Bug 1168684 (CVE-2014-8092) - CVE-2014-8092 xorg-x11-server: integer overflow in X11 core protocol requests when calculating memory needs for requests
Summary: CVE-2014-8092 xorg-x11-server: integer overflow in X11 core protocol requests...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8092
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1170916 1170917 1170918 1170919 1170932
Blocks: 1168310
TreeView+ depends on / blocked
 
Reported: 2014-11-27 15:23 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:57 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Multiple integer overflow flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
Clone Of:
Environment:
Last Closed: 2014-12-11 20:56:13 UTC


Attachments (Terms of Use)
0002-dix_integer_overflow_in_ProcPutImage_CVE-2014-8092_1-4.patch (1.29 KB, text/plain)
2014-11-27 15:24 UTC, Vasyl Kaigorodov
no flags Details
0003-dix_integer_overflow_in_GetHosts_CVE-2014-8092_2-4.patch (1.95 KB, text/plain)
2014-11-27 15:24 UTC, Vasyl Kaigorodov
no flags Details
0004-dix_integer_overflow_in_RegionSizeof_CVE-2014-8092_3-4.patch (4.38 KB, text/plain)
2014-11-27 15:24 UTC, Vasyl Kaigorodov
no flags Details
0005-dix_integer_overflow_in_REQUEST_FIXED_SIZE_CVE-2014-8092_4-4.patch (1.14 KB, text/plain)
2014-11-27 15:24 UTC, Vasyl Kaigorodov
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1982 0 normal SHIPPED_LIVE Important: xorg-x11-server security update 2014-12-11 22:34:45 UTC
Red Hat Product Errata RHSA-2014:1983 0 normal SHIPPED_LIVE Important: xorg-x11-server security update 2014-12-12 00:41:58 UTC

Description Vasyl Kaigorodov 2014-11-27 15:23:03 UTC
ProcPutImage(), GetHosts(), RegionSizeof(), REQUEST_FIXED_SIZE() calls do not check that their calculations for how much memory
is needed to handle the client's request have not overflowed, so can
result in out of bounds reads or writes.  These calls all occur only
after a client has successfully authenticated itself.

Introduced in X11R1 (1987).

Comment 1 Vasyl Kaigorodov 2014-11-27 15:24:35 UTC
Created attachment 962113 [details]
0002-dix_integer_overflow_in_ProcPutImage_CVE-2014-8092_1-4.patch

Comment 2 Vasyl Kaigorodov 2014-11-27 15:24:38 UTC
Created attachment 962114 [details]
0003-dix_integer_overflow_in_GetHosts_CVE-2014-8092_2-4.patch

Comment 3 Vasyl Kaigorodov 2014-11-27 15:24:46 UTC
Created attachment 962115 [details]
0004-dix_integer_overflow_in_RegionSizeof_CVE-2014-8092_3-4.patch

Comment 4 Vasyl Kaigorodov 2014-11-27 15:24:48 UTC
Created attachment 962116 [details]
0005-dix_integer_overflow_in_REQUEST_FIXED_SIZE_CVE-2014-8092_4-4.patch

Comment 5 Huzaifa S. Sidhpurwala 2014-12-05 05:32:04 UTC
In all the patches above, some calculation is done on data sent by the client and it results in a 32-bit integer overflow. That integer is used to malloc memory and client-controlled data is then copied into it. 

In most of the cases it could result in arbitrary code execution as root, and in Xorg client/server step could result in privilege escalation.

Comment 8 Vincent Danen 2014-12-09 20:15:45 UTC
External References:

http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

Comment 9 errata-xmlrpc 2014-12-11 17:35:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html

Comment 10 errata-xmlrpc 2014-12-11 19:42:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html


Note You need to log in before you can comment on or make changes to this bug.