oss-sec mailing list archives
Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 09 Apr 2015 08:23:37 -0700
On 04/ 9/15 04:44 AM, Marc Deslauriers wrote:
On 2015-04-09 07:10 AM, Florian Weimer wrote:On 04/09/2015 09:09 AM, cve-assign () mitre org wrote:The MakeBigReq macro in libX11 contained a 4-byte buffer overflow:https://bugs.freedesktop.org/show_bug.cgi?id=56508Fixed by the following commit in libX11 1.5.99.901:http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d(for the "#ifdef LONG64")- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \(for the "else")- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \Use CVE-2013-7439.Does this assignment cover application code which has to be recompiled because it included an expansion of broken macro? (The question is hypothetical. I could find copies of the header file, but not actual users of the macro.)Actually, libx11 contains the following macro also: #define SetReqLen(req,n,badlen) \ if ((req->length + n) > (unsigned)65535) { \ if (dpy->bigreq_size) { \ MakeBigReq(req,n) \ } else { \ n = badlen; \ req->length += n; \ } \ } else \ req->length += n which means anything that uses SetReqLen also needs to be rebuilt, and so far I've found: libxext libxrender libxi libxfixes libxrandr libsdl1.2 libxv libxp texlive-bin xserver-xorg-video-vmware
I'd expect it in most of the X.Org libraries for the various extensions (the ones based on Xlib instead of XCB at least), which includes some of the Xorg
drivers which provide extension code for their extensions, but I'm surprised
by it in other applications.
--
-Alan Coopersmith- alan.coopersmith () oracle com
X.Org Security Response Team - xorg-security () lists x org
Current thread:
- CVE Request: libX11: buffer overflow in MakeBigReq macro Marc Deslauriers (Apr 07)
- Re: CVE Request: libX11: buffer overflow in MakeBigReq macro cve-assign (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Florian Weimer (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Marc Deslauriers (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Yann Droneaud (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Alan Coopersmith (Apr 14)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Alan Coopersmith (Apr 09)
- Re: Re: CVE Request: libX11: buffer overflow in MakeBigReq macro Florian Weimer (Apr 09)
- Re: CVE Request: libX11: buffer overflow in MakeBigReq macro cve-assign (Apr 09)
- Re: CVE Request: libX11: buffer overflow in MakeBigReq macro cve-assign (Apr 09)