Re: [XFree86] CAN-2005-2495: Current XFree86 and Recent CVE Advisory

2005-09-29 Thread Marc Aurele La France

On Wed, 28 Sep 2005, jayjwa wrote:


http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495



CAN-2005-2495:


This issue seems to affect both XFree86 and X.Org versions of X. Many Linux
distros have now begun to patch. Debian's advisory is really
unclear, as they seem to imply that only versions *before* XFree86 4.30
are affected. Checking out some of the links and advisories from the
other distros, I find this Slackware one, which implies current X.Org
is affected:


[...]


So are XFree86's version 4.5.0 binaries off their web/ftp servers affected
or not? It would appear that before 4.3.0 of XFree86 only is, but then
why would Slackware Linux and Mandrake be going so far as to replace
current X.Org stuff?


Any X server based on what used to be called the Sample Implementation is 
affected.  That includes all releases of XFree86 and X.Org.



Only one problem: there doesn't seem to BE a security upgrade for XFree86.


There is a source patch available on our ftp server.  It merely has yet to be 
announced.


In summary, can users expect fixed binary releases, or perhaps they already
are patched (no info about this on the XFree86 website)? If it IS just the
Xserver itself (that is, the XFree86/X binary), I can probably rob a patched
one from some distro's package. What are other users doing about this?


We currently have no plans to provide updated binaries, nor to back-port our 
fix to prior releases as others have done.  We are about to embark onto a new 
release cycle anyway.


Marc.

+----------------------------------+---------------------------+
|  Marc Aurele La France           |  work:   1-780-492-9310   |
|  Academic Information and        |  fax:    1-780-492-1729   |
|    Communications Technologies   |  email:  [EMAIL PROTECTED]|
|  352 General Services Building   +---------------------------+
|  University of Alberta           |                           |
|  Edmonton, Alberta               | Standard disclaimers apply|
|  T6G 2H1                         |                           |
|  CANADA                          |                           |
+----------------------------------+---------------------------+
XFree86 developer and VP.  ATI driver and X server internals.
___
XFree86 mailing list
XFree86@XFree86.Org
http://XFree86.Org/mailman/listinfo/xfree86


[XFree86] CAN-2005-2495: Current XFree86 and Recent CVE Advisory

2005-09-28 Thread jayjwa

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495

CAN-2005-2495:

This issue seems to affect both XFree86 and X.Org versions of X. Many
Linux distros have now begun to patch. Debian's advisory is really
unclear, as they seem to imply that only versions *before* XFree86 4.30
are affected. Checking out some of the links and advisories from the
other distros, I find this Slackware one, which implies current X.Org
is affected:

Tue Sep 13 02:15:06 PDT 2005
x/x11-6.8.2-i486-3.tgz:  Patched an integer overflow in the X server pixmap
  memory allocation that could potentially allow any X user to execute
  arbitrary code with root privileges.
  For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
  (* Security fix *)
x/x11-devel-6.8.2-i486-3.tgz:  Recompiled.
x/x11-docs-6.8.2-noarch-3.tgz:  Rebuilt.

(*snip*)


At http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495 --

Name: CAN-2005-2495 (under review)

Description: Multiple integer overflows in XFree86 before 4.3.0 allow
user-complicit attackers to execute arbitrary code via a crafted pixmap image.

References:
* GENTOO:GLSA-200509-07
* URL:http://www.gentoo.org/security/en/glsa/glsa-200509-07.xml
* MANDRAKE:MDKSA-2005:164
* URL:http://www.mandriva.com/security/advisories?name=MDKSA-2005:164
* REDHAT:RHSA-2005:501
* URL:http://www.redhat.com/support/errata/RHSA-2005-501.html
* TRUSTIX:2005-0049
* URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112690609622266&w=2



So all of us using XFree86's binaries for Linux at version 4.5.0 should
be OK, right? Well...

Mandriva Security Advisories

Package name: XFree86
Date: September 13th, 2005
Advisory ID: MDKSA-2005:164
Affected versions: 10.0, 10.1, CS2.1, CS3.0, 10.2

Synopsis: Updated XFree86/x.org packages fix vulnerability


Problem Description

A vulnerability was discovered in the pixmap allocation handling of the X 
server that can lead to local privilege escalation. By allocating a huge 
pixmap, a local user could trigger an integer overflow that resulted in a 
memory allocation that was too small for the requested pixmap, leading to 
a buffer overflow which could then be exploited to execute arbitrary code 
with full root privileges.


The updated packages have been patched to address these issues.

Updated Packages


Mandrakelinux 10.0

a22ae2b3b2cc019d7769a29fb8d15104  10.0/RPMS/libxfree86-4.3-32.5.100mdk.i586.rpm
d13d37d18a49addab3b0a2d0531499da  10.0/RPMS/libxfree86-devel-4.3-32.5.100mdk.i586.rpm
09b8bbc447d39afb1cd67ca808c3c409  10.0/RPMS/libxfree86-static-devel-4.3-32.5.100mdk.i586.rpm
739c0d36b7de1927718087e6b58107a3  10.0/RPMS/X11R6-contrib-4.3-32.5.100mdk.i586.rpm
8fbce53ac64d76dd1f3c01c1697a37f7  10.0/RPMS/XFree86-100dpi-fonts-4.3-32.5.100mdk.i586.rpm

(*snip*)

So are XFree86's version 4.5.0 binaries off their web/ftp servers affected
or not? It would appear that before 4.3.0 of XFree86 only is, but then
why would Slackware Linux and Mandrake be going so far as to replace
current X.Org stuff?

To put it another way, why are these Linux distros issuing
advisories for their current X.Org stuff when it seems only super old
XFree86 versions are affected? 4.3.0 is 2 whole versions behind 4.5.0.

But then, on http://www.x.org/ :

This advisory affects all known versions and releases of the X Window 
System whether from X.Org or other vendors. Therefore users are strongly 
recommended to upgrade.



Only one problem: there doesn't seem to BE a security upgrade for XFree86.



Where does this leave users of current XFree86? As the issue and its fix
seem to deal with Xserver source code, that would likely mean at least
downloading a full source of X11 and re-making the Xserver target (if it
was implemented this way, e.g., is able to just build one part instead of
having to do a full rebuild, such as make xserver instead of make all).
I'm not looking forward to patching and rebuilding a complete X11; one of
my machines has room, the other doesn't, which will mean an NFS/SMBFS build
over the network on a PII (glibc 2.3.5 took 17 hours to compile like this,
to give an idea of what it's like).


In summary, can users expect fixed binary releases, or perhaps they
already are patched (no info about this on the XFree86 website)? If it IS
just the Xserver itself (that is, the XFree86/X binary), I can probably
rob a patched one from some distro's package. What are other users doing
about this?
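The bug class the Mandriva description refers to (pixmap size computed as width times height times bytes per pixel in 32-bit arithmetic, so an enormous request wraps to a small allocation that is then overrun) and the shape of the fix, as an added C illustration that is not code from XFree86, X.Org or any of the advisories quoted in this thread. The 256 MiB cap, the 4-byte scanline padding rule and all function names are assumptions made for the example.

```c
/* Added illustration of the pixmap size-arithmetic bug class; not XFree86
 * or X.Org code. PIXMAP_MAX_BYTES, the 4-byte scanline padding and all
 * function names are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed upper bound on one pixmap; a real server would derive this
 * from its resource limits. */
#define PIXMAP_MAX_BYTES ((size_t)256 * 1024 * 1024)

/* Pre-fix shape of the computation: every operand is 32 bits, so the
 * product silently wraps modulo 2^32. A request that really needs more
 * than 4 GiB can come out as a few kilobytes, and the buffer later
 * written at the requested width and height is far too small. */
uint32_t pixmap_bytes_unchecked(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel)
{
    uint32_t bytes_per_line = width * bytes_per_pixel;
    return bytes_per_line * height;
}

/* Fixed shape: 64-bit intermediates, rejection of degenerate inputs and
 * a bound check performed before the multiplication that could overflow.
 * Returns the byte count, or 0 if the request is rejected (0 is never a
 * valid size here because zero dimensions are refused). */
size_t pixmap_bytes_checked(uint32_t width, uint32_t height,
                            uint32_t bytes_per_pixel)
{
    if (width == 0 || height == 0 ||
        bytes_per_pixel == 0 || bytes_per_pixel > 8)
        return 0;

    /* Below 2^32 * 8 = 2^35, so this cannot overflow a 64-bit value. */
    uint64_t bytes_per_line = (uint64_t)width * bytes_per_pixel;
    /* Pad each scanline to a 4-byte boundary (assumed padding rule). */
    bytes_per_line = (bytes_per_line + 3) & ~(uint64_t)3;

    /* Division instead of multiplication: if one scanline already
     * exceeds cap/height, the total would exceed the cap (or wrap). */
    if (bytes_per_line > PIXMAP_MAX_BYTES / height)
        return 0;

    return (size_t)(bytes_per_line * height);
}

/* Allocate storage for a pixmap only when the size arithmetic is sound.
 * Caller frees the buffer; *out_bytes receives the accepted size. */
unsigned char *pixmap_alloc(uint32_t width, uint32_t height,
                            uint32_t bytes_per_pixel, size_t *out_bytes)
{
    size_t n = pixmap_bytes_checked(width, height, bytes_per_pixel);
    *out_bytes = n;
    if (n == 0)
        return NULL;
    return calloc(1, n);
}

int main(void)
{
    size_t n = 0;

    /* Constructed request: 65537 x 65536 x 1 byte really needs
     * 4 GiB + 64 KiB, but 32-bit arithmetic reports 64 KiB. */
    printf("65537x65536x1 unchecked: %u bytes\n",
           (unsigned)pixmap_bytes_unchecked(65537u, 65536u, 1u));
    printf("65537x65536x1 checked:   %s\n",
           pixmap_bytes_checked(65537u, 65536u, 1u) ? "accepted" : "rejected");

    /* Ordinary request passes both the overflow and the cap check. */
    unsigned char *p = pixmap_alloc(640u, 480u, 4u, &n);
    printf("640x480x4: %s, %zu bytes\n", p ? "allocated" : "refused", n);
    free(p);
    return 0;
}
```

The checked version never performs a multiplication whose result it has not already bounded: the scanline product is provably below 2^35, and the scanline-by-height product is only computed after `bytes_per_line > PIXMAP_MAX_BYTES / height` has ruled out both wrap-around and oversize requests. This is the same reasoning as the distribution patches apply, expressed against a hypothetical cap rather than the server's real resource limits.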

