Bug 1168684 (CVE-2014-8092)

Summary: CVE-2014-8092 xorg-x11-server: integer overflow in X11 core protocol requests when calculating memory needs for requests
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: airlied, ajax, chazlett, jrusnack, peter.hutterer, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Multiple integer overflow flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-11 20:56:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1170916, 1170917, 1170918, 1170919, 1170932    
Bug Blocks: 1168310    
Attachments:
Description Flags
0002-dix_integer_overflow_in_ProcPutImage_CVE-2014-8092_1-4.patch
none
0003-dix_integer_overflow_in_GetHosts_CVE-2014-8092_2-4.patch
none
0004-dix_integer_overflow_in_RegionSizeof_CVE-2014-8092_3-4.patch
none
0005-dix_integer_overflow_in_REQUEST_FIXED_SIZE_CVE-2014-8092_4-4.patch none

Description Vasyl Kaigorodov 2014-11-27 15:23:03 UTC 
ProcPutImage(), GetHosts(), RegionSizeof(), REQUEST_FIXED_SIZE() calls do not check that their calculations for how much memory
is needed to handle the client's request have not overflowed, so can
result in out of bounds reads or writes.  These calls all occur only
after a client has successfully authenticated itself.

Introduced in X11R1 (1987).
Comment 1 Vasyl Kaigorodov 2014-11-27 15:24:35 UTC 
Created attachment 962113 [details]
0002-dix_integer_overflow_in_ProcPutImage_CVE-2014-8092_1-4.patch
Comment 2 Vasyl Kaigorodov 2014-11-27 15:24:38 UTC 
Created attachment 962114 [details]
0003-dix_integer_overflow_in_GetHosts_CVE-2014-8092_2-4.patch
Comment 3 Vasyl Kaigorodov 2014-11-27 15:24:46 UTC 
Created attachment 962115 [details]
0004-dix_integer_overflow_in_RegionSizeof_CVE-2014-8092_3-4.patch
Comment 4 Vasyl Kaigorodov 2014-11-27 15:24:48 UTC 
Created attachment 962116 [details]
0005-dix_integer_overflow_in_REQUEST_FIXED_SIZE_CVE-2014-8092_4-4.patch
Comment 5 Huzaifa S. Sidhpurwala 2014-12-05 05:32:04 UTC 
In all the patches above, some calculation is done on data sent by the client and it results in a 32-bit integer overflow. That integer is used to malloc memory and client-controlled data is then copied into it. 

In most of the cases it could result in arbitrary code execution as root, and in Xorg client/server step could result in privilege escalation.
Comment 8 Vincent Danen 2014-12-09 20:15:45 UTC 
External References:

http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
Comment 9 errata-xmlrpc 2014-12-11 17:35:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html
Comment 10 errata-xmlrpc 2014-12-11 19:42:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html