Bug 168264 - CAN-2005-0605, CAN-2005-2495 XFree86/Xorg - libXpm & other multiple integer overflows
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: XFree86
Assigned To: Fedora Legacy Bugs
LEGACY, rh73, rh90, 1, 2
Keywords: Security
Duplicates: 153990
Reported: 2005-09-14 02:30 EDT by David Eisenstein
Modified: 2007-04-18 13:31 EDT
Last Closed: 2006-03-07 18:31:16 EST
Description David Eisenstein 2005-09-14 02:30:31 EDT
+++ This bug was initially created as a clone of Bug #166857 +++

https://bugs.freedesktop.org/show_bug.cgi?id=594

Quoting Josh Bressers from Bug #166856: "What is going on here is that an X
client is trying to allocate a pixmap of size 9GB. Because of an integer
overflow this is not caught and instead a pixmap of size 1GB is allocated.
When the client then tries to access the pixmap we get a server crash.

"This seems exploitable to me: a client could allocate a pixmap of size
4GB + 4byte, causing the server to allocate just 4 bytes. Then the client
could use XDrawPoint() and XGetImage() to read and write any location in
the X server address space. It could first use XGetImage to search
for the stack, then use XDrawPoint to rewrite it to return into another
pixmap the client allocated, thus getting the X server to execute arbitrary
code.

"This issue was discovered by Luke Hutchison, with the security implications
and patch found by Soeren Sandmann."

-- Additional comment from mjc@... on 2005-09-13 05:51 EST --
Public, removing embargo


References:
   CVE:  CAN-2005-2495
         https://bugs.freedesktop.org/show_bug.cgi?id=594
         Bug #166856, Bug #166857, Bug #166859

RHSA-2005-396  http://rhn.redhat.com/errata/RHSA-2005-396.html
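As an added illustration (not code from the X server, from libXpm, or from the patches in this bug): a constructed model of the pixmap byte-count arithmetic the quoted comment describes, beside the overflow-checked form a server should use before allocating. The function names and the PIXMAP_MAX_BYTES cap are hypothetical; width and height are taken as 16-bit values as in the X protocol's CreatePixmap request.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical server-side cap on one pixmap's backing store; the real
 * limit is implementation-specific. Chosen here so that anything which
 * would have wrapped in 32-bit arithmetic is rejected. */
#define PIXMAP_MAX_BYTES ((uint64_t)UINT32_MAX)

/* Unchecked byte count, modelling the vulnerable arithmetic: the product
 * wraps modulo 2^32, so a request for 9 GB yields 1 GB and a request for
 * 4 GB + 4 bytes yields 4. The server then backs a huge logical pixmap
 * with a tiny buffer, which is exactly the condition the comment above
 * describes. (Unsigned types are used so the wrap is well defined.) */
uint32_t pixmap_bytes_unchecked(uint16_t width, uint16_t height, uint32_t bpp)
{
    return (uint32_t)width * (uint32_t)height * bpp;
}

/* Checked byte count: reject degenerate inputs, widen to 64 bits before
 * multiplying (16 x 16 x 3 bits cannot overflow 64 bits), then refuse
 * anything above the cap. Returns 1 and stores the size on success,
 * 0 when the request must fail (the server would answer BadAlloc). */
int pixmap_bytes_checked(uint16_t width, uint16_t height, uint32_t bpp,
                         size_t *out)
{
    /* bytes per pixel: 1..4 covers depths up to 32 bits */
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4)
        return 0;

    uint64_t bytes = (uint64_t)width * (uint64_t)height * (uint64_t)bpp;
    if (bytes > PIXMAP_MAX_BYTES)
        return 0;   /* this is the case that silently wrapped above */

    *out = (size_t)bytes;
    return 1;
}
```

The checked version rejects both sizes quoted in the description (9 GB and 4 GB + 4 bytes) while still accepting ordinary pixmaps.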
Comment 1 David Eisenstein 2005-09-14 02:46:01 EDT
I am certain this affects Fedora Core 2 (which uses X.org), and believe this
vulnerability also affects FC1, Red Hat Linux 9, and Red Hat Linux 7.3.  There
are some tests available in Freedesktop.org's bug report that may allow users
of FC1, RH9, and RH7.3 to check their versions and see if/how they are affected.
Comment 2 Mike A. Harris 2005-09-27 22:24:38 EDT
Is Fedora Legacy project going to actually include this fix, or can
we just close the bug report "WONTFIX" with explanation to upgrade
to FC4?
Comment 3 David Eisenstein 2005-09-28 02:59:24 EDT
I am responding to comment 2's writer outside of Bugzilla, for now.
Comment 4 David Eisenstein 2005-09-29 10:21:09 EDT
Latest X sources likely affected by this security issue:

Distro     Size      Date         Source Package
------  ---------- ------------ -------------------------------------
RH7.3:    57964519 Feb 01  2005 XFree86-4.2.1-16.73.30.legacy.src.rpm
RH9:      66897306 Feb 02  2005 XFree86-4.3.0-2.90.60.legacy.src.rpm
FC1:      66897069 Feb 02  2005 XFree86-4.3.0-59.legacy.src.rpm
FC2:      54599063 Mar 29 16:50 xorg-x11-6.7.0-14.src.rpm

Red Hat has issued errata announcements that fix this issue:
   * RHSA-2005:501-01 for XFree86 (for RHEL3) XFree86-4.3.0-95.EL.src.rpm
      http://rhn.redhat.com/errata/RHSA-2005-501.html

   * RHSA-2005:396-01 for X.org (for RHEL4) xorg-x11-6.8.2-1.EL.13.16.src.rpm
      http://rhn.redhat.com/errata/RHSA-2005-396.html

   * FEDORA-2005-893 for X.org, updated by FEDORA-2005-914 (for FC3)
     xorg-x11-6.8.2-1.FC3.45.2.src.rpm
      http://www.redhat.com/archives/fedora-announce-list/2005-September/msg00085.html

   * FEDORA-2005-894 for X.org, updated by FEDORA-2005-904 (for FC4)
     xorg-x11-6.8.2-37.FC4.49.2.src.rpm
      http://www.redhat.com/archives/fedora-announce-list/2005-September/msg00077.html
Comment 5 David Eisenstein 2005-09-29 10:50:36 EDT
I am just now noticing Bug 153990 is open for the XFree86 issue CAN-2005-0605. 
Have suggested there that we close that bug as DUPLICATE of this bug so we can
proceed to work on XFree86/xorg bugs here.

Note that XFree86-4.3.0-81.EL.src.rpm (for RHEL3) was issued for CAN-2005-0605,
so XFree86-4.3.0-95.EL.src.rpm should contain fixes for both that CVE and for
CAN-2005-2495.  We may have to backport those fixes for Red Hat Linux 7.3.

Updating this bug's title to indicate the multiple CVEs to be worked on here.
Soon, I hope!  :-)
Comment 6 David Eisenstein 2005-09-29 11:38:21 EDT
Ah, RHSA-2005:501-01 XFree86-4.3.0-95.EL.src.rpm has been superseded by
    RHBA-2005:787-5  XFree86-4.3.0-97.EL.src.rpm.

    http://rhn.redhat.com/errata/RHBA-2005-787.html
Comment 7 Marc Deslauriers 2006-02-13 18:25:03 EST
Here are updated XFree86/xorg packages to QA:

Changelog:
* Sun Feb 12 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
4.2.1-16.73.31.legacy
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch.
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer
  overflows.

5d7e4958f28347292d249328e82f00260cda0c9f  7.3/XFree86-4.2.1-16.73.31.legacy.src.rpm
b7be065ec6e6f9006387b89b30b18c0b3a07972f  9/XFree86-4.3.0-2.90.61.legacy.src.rpm
2b8485c5a109e5d01759e2aadbe1f23ea751e89a  1/XFree86-4.3.0-60.legacy.src.rpm
0bc44a52286f25201379e386cda80dbabf664199  2/xorg-x11-6.7.0-14.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/XFree86-4.2.1-16.73.31.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/XFree86-4.3.0-2.90.61.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/XFree86-4.3.0-60.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/xorg-x11-6.7.0-14.1.legacy.src.rpm
Comment 8 Pekka Savola 2006-02-14 02:37:35 EST
QA w/ rpm-build-compare.sh:
 - source integrity OK
 - spec file changes minimal
 - patches verified to come from RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

5d7e4958f28347292d249328e82f00260cda0c9f  XFree86-4.2.1-16.73.31.legacy.src.rpm
b7be065ec6e6f9006387b89b30b18c0b3a07972f  XFree86-4.3.0-2.90.61.legacy.src.rpm
2b8485c5a109e5d01759e2aadbe1f23ea751e89a  XFree86-4.3.0-60.legacy.src.rpm
0bc44a52286f25201379e386cda80dbabf664199  xorg-x11-6.7.0-14.1.legacy.src.rpm
Comment 9 David Eisenstein 2006-02-16 00:17:11 EST
*** Bug 153990 has been marked as a duplicate of this bug. ***
Comment 10 Marc Deslauriers 2006-02-17 16:23:07 EST
Packages were pushed to updates-testing.
Comment 11 Pekka Savola 2006-03-04 00:53:46 EST
Timeout over.
Comment 12 Marc Deslauriers 2006-03-07 18:31:16 EST
Packages were released to updates.