Bug 680196 (CVE-2011-0465)
Field | Value
---|---
Summary | CVE-2011-0465 xorg: xrdb code execution via crafted X client hostname
Product | [Other] Security Response
Reporter | Jan Lieskovsky <jlieskov>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Version | unspecified
CC | ajax, bressers, bugreports2005, georgi.georgiev, j.s.peatfield, marco, mjc, security-response-team, solgato, tis, vdanen
Keywords | Security
Hardware | All
OS | Linux
Doc Type | Bug Fix
Clones | 696310 696316 696317
Last Closed | 2012-06-20 15:48:15 UTC
Bug Depends On | 681589, 681590, 681591, 681592, 681593, 833998
Bug Blocks | 696310, 696316, 696317
Description
Jan Lieskovsky
2011-02-24 16:03:28 UTC
Public now via xrdb release 1.0.9:
http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
http://lists.freedesktop.org/archives/xorg-announce/2011-April/001635.html

Upstream commit: http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56

Acknowledgements: Red Hat would like to thank Matthieu Herrb for reporting this issue. Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0433 https://rhn.redhat.com/errata/RHSA-2011-0433.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Via RHSA-2011:0432 https://rhn.redhat.com/errata/RHSA-2011-0432.html

Source files for RHSA-2011-0433 are missing from ftp.redhat.com.

(In reply to comment #9)
> Source files for RHSA-2011-0433 are missing from ftp.redhat.com.

Corrected now.

It looks like the patch that was created for the RHEL6 build didn't quite match the upstream changes. Here is what the upstream patch section looked like:

@@ -449,8 +457,9 @@ AddDefQ(String *buff, char *title, char *value) else #endif if (value && (value[0] != '\0')) { - AddDef(buff, title, "\""); - addstring(buff, value); + AddSimpleDef(buff, title); + addstring(buff, "=\""); + addescapedstring(buff, value); addstring(buff, "\""); } else AddDef(buff, title, NULL);

This is what ended up in the new 7.4-15.el6.1 source RPM:

@@ -411,7 +413,7 @@ AddDefQ(String *buff, char *title, char #endif if (value && (value[0] != '\0')) { AddDef(buff, title, "\""); - addstring(buff, value); + addescapedstring(buff, value); addstring(buff, "\""); } else AddDef(buff, title, NULL);

This is causing a mismatched set of quotes for at least the VENDOR def:
-DVENDOR=_Red Hat, Inc.\"
and is causing xrdb to fail with the following errors:
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file

I had the same problem (xrdb fail, as explained in Comment 11) but under 5.6 (Tikanga) after upgrading from xorg-x11-server-utils-7.1-4.fc6.i386 to xorg-x11-server-utils-7.1-5.el5_6.1.i386.

Confirming that xrdb appears broken in both RHEL5 and RHEL6, giving just the error message cited in Comment 11.

The following bugs were created to track fixing of that regression: bug #696310, bug #696316 and bug #696317.
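Review bot: the 7.4-15.el6.1 hunk keeps `AddDef(buff, title, "\"");` for the opening quote, whereas the upstream hunk replaces that call with `AddSimpleDef(buff, title); addstring(buff, "=\"");` and only then calls `addescapedstring(buff, value);`. In the backport the opening `"` is therefore still passed to AddDef as a value while the closing `"` is appended with a plain `addstring(buff, "\"");`, so the two quotes are no longer emitted the same way; that is consistent with the unbalanced `-DVENDOR=_Red Hat, Inc.\"` and the `unexpected EOF while looking for matching` error reported in the following comment. The fix is to carry the complete upstream hunk over, i.e. remove the `AddDef(buff, title, "\"")` line and add the `AddSimpleDef` and `addstring(buff, "=\"")` lines, rather than only swapping `addstring` for `addescapedstring`.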
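To make the regression concrete, the following Python model reproduces the two AddDefQ variants quoted in the comments above. It is an added illustration written for this page, not xrdb's source: the helper names (AddDef, AddSimpleDef, addstring, addescapedstring) are taken from the hunks, but their bodies are assumptions. In particular the model assumes that the escaping routine replaces shell-significant characters with `_` and that the fixed AddDef escapes every value it receives, which is the behaviour that would turn the opening `"` into the `_` seen in the reported `-DVENDOR=_Red Hat, Inc.\"` output. The `-D` define strings are constructed sample values.

```python
"""Model of the xrdb AddDefQ quoting regression from bug 680196 (added example).

Not xrdb's code. Helper names follow the quoted hunks; the bodies are
assumptions modelled on the behaviour reported in the comments.
"""
import shlex

# Assumption: characters that are neutralised by the escaper. Replacing them
# with '_' is consistent with the reported "-DVENDOR=_Red Hat, Inc." output,
# where the opening quote became an underscore.
UNSAFE = set('"\'`$\\')


def addstring(buff, s):
    """Append raw text to the argument buffer (a list of fragments)."""
    buff.append(s)


def addescapedstring(buff, s):
    """Append text with shell-significant characters replaced by '_'."""
    buff.append("".join("_" if ch in UNSAFE else ch for ch in s))


def AddSimpleDef(buff, title):
    """Emit -D<title> with no value; a space separates it from earlier defines."""
    addstring(buff, " -D" if buff else "-D")
    addstring(buff, title)


def AddDef(buff, title, value):
    """Emit -D<title>=<value>. Assumption: after the fix, every value passed
    here is escaped, including a value that is just a quote character."""
    AddSimpleDef(buff, title)
    if value:
        addstring(buff, "=")
        addescapedstring(buff, value)


def AddDefQ_upstream(buff, title, value):
    """Quoted define as in the upstream hunk: both quotes are added raw,
    only the value between them is escaped."""
    if value:
        AddSimpleDef(buff, title)
        addstring(buff, '="')
        addescapedstring(buff, value)
        addstring(buff, '"')
    else:
        AddDef(buff, title, None)


def AddDefQ_rhel6_backport(buff, title, value):
    """Quoted define as in the 7.4-15.el6.1 hunk: the opening quote still goes
    through AddDef (and so through the escaper), the closing one does not."""
    if value:
        AddDef(buff, title, '"')
        addescapedstring(buff, value)
        addstring(buff, '"')
    else:
        AddDef(buff, title, None)


def build_define(adddefq, title, value):
    """Run one AddDefQ variant on an empty buffer and return the define."""
    buff = []
    adddefq(buff, title, value)
    return "".join(buff)


def shell_parses(define):
    """True if the define survives POSIX shell word splitting. An unmatched
    quote raises ValueError here, the analogue of sh's 'unexpected EOF while
    looking for matching' error."""
    try:
        shlex.split(define)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for variant in (AddDefQ_upstream, AddDefQ_rhel6_backport):
        define = build_define(variant, "VENDOR", "Red Hat, Inc.")
        print(f"{variant.__name__:24s} {define!r:32s} parses={shell_parses(define)}")
    # A client hostname with shell metacharacters is neutralised by the escaper.
    print(build_define(AddDefQ_upstream, "CLIENTHOST", "host`name$x"))
```

Running the script shows the upstream form producing `-DVENDOR="Red Hat, Inc."`, which the shell accepts, and the backport producing `-DVENDOR=_Red Hat, Inc."` with a lone closing quote, which is what `sh -c` rejects. The last line shows the point of the upstream change: a hostname carrying shell metacharacters is reduced to `-DCLIENTHOST="host_name_x"` before it ever reaches the shell.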