* unpack into null terminated strings.
*/
- chend = ch + (rlen + 1);
+ chend = ch + rlen;
length = *ch;
for (i = 0; i < rep.nExtensions; i++) {
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- if (ch <= chend) {
- length = *ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else {
- list[i] = NULL;
- }
+ length = *ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
} else
list[i] = NULL;
}
--
2.16.4

41
u_out-of-boundary-write-in-XListExtensions.patch Normal file
View File

@ -0,0 +1,41 @@
From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Mon, 23 Jul 2018 14:30:54 +0200
Subject: [PATCH] out of boundary write in XListExtensions
References: bsc#1102068 CVE-2018-14600
The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out of
boundary write up to 128 bytes in front of the allocated storage, but
limited to NUL byte(s).
Casting the length value to unsigned char fixes the problem and allows
string values with up to 255 characters.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/ListExt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ListExt.c b/src/ListExt.c
index 8f344ac0..6537c4dc 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -75,12 +75,12 @@ char **XListExtensions(
* unpack into null terminated strings.
*/
chend = ch + rlen;
- length = *ch;
+ length = (unsigned char) *ch;
for (i = 0; i < rep.nExtensions; i++) {
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- length = *ch;
+ length = (unsigned char) *ch;
*ch = '\0'; /* and replace with null-termination */
count++;
} else
--
2.16.4