Bug 843652 (CVE-2013-4396) - VUL-0: CVE-2013-4396: xorg-x11-server: Use after free in Xserver handling of ImageText requests
Status: RESOLVED FIXED
Alias: CVE-2013-4396
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-04-25
Assignee: Stefan Dirsch
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:54824 maint:...
Keywords:
Depends on: 848302
Blocks: 876577
Reported: 2013-10-02 08:33 UTC by Marcus Meissner
Modified: 2014-06-11 07:40 UTC

Description Marcus Meissner 2013-10-02 08:33:54 UTC
via linux-distros, EMBARGOED, keep inside SUSE

CRD October 8th 2013

CVE-2013-4396

Dear Distro security teams,

X.Org plans to release the following security advisory and patch next
Tuesday, October 8.   While X.Org does not consider authenticated clients
killing the X server to be a denial of service, since they can do so via the
X protocol by design, in this case it was unclear if the memory corruption
involving a buffer containing data an attacker can control could lead to
a path in which the attacker could execute code, so we are going ahead
with the advisory release out of an abundance of caution.

As always, if you have any feedback, questions, or suggestions, please
let xorg-security@lists.x.org (our private security contact list) know.

In the meantime, can we get a CVE id assigned for this please?

        -Alan Coopersmith-              alan.coopersmith@oracle.com
          X.Org Security Response Team - xorg-security@lists.x.org

-------------------------------------------------------------------------------

X.Org Security Advisory:  October 8, 2013
Use after free in Xserver handling of ImageText requests
========================================================

Description:
============

Pedro Ribeiro (pedrib@gmail.com) reported an issue to the X.Org security
team in which an authenticated X client can cause an X server to use memory
after it was freed, potentially leading to crash and/or memory corruption.

Affected Versions
=================

This bug appears to have been introduced in RCS version 1.42 on 1993/09/18,
and is thus believed to be present in every X server release starting with
X11R6.0 up to the current xorg-server 1.14.3.  (Manual inspection shows it
is present in the sources from the X11R6 tarballs, but not in those from the
X11R5 tarballs.)

Fixes
=====

A fix is available via the attached patch, which is intended to be included
in xorg-server 1.15.0 and 1.14.4.

Thanks
======

X.Org thanks Pedro Ribeiro for reporting this issue to our security team at
xorg-security@lists.x.org.

-- 
        -Alan Coopersmith-              alan.coopersmith@oracle.com
          X.Org Security Response Team - xorg-security@lists.x.org
Comment 2 Swamp Workflow Management 2013-10-02 22:00:20 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-10-09 08:55:16 UTC
public
Comment 4 Stefan Dirsch 2013-10-15 13:50:39 UTC
factory: SR#203393
13.1:    SR#203394
Comment 5 Bernhard Wiedemann 2013-10-15 14:00:42 UTC
This is an autogenerated message for OBS integration:
This bug (843652) was mentioned in
https://build.opensuse.org/request/show/203393 Factory / xorg-x11-server
https://build.opensuse.org/request/show/203394 13.1 / xorg-x11-server
Comment 6 Swamp Workflow Management 2013-10-15 15:03:03 UTC
The SWAMPID for this issue is 54718.
This issue was rated as moderate.
Please submit fixed packages until 2013-10-29.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Marcus Meissner 2013-10-15 15:04:59 UTC
please also submit for old products, opensuses, sle11 sp1 (teradata), sp2, sp3,
sle10 sp3 (teradata)

include bug 816813 too into the update.
Comment 9 Stefan Dirsch 2013-10-21 13:06:22 UTC
12.2/12.3: SR#204149
Comment 11 Bernhard Wiedemann 2013-10-21 14:00:40 UTC
This is an autogenerated message for OBS integration:
This bug (843652) was mentioned in
https://build.opensuse.org/request/show/204149 12.2+12.3 / xorg-x11-server
Comment 13 Stefan Dirsch 2013-10-22 12:13:14 UTC
Ok. So no sle10-sp4. Thanks!
Comment 14 Stefan Dirsch 2013-10-22 12:19:29 UTC
sle11-sp3: SR#29010
sle11-sp2: SR#29011
Comment 16 Stefan Dirsch 2013-10-22 14:44:47 UTC
sle11-sp1: SR#29014
Comment 18 Stefan Dirsch 2013-10-22 16:14:03 UTC
sle10-sp3 (td): SR#29018
Comment 20 Stefan Dirsch 2013-10-23 13:27:51 UTC
sles9-sp3-teradata (td): SR#29032
Comment 23 Bernhard Wiedemann 2013-10-28 16:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (843652) was mentioned in
https://build.opensuse.org/request/show/205025 Maintenance /
Comment 24 Swamp Workflow Management 2013-10-30 10:05:26 UTC
openSUSE-SU-2013:1610-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 816813,843652
CVE References: CVE-2013-4396
Sources used:
openSUSE 12.3 (src):    xorg-x11-server-7.6_1.13.2-1.17.1
openSUSE 12.2 (src):    xorg-x11-server-7.6_1.12.3-1.37.1
Comment 25 Forgotten User 9PoxeohwoU 2013-10-30 15:58:43 UTC
I'm guessing the fix made available in openSUSE 12.3 (see comment#24) is the root cause of bug#848302.  After updating openSUSE 12.3 with this fix, various operations now crash the X session.
Comment 26 Swamp Workflow Management 2013-10-30 18:04:34 UTC
openSUSE-SU-2013:1614-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 816813,843652
CVE References: CVE-2013-4396
Sources used:
openSUSE 11.4 (src):    xorg-x11-server-7.6_1.9.3-15.44.1
Comment 27 Marcus Meissner 2013-10-31 07:58:53 UTC
Stefan, there might be a regression... see #c25 and bug 848302
Comment 28 Swamp Workflow Management 2013-11-18 13:14:02 UTC
Update released for: xorg-x11-Xvnc, xorg-x11-server, xorg-x11-server-debuginfo, xorg-x11-server-debugsource, xorg-x11-server-extra, xorg-x11-server-sdk
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 29 Swamp Workflow Management 2013-11-18 13:59:47 UTC
Update released for: xorg-x11-Xvnc, xorg-x11-server, xorg-x11-server-debuginfo, xorg-x11-server-debugsource, xorg-x11-server-extra, xorg-x11-server-sdk
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 30 Swamp Workflow Management 2013-11-18 14:04:21 UTC
Update released for: XFree86, XFree86-Mesa, XFree86-Mesa-devel, XFree86-Xnest, XFree86-Xprt, XFree86-Xvfb, XFree86-Xvnc, XFree86-devel, XFree86-doc, XFree86-driver-options, XFree86-fonts-100dpi, XFree86-fonts-75dpi, XFree86-fonts-cyrillic, XFree86-fonts-scalable, XFree86-fonts-syriac, XFree86-libs, XFree86-man, XFree86-server, XFree86-server-glx, km_drm
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 31 Swamp Workflow Management 2013-11-18 14:04:41 UTC
Update released for: xorg-x11-Xvnc, xorg-x11-server, xorg-x11-server-debuginfo, xorg-x11-server-debugsource, xorg-x11-server-extra, xorg-x11-server-sdk
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 32 Swamp Workflow Management 2013-11-18 14:05:02 UTC
Update released for: xorg-x11, xorg-x11-Xnest, xorg-x11-Xprt, xorg-x11-Xvfb, xorg-x11-Xvnc, xorg-x11-debuginfo, xorg-x11-devel, xorg-x11-devel-32bit, xorg-x11-doc, xorg-x11-driver-options, xorg-x11-fonts-100dpi, xorg-x11-fonts-75dpi, xorg-x11-fonts-cyrillic, xorg-x11-fonts-scalable, xorg-x11-fonts-syriac, xorg-x11-libs, xorg-x11-libs-32bit, xorg-x11-man, xorg-x11-sdk, xorg-x11-server, xorg-x11-server-glx
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 33 Stefan Dirsch 2014-01-31 15:12:42 UTC
This one somewhat got lost from my radar. :-( I would need a gdb backtrace here - with the xorg-x11-server-debug{info,source} packages installed.
Comment 34 Forgotten User 9PoxeohwoU 2014-01-31 15:17:44 UTC
Sorry, I won't be able to help with this now.  Perhaps one of the commenters on bug#848302 that can still dup this can.  The machine I had that had this problem has been replaced.  My new machine is running openSUSE 13.1 and does NOT exhibit this problem.  I'm not in a state where I can dup it any more.
Comment 36 Swamp Workflow Management 2014-04-11 13:31:20 UTC
The SWAMPID for this issue is 57000.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 44 Swamp Workflow Management 2014-06-02 16:27:19 UTC
Update released for: xorg-x11-Xvnc, xorg-x11-server, xorg-x11-server-debuginfo, xorg-x11-server-debugsource, xorg-x11-server-extra, xorg-x11-server-sdk
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 45 Swamp Workflow Management 2014-06-02 20:08:13 UTC
SUSE-SU-2014:0744-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 813178,813683,814653,816813,843652,853846
CVE References: CVE-2013-1940,CVE-2013-4396,CVE-2013-6424
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xorg-x11-server-7.4-27.40.70.1