Bug 1381928 (CVE-2016-7950)

Summary: CVE-2016-7950 libXrender: Insufficient validation of server responses results out-of-bounds write in XRenderQueryFilters
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: btissoir, kbost, sandmann, slawomir
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libXrender 0.9.10
Last Closed: 2019-06-08 02:59:40 UTC
Bug Depends On: 1381930    
Bug Blocks: 1381939    

Description Andrej Nemec 2016-10-05 11:34:23 UTC
It was found that when receiving a response from the server, protocol data is not validated sufficiently. The memory for filter names is reserved right after receiving the reply. After that, filters are iterated and each individual filter name is stored in that reserved memory. The individual name lengths are not checked for validity, which means that a malicious server can reserve less memory than it will write to during each iteration.

Upstream patch:

https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714

External References:

https://lists.x.org/archives/xorg-announce/2016-October/002720.html

CVE assignment:

http://seclists.org/oss-sec/2016/q4/17
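
The per-name length check that the description says was missing, as an added example (not part of the bug report and not libXrender's code). The wire format, `copy_names`, and the sample byte arrays are assumptions constructed for illustration: a count of names, each sent as a 1-byte length followed by that many bytes, copied into a buffer sized before the names are read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified format: `count` names, each a 1-byte length
 * followed by that many bytes. `reserved` is the size of the name buffer
 * allocated before iterating. Returns count, or -1 if the data is rejected. */
int copy_names(const uint8_t *wire, size_t wire_len, unsigned count,
               char *names, size_t reserved, char **out)
{
    size_t in = 0;    /* read offset into the untrusted reply */
    size_t used = 0;  /* bytes already consumed from the reserved buffer */

    for (unsigned i = 0; i < count; i++) {
        if (in >= wire_len)
            return -1;                    /* no length byte left to read */
        size_t len = wire[in++];
        /* The name plus its NUL must fit in what is left of the buffer. */
        if (len + 1 > reserved - used)
            return -1;
        if (len > wire_len - in)
            return -1;                    /* claimed length exceeds the input */
        memcpy(names + used, wire + in, len);
        names[used + len] = '\0';
        out[i] = names + used;
        used += len + 1;
        in += len;
    }
    return (int)count;
}

/* Constructed sample replies: one well-formed, one whose second name
 * claims 200 bytes although only 17 bytes were reserved. */
static const uint8_t good[] = {7,'n','e','a','r','e','s','t',
                               8,'b','i','l','i','n','e','a','r'};
static const uint8_t bad[]  = {7,'n','e','a','r','e','s','t', 200,'b','i'};

int demo_valid(void) {
    char buf[17]; char *out[2];
    int n = copy_names(good, sizeof good, 2, buf, sizeof buf, out);
    return (n == 2 && strcmp(out[1], "bilinear") == 0) ? n : -1;
}

int demo_oversized(void) {
    char buf[17]; char *out[2];
    return copy_names(bad, sizeof bad, 2, buf, sizeof buf, out);
}

int main(void) { return (demo_valid() == 2 && demo_oversized() == -1) ? 0 : 1; }
```

Without the two length checks inside the loop, the second name in `bad` would be copied past the end of the 17-byte buffer, which is the out-of-bounds write the summary names.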

Comment 1 Andrej Nemec 2016-10-05 11:35:02 UTC
Created libXrender tracking bugs for this issue:

Affects: fedora-all [bug 1381930]