Various GLX extension function calls do not check that their calculations of how much memory is needed to handle the client's request have not overflowed, so they can result in out-of-bounds reads or writes. These calls all occur only after a client has successfully authenticated itself.

Affected functions: __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(), __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(), GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(), GetMinmax(), GetColorTable(), Map2Size(), __glXGetAnswerBuffer(), __GLX_GET_ANSWER_BUFFER(), __glXMap1dReqSize(), __glXMap1fReqSize(), __glXMap2dReqSize(), __glXMap2fReqSize(), __glXImageSize(), __glXSeparableFilter2DReqSize()

The affected code was originally developed by SGI and licensed to multiple vendors prior to SGI open sourcing it in 1999. It has been included in XFree86 releases starting with XFree86 4.0 (2000) and in X.Org releases starting with X11R6.7 (2004).
Created attachment 962120: 0020-glx_Be_more_paranoid_about_variable-length_requests_CVE-2014-8093_1-6.patch
Created attachment 962121: 0021-glx_Be_more_strict_about_rejecting_invalid_image_sizes_CVE-2014-8093_2-6.patch
Created attachment 962122: 0022-glx_Additional_paranoia_in___glXGetAnswerBuffer_-___GLX_GET_ANSWER_BUFFER_(v2)_CVE-2014-8093_3-6.patch
Created attachment 962123: 0024-glx_Add_safe_add,mul,pad_v3_CVE-2014-8093_4-6.patch
Created attachment 962124: 0026-glx_Integer_overflow_protection_for_non-generated_render_requests_(v3)_CVE-2014-8093_5-6.patch
Created attachment 962125: 0033-glx_Fix_mask_truncation_in___glXGetAnswerBuffer_CVE-2014-8093_6-6.patch
Created attachment 962127: 0006-dri2_integer_overflow_in_ProcDRI2GetBuffers_CVE-2014-8094.patch
A classical case of integer overflow followed by malloc, resulting in authenticated-client-controlled data being copied beyond buffer bounds. This time in the GLX extension.
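As an added illustration of the pattern described in this bug (not code from the X server or from the attached patches): the unchecked width * height * bytes-per-pixel size computation beside overflow-checked helpers named after the safe_add/safe_mul/safe_pad functions in the patch titles. The helper implementations, the image-size formula and the 4-byte padding are assumptions made for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical overflow-checked helpers, named after the safe_add/safe_mul/
 * safe_pad functions in the patch titles; not the X server's own code.
 * Each returns -1 on overflow or negative input, otherwise the result. */
int safe_add(int a, int b)
{
    if (a < 0 || b < 0 || b > INT_MAX - a)
        return -1;
    return a + b;
}

int safe_mul(int a, int b)
{
    if (a < 0 || b < 0 || (a != 0 && b > INT_MAX / a))
        return -1;
    return a * b;
}

/* Round up to a multiple of 4 (assumed padding of GLX reply buffers). */
int safe_pad(int a)
{
    if (a < 0)
        return -1;
    return safe_add(a, (4 - (a & 3)) & 3);
}

/* The unchecked pattern: the product wraps silently (computed in uint32_t
 * here so the wrap is well-defined), so a huge client-supplied image size
 * turns into a tiny allocation that the later copy overruns. */
uint32_t naive_image_size(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* The checked version: an overflow anywhere in the chain propagates as -1,
 * and the request must then be rejected instead of served. */
int checked_image_size(int w, int h, int bpp)
{
    return safe_pad(safe_mul(safe_mul(w, h), bpp));
}

int main(void)
{
    printf("naive   65536x65536x4 -> %u bytes\n", naive_image_size(65536, 65536, 4));
    printf("checked 65536x65536x4 -> %d (reject)\n", checked_image_size(65536, 65536, 4));
    printf("checked 640x480x4     -> %d bytes\n", checked_image_size(640, 480, 4));
    return 0;
}
```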
External References: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2014:1982: https://rhn.redhat.com/errata/RHSA-2014-1982.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 6, via RHSA-2014:1983: https://rhn.redhat.com/errata/RHSA-2014-1983.html