Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1168688 - (CVE-2014-8093) CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests when calculating memory needs for requests
CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests whe...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20141209,repo...
: Security
Depends On: 1170916 1170917 1170918 1170919 1170932
Blocks: 1168310
  Show dependency treegraph
 
Reported: 2014-11-27 10:30 EST by Vasyl Kaigorodov
Modified: 2014-12-12 03:37 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Multiple integer overflow flaws were found in the way the X.Org server calculated memory requirements for certain GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-12-11 15:56:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch (1.87 KB, text/plain)
2014-11-27 10:33 EST, Vasyl Kaigorodov 		no flags Details
0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch (6.16 KB, text/plain)
2014-11-27 10:33 EST, Vasyl Kaigorodov 		no flags Details
0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch (2.05 KB, text/plain)
2014-11-27 10:33 EST, Vasyl Kaigorodov 		no flags Details
0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch (2.14 KB, text/plain)
2014-11-27 10:33 EST, Vasyl Kaigorodov 		no flags Details
0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch (6.58 KB, text/plain)
2014-11-27 10:33 EST, Vasyl Kaigorodov 		no flags Details
0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch (1.20 KB, text/plain)
2014-11-27 10:33 EST, Vasyl Kaigorodov 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1982 normal SHIPPED_LIVE Important: xorg-x11-server security update 2014-12-11 17:34:45 EST
Red Hat Product Errata RHSA-2014:1983 normal SHIPPED_LIVE Important: xorg-x11-server security update 2014-12-11 19:41:58 EST

  None (edit)
Description Vasyl Kaigorodov 2014-11-27 10:30:42 EST 
Various GLX extension functions calls do not check that their calculations for how much memory
is needed to handle the client's request have not overflowed, so can
result in out of bounds reads or writes.  These calls all occur only
after a client has successfully authenticated itself.

Affected functions:
 __glXDisp_ReadPixels()
 __glXDispSwap_ReadPixels()
 __glXDisp_GetTexImage()
 __glXDispSwap_GetTexImage()
 GetSeparableFilter()
 GetConvolutionFilter()
 GetHistogram()
 GetMinmax()
 GetColorTable()
 Map2Size()
 __glXGetAnswerBuffer()
 __GLX_GET_ANSWER_BUFFER()
 __glXMap1dReqSize()
 __glXMap1fReqSize()
 __glXMap2dReqSize()
 __glXMap2fReqSize()
 __glXImageSize()
 __glXSeparableFilter2DReqSize()

Originally developed by SGI and licensed to multiple vendors
prior to SGI open sourcing the code in 1999.
Included in XFree86 releases starting in XFree86 4.0 (2000).
Included in X.Org releases starting in X11R6.7 (2004).
Comment 1 Vasyl Kaigorodov 2014-11-27 10:33:08 EST 
Created attachment 962120 [details]
0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch
Comment 2 Vasyl Kaigorodov 2014-11-27 10:33:11 EST 
Created attachment 962121 [details]
0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch
Comment 3 Vasyl Kaigorodov 2014-11-27 10:33:13 EST 
Created attachment 962122 [details]
0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch
Comment 4 Vasyl Kaigorodov 2014-11-27 10:33:16 EST 
Created attachment 962123 [details]
0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch
Comment 5 Vasyl Kaigorodov 2014-11-27 10:33:18 EST 
Created attachment 962124 [details]
0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch
Comment 6 Vasyl Kaigorodov 2014-11-27 10:33:21 EST 
Created attachment 962125 [details]
0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch
Comment 7 Vasyl Kaigorodov 2014-11-27 10:40:24 EST 
Created attachment 962127 [details]
0006-dri2_integer_overflow_in_ProcDRI2GetBuffers_CVE-2014-8094.patch
Comment 8 Huzaifa S. Sidhpurwala 2014-12-05 00:38:10 EST 
Classical case of integer overflow and then malloc, resulting in authenticated-client controlled data being copied beyond buffer bounds. This time in GLX extension.
Comment 11 Vincent Danen 2014-12-09 15:17:43 EST 
External References:

http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
Comment 12 errata-xmlrpc 2014-12-11 12:35:04 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html
Comment 13 errata-xmlrpc 2014-12-11 14:42:19 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.