oss-sec mailing list archives
Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro
From: Yann Droneaud <ydroneaud () opteya com>
Date: Thu, 09 Apr 2015 17:00:08 +0200
Hi,

On Thursday, 09 April 2015 at 07:44 -0400, Marc Deslauriers wrote:
> On 2015-04-09 07:10 AM, Florian Weimer wrote:
>> On 04/09/2015 09:09 AM, cve-assign () mitre org wrote:
>>> The MakeBigReq macro in libX11 contained a 4-byte buffer overflow:
>>>
>>> https://bugs.freedesktop.org/show_bug.cgi?id=56508
>>>
>>> Fixed by the following commit in libX11 1.5.99.901:
>>>
>>> http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d
>>>
>>> (for the "#ifdef LONG64")
>>>
>>> - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
>>> + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
>>>
>>> (for the "else")
>>>
>>> - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
>>> + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
>>>
>>> Use CVE-2013-7439.
>>
>> Does this assignment cover application code which has to be recompiled
>> because it included an expansion of the broken macro? (The question is
>> hypothetical. I could find copies of the header file, but not actual
>> users of the macro.)
>
> Actually, libx11 contains the following macro also:
>
> #define SetReqLen(req,n,badlen) \
>     if ((req->length + n) > (unsigned)65535) { \
>         if (dpy->bigreq_size) { \
>             MakeBigReq(req,n) \
>         } else { \
>             n = badlen; \
>             req->length += n; \
>         } \
>     } else \
>         req->length += n
>
> which means anything that uses SetReqLen also needs to be rebuilt, and so
> far I've found:
>
> libxext
> libxrender
> libxi
> libxfixes
> libxrandr
> libsdl1.2
> libxv
> libxp
> texlive-bin
> xserver-xorg-video-vmware
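Review bot: the only change in either hunk is the memmove byte count, `_BRlen << 2` becoming `(_BRlen - 1) << 2`, which moves one CARD32 word (4 bytes) less and so matches the reported 4-byte overflow; since the `#ifdef LONG64` branch and the `else` branch receive the identical one-word correction, the memmove (or at least its size expression) should be hoisted out of the conditional so the two copies cannot drift apart again. The hunks also carry no comment explaining why one word fewer is moved, and because MakeBigReq is a macro in a public header, the fix reaches a consumer only when that consumer is rebuilt, which the commit should state so packagers know to rebuild everything that expanded the old macro.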
There are more candidates for SetReqLen:

http://codesearch.debian.net/results/SetReqLen/page_0

I've noted in particular cairo. And then indirectly, through an embedded copy of cairo: firefox (iceweasel), thunderbird (icedove), texlive-bin, indigo, wine-gecko.

Additionally vnc4, through its own libX11 copy.

Finally, open-vm-tools is also a possible candidate.

(Please note I haven't checked if the SetReqLen macro is actually used in a way that might trigger a buffer overflow in the MakeBigReq macro.)

Regards.

-- 
Yann Droneaud
OPTEYA
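The word shift that the two quoted memmove lines perform, with the pre-patch and patched sizes side by side, as an added example that is not part of this message or of libX11. Only the memmove lines and the SetReqLen macro appear on the page; the rest of the conversion (saving the last word, zeroing the 16-bit length field, writing the 32-bit length at word 1) is modelled here from the BIG-REQUESTS encoding rather than copied from the macro, and the names shift_for_bigreq, request_words and the canary layout are this example's own. A canary word placed directly after the constructed request shows where the extra 4 bytes of the original size land.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY    0xDEADBEEFu
#define MAX_WORDS 64u

/* X request header: opcode, one data byte, 16-bit length in CARD32 units. */
typedef struct { uint8_t req_type; uint8_t data; uint16_t length; } xreq_hdr;

/* What one BIG-REQUESTS conversion did to the constructed request. */
struct shift_result {
    bool     canary_intact;  /* false: the memmove wrote past the request */
    bool     payload_ok;     /* words 1..len-2 now sit at 2..len-1, in order */
    uint32_t saved_last;     /* the last word the macro saves to send separately */
    uint32_t ext_length;     /* the 32-bit length written at word 1 */
};

/*
 * request_words: req->length before conversion (CARD32 units, header included).
 * n:             the extra length SetReqLen is adding.
 * fixed:         false uses the pre-patch size  _BRlen << 2,
 *                true  uses the patched size   (_BRlen - 1) << 2.
 * Lengths below 2 are refused: (_BRlen - 1) would wrap for a 1-word request.
 * Modelled macro body (assumption, not libX11 source): see comments inline.
 */
static struct shift_result shift_for_bigreq(uint32_t request_words, uint32_t n, bool fixed)
{
    struct shift_result r = { false, false, 0, 0 };
    uint32_t buf[MAX_WORDS + 1];              /* request, then one canary word */
    uint32_t *req = buf;
    xreq_hdr hdr;

    if (request_words < 2 || request_words > MAX_WORDS)
        return r;

    /* Constructed request: header in word 0, recognisable payload after it. */
    hdr.req_type = 0x99; hdr.data = 0; hdr.length = (uint16_t)request_words;
    memcpy(&req[0], &hdr, sizeof hdr);
    for (uint32_t i = 1; i < request_words; i++)
        req[i] = 0x1000u + i;
    buf[request_words] = CANARY;

    /* Save the last word (the macro's _BRdat), zero the 16-bit length
     * (0 tells the server a 32-bit length follows), open a one-word gap at
     * word 1 by shifting the payload up, then write the 32-bit length. */
    uint32_t br_len = request_words - 1;      /* the macro's _BRlen */
    uint32_t br_dat = req[br_len];
    hdr.length = 0;
    memcpy(&req[0], &hdr, sizeof hdr);
    size_t bytes = fixed ? (size_t)(br_len - 1) << 2 : (size_t)br_len << 2;
    memmove(((char *)req) + 8, ((char *)req) + 4, bytes);
    req[1] = br_len + n + 2;

    r.canary_intact = (buf[request_words] == CANARY);
    r.payload_ok = true;
    for (uint32_t i = 1; i + 1 < request_words; i++)
        if (req[i + 1] != 0x1000u + i)
            r.payload_ok = false;
    r.saved_last = br_dat;
    r.ext_length = req[1];
    return r;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct shift_result r = shift_for_bigreq(8, 5, fixed != 0);
        printf("%s memmove: canary %s, payload %s, ext_length %u, saved word 0x%x\n",
               fixed ? "patched " : "original",
               r.canary_intact ? "intact" : "CLOBBERED",
               r.payload_ok ? "ok" : "corrupt", r.ext_length, r.saved_last);
    }
    return 0;
}
```

With the original size the move copies `request_words - 1` words starting at word 1 into words 2 onward, so the last of them lands in the word after the request; the patched size stops one word earlier, which is exactly the word already saved in `br_dat`, so the payload is preserved and nothing is written past the end. In a real Xlib output buffer those 4 bytes would land in whatever follows the request, which is why the thread treats every binary that expanded the old macro as affected until rebuilt.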
Current thread:
- CVE Request: libX11: buffer overflow in MakeBigReq macro Marc Deslauriers (Apr 07)
- Re: CVE Request: libX11: buffer overflow in MakeBigReq macro cve-assign (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Florian Weimer (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Marc Deslauriers (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Yann Droneaud (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Alan Coopersmith (Apr 14)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Alan Coopersmith (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Florian Weimer (Apr 09)
- Re: CVE Request: libX11: buffer overflow in MakeBigReq macro cve-assign (Apr 09)
- Re: CVE Request: libX11: buffer overflow in MakeBigReq macro cve-assign (Apr 09)