oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro

From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Thu, 09 Apr 2015 07:44:52 -0400
On 2015-04-09 07:10 AM, Florian Weimer wrote:

On 04/09/2015 09:09 AM, cve-assign () mitre org wrote:

The MakeBigReq macro in libX11 contained a 4-byte buffer overflow:



https://bugs.freedesktop.org/show_bug.cgi?id=56508



Fixed by the following commit in libX11 1.5.99.901:



http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d


(for the "#ifdef LONG64")

- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \


(for the "else")

- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \


Use CVE-2013-7439.


Does this assignment cover application code which has to be recompiled
because it included an expansion of broken macro?

(The question is hypothetical.  I could find copies of the header file,
but not actual users of the macro.)



Actually, libx11 contains the following macro also:

#define SetReqLen(req,n,badlen) \
    if ((req->length + n) > (unsigned)65535) { \
        if (dpy->bigreq_size) { \
            MakeBigReq(req,n) \
        } else { \
            n = badlen; \
            req->length += n; \
        } \
    } else \
        req->length += n

which means anything that uses SetReqLen also needs to be rebuilt, and so far
I've found:

libxext
libxrender
libxi
libxfixes
libxrandr
libsdl1.2
libxv
libxp
texlive-bin
xserver-xorg-video-vmware


Marc.
Previous By Date Next
Previous By Thread Next

Current thread: