Bug 1168688 (CVE-2014-8093) - CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests when calculating memory needs for requests
Summary: CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests whe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8093
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1170916 1170917 1170918 1170919 1170932
Blocks: 1168310
TreeView+ depends on / blocked
 
Reported: 2014-11-27 15:30 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:57 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-12-11 20:56:22 UTC
Embargoed:


Attachments (Terms of Use)
0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch (1.87 KB, text/plain)
2014-11-27 15:33 UTC, Vasyl Kaigorodov
no flags Details
0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch (6.16 KB, text/plain)
2014-11-27 15:33 UTC, Vasyl Kaigorodov
no flags Details
0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch (2.05 KB, text/plain)
2014-11-27 15:33 UTC, Vasyl Kaigorodov
no flags Details
0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch (2.14 KB, text/plain)
2014-11-27 15:33 UTC, Vasyl Kaigorodov
no flags Details
0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch (6.58 KB, text/plain)
2014-11-27 15:33 UTC, Vasyl Kaigorodov
no flags Details
0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch (1.20 KB, text/plain)
2014-11-27 15:33 UTC, Vasyl Kaigorodov
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1982 0 normal SHIPPED_LIVE Important: xorg-x11-server security update 2014-12-11 22:34:45 UTC
Red Hat Product Errata RHSA-2014:1983 0 normal SHIPPED_LIVE Important: xorg-x11-server security update 2014-12-12 00:41:58 UTC

Description Vasyl Kaigorodov 2014-11-27 15:30:42 UTC
Various GLX extension functions calls do not check that their calculations for how much memory
is needed to handle the client's request have not overflowed, so can
result in out of bounds reads or writes.  These calls all occur only
after a client has successfully authenticated itself.

Affected functions:
 __glXDisp_ReadPixels()
 __glXDispSwap_ReadPixels()
 __glXDisp_GetTexImage()
 __glXDispSwap_GetTexImage()
 GetSeparableFilter()
 GetConvolutionFilter()
 GetHistogram()
 GetMinmax()
 GetColorTable()
 Map2Size()
 __glXGetAnswerBuffer()
 __GLX_GET_ANSWER_BUFFER()
 __glXMap1dReqSize()
 __glXMap1fReqSize()
 __glXMap2dReqSize()
 __glXMap2fReqSize()
 __glXImageSize()
 __glXSeparableFilter2DReqSize()

Originally developed by SGI and licensed to multiple vendors
prior to SGI open sourcing the code in 1999.
Included in XFree86 releases starting in XFree86 4.0 (2000).
Included in X.Org releases starting in X11R6.7 (2004).

Comment 1 Vasyl Kaigorodov 2014-11-27 15:33:08 UTC
Created attachment 962120 [details]
0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch

Comment 2 Vasyl Kaigorodov 2014-11-27 15:33:11 UTC
Created attachment 962121 [details]
0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch

Comment 3 Vasyl Kaigorodov 2014-11-27 15:33:13 UTC
Created attachment 962122 [details]
0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch

Comment 4 Vasyl Kaigorodov 2014-11-27 15:33:16 UTC
Created attachment 962123 [details]
0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch

Comment 5 Vasyl Kaigorodov 2014-11-27 15:33:18 UTC
Created attachment 962124 [details]
0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch

Comment 6 Vasyl Kaigorodov 2014-11-27 15:33:21 UTC
Created attachment 962125 [details]
0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch

Comment 7 Vasyl Kaigorodov 2014-11-27 15:40:24 UTC
Created attachment 962127 [details]
0006-dri2_integer_overflow_in_ProcDRI2GetBuffers_CVE-2014-8094.patch

Comment 8 Huzaifa S. Sidhpurwala 2014-12-05 05:38:10 UTC
Classical case of integer overflow and then malloc, resulting in authenticated-client controlled data being copied beyond buffer bounds. This time in GLX extension.

Comment 11 Vincent Danen 2014-12-09 20:17:43 UTC
External References:

http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

Comment 12 errata-xmlrpc 2014-12-11 17:35:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html

Comment 13 errata-xmlrpc 2014-12-11 19:42:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html


Note You need to log in before you can comment on or make changes to this bug.