Bug 740954 (CVE-2010-4818)
Summary: | CVE-2010-4818 X.org: multiple GLX input sanitization flaws | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ajax, jlieskov, rcvalle, xgl-maint |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-04-24 04:15:46 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 741649, 741650, 741651, 741652, 741654, 744008 | ||
Bug Blocks: | 740962 |
Description
Vincent Danen
2011-09-23 21:21:48 UTC
I emailed Adam regarding this, with concern about possible WebGL ramifications and he returned the following analysis: 402b329c3aa8ddbebaa1f593306a02d4cd6fed26 has no security implications. It works around a bug in older Mesa versions by allowing certain requests with excess data (and ignoring that data). 1137c11be0f82049d28024eaf963c6f76e0d4334 has no security implications. It corrects a bug in processing of that request: it is allowed to be followed by a variable-length list of attributes, but we were requiring a fixed size. a883cf1545abd89bb2cadfa659718884b56fd234 has no security implications, for the same reasons as 1137c11. d9225b9602c85603ae616a7381c784f5cf5e811c has no security implications. In the worst case it prevents reading from arbitrary server memory (linearly, so anything you're interested in has to be above you in memory), and the memory so read does not propagate back to the client so it can't be used to discover the server's memory map. d9225b9602c85603ae616a7381c784f5cf5e811c has no security implications. It simply corrects the endianness of a list of attributes when the X client is the other endianness from the server. 6c69235a9dfc52e4b4e47630ff4bab1a820eb543 allows swapped clients to overwrite malloc bookkeeping information if a suitably truncated request happens to fall close enough to the end of the request buffer. Coercing the server to free request buffers is mildly difficult but feasible. You'd need to do your own protocol, libGL won't create malformed requests like this. The attack then follows the normal free() exploit path. ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 could be a code injection attack if you can precisely craft the 'length' field of the request (ie, if you're not interfacing through libGL, like WebGL does). This would involve arranging for a pixmap at a known location in server memory, with fairly precise contents (that _depend_ on the location in memory, as there's complicated sequences of pointer chasing involved), which would eventually contain a function pointer that you can trigger a call to later in the request. So that'd be shellcode, assuming you can probe the memory layout, or you get lucky. 3f0d3f4d97bce75c1828635c322b6560a45a037f could be a code injection attack if you can precisely set the 'screen' field of the request, following the same attack as ec9c97c. Again, this vector requires that you write your own protocol, since libGL does not send invalid screen numbers (and actually checks on the client side). So, three that are theoretical code injections, but none that are exposed through typical use of GLX. As always, you'd need to be able and authorized to connect to the display server already. Disabling GLX is an effective workaround. For Fedora 14, the code change in 3f0d3f4 is present, but it doesn't look like the code in ec9c97c is. Likewise the code changes in 6c69235 is not present either, so I believe this would affect Fedora 14's xorg-server-1.9.5. For Fedora 15, it looks all code changes are present (xorg-server-1.10.4). The RHEL6 rpm ships xorg-server 1.7.7, which has the vulnerable code for : 6c69235a9dfc52e4b4e47630ff4bab1a820eb543 ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 3f0d3f4d97bce75c1828635c322b6560a45a037f also please note that 3f0d3f4d97bce75c1828635c322b6560a45a037f introduces a regression fixed later on https://bugs.freedesktop.org/show_bug.cgi?id=33324 The RHEL5 rpm ships xorg-server 1.1.1 and RHEL4 rpm ships X11R6.8.1 which has the vulnerable code (different function names but the code is nearly identical otherwise) for : 6c69235a9dfc52e4b4e47630ff4bab1a820eb543 ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 3f0d3f4d97bce75c1828635c322b6560a45a037f also please note that 3f0d3f4d97bce75c1828635c322b6560a45a037f introduces a regression fixed later on https://bugs.freedesktop.org/show_bug.cgi?id=33324 This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2011:1359 https://rhn.redhat.com/errata/RHSA-2011-1359.html This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2011:1360 https://rhn.redhat.com/errata/RHSA-2011-1360.html Created xorg-x11-server tracking bugs for this issue Affects: fedora-14 [bug 744008] |