Bug 927220 (CVE-2013-7439) - VUL-0: CVE-2013-7439 : libX11,xorg-x11-libX11: buffer overflow in MakeBigReq macro
Summary: VUL-0: CVE-2013-7439 : libX11,xorg-x11-libX11: buffer overflow in MakeBigReq ...
Status: RESOLVED FIXED
Alias: CVE-2013-7439
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Deadline: 2015-07-10
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/115638/
Whiteboard: maint:running:61607:moderate maint:re...
Keywords:
Depends on:
Blocks: 927126
Reported: 2015-04-15 08:26 UTC by Andreas Stieger
Modified: 2018-04-11 14:41 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Andreas Stieger 2015-04-15 08:26:42 UTC
http://lists.x.org/archives/xorg-announce/2015-April/002561.html

X.Org Security Advisory:  April 14, 2015
Buffer overflow in MakeBigReq macro in libX11 prior to 1.6 [CVE-2013-7439]
==========================================================================

Description:
============

It's been brought to X.Org's attention that this commit:

http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d

which was included in libX11 1.5.99.901 (1.6 RC1) and later releases fixed 
an issue which may be exploitable when X clients are rendering untrusted 
content, such as in web browsers.

Mitre has thus issued CVE-2013-7439 for tracking this vulnerability.
Further discussion is available in the oss-security thread starting at 
http://seclists.org/oss-sec/2015/q2/73 .

Note that as this affects a macro in a header file, all software using this
macro will need to be recompiled for the fix to take effect.  Since the
Xlibint.h header provides access to the internals of libX11, it should
not be directly accessed by most clients, but nearly all of the Xlib-based
extension libraries are affected, as are some third-party client libraries
and programs that have ill-advisedly relied on libX11 internals.

X.Org software known to use these macros includes:

        libXext
        libXfixes
        libXi
        libXp
        libXrandr
        libXrender
        libXv
        libXxf86misc
        xf86-video-vmware

Some uses of the macros in other software may be found at:
        http://codesearch.debian.net/results/SetReqLen
        http://codesearch.debian.net/results/MakeBigReq
but of course, only a search of your own code base will be exhaustive.

Affected Versions
=================

The off-by-one-word error in the amount of memory to copy was introduced
in the original integration of the BigRequests extension for X11R6.0:
http://cgit.freedesktop.org/~alanc/xc-historical/commit/?id=57ae039acec35ee7df4bc3f3c02abd957780b026
thus X.Org believes all versions of X11R6.x are affected, as are all versions
of the standalone libX11 prior to the libX11 1.6.0 release in June 2013.

Fixes
=====

As noted above, the fix is already available in this libX11 git commit:
        39547d600a13713e15429f49768e54c3173c828d
which is also included in libX11 1.6.0 and later module releases from X.Org,
however, for the fix to be effective, all software which references the
MakeBigReq() or SetReqLen() macros from Xlibint.h must be recompiled with
the new header.

--
        -Alan Coopersmith-              alan.coopersmith at oracle.com
          X.Org Security Response Team - xorg-security at lists.x.org
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1209943
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7439
http://seclists.org/oss-sec/2015/q2/81
http://www.debian.org/security/2015/dsa-3224
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7439.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7439
http://www.heise.de/newsticker/meldung/Alte-Xorg-Luecke-bedroht-haufenweise-Drittsoftware-2606536.html
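The off-by-one-word error the advisory describes, as an added example that is not the advisory's or libX11's code: a simplified model of the MakeBigReq logic, reconstructed from memory of Xlibint.h (so the pre-1.6 byte count `_BRlen << 2` and the 1.6 count `(_BRlen - 1) << 2` are assumptions, and the model passes the length field as a parameter and omits zeroing it). A guard word placed right after a request that ends exactly at the buffer's end makes the extra copied word observable, which is the alignment condition the freedesktop bug quoted later in this report names as the trigger.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD 0xDEADBEEFu   /* constructed value standing in for memory past the buffer */

/* Model of the macro body. req: the request as 32-bit words; req_length: its 16-bit
 * length field, in 4-byte words (the real macro reads req->length); n: words the
 * caller will append afterwards. fixed == 0 copies _BRlen words (assumed pre-1.6
 * count), fixed == 1 copies _BRlen - 1 words (assumed libX11 1.6 count). Returns the
 * saved last word, which the real macro hands to Data32() to send after the body. */
static uint32_t make_big_req(uint32_t *req, uint32_t req_length, uint32_t n, int fixed)
{
    uint32_t brlen = req_length - 1;              /* _BRlen: words after the header */
    uint32_t brdat = req[brlen];                  /* _BRdat: last word, sent separately */
    size_t bytes = (size_t)(fixed ? brlen - 1 : brlen) << 2;
    memmove(req + 2, req + 1, bytes);             /* shift the body right by one word */
    req[1] = brlen + n + 2;                       /* BIG-REQUESTS extended length word */
    return brdat;
}

/* A 4-word request (constructed sample values) placed at the very end of a model
 * output buffer; words[4] is the first word beyond it. Returns 1 if that word
 * survives, 0 if the copy ran into it, -1 if the header, extended length or saved
 * word came out wrong (both variants should get those right). */
static int guard_intact(int fixed)
{
    uint32_t words[5] = { 0x00000401u, 0x11111111u, 0x22222222u, 0x33333333u, GUARD };
    uint32_t saved = make_big_req(words, 4, 1, fixed);
    /* expected extended length: 4 original words + 1 extension word + n (1) = 6 */
    if (saved != 0x33333333u || words[0] != 0x00000401u || words[1] != 6)
        return -1;
    return words[4] == GUARD;
}

int main(void)
{
    printf("pre-1.6 count: word past the buffer %s\n",
           guard_intact(0) == 1 ? "intact" : "CLOBBERED");
    printf("1.6 count:     word past the buffer %s\n",
           guard_intact(1) == 1 ? "intact" : "CLOBBERED");
    return 0;
}
```

Because the count lives in a header macro, every library and program that expanded it carries its own copy of the wrong count, which is why the advisory requires recompiling the extension libraries rather than just updating libX11.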
Comment 1 Andreas Stieger 2015-04-15 08:41:47 UTC
SLE 12 GA libX11 1.6.2 not affected. Version is newer, code lines are fixed.
As all of SLE 12 GA was built with this, it is not affected with other packages.
Comment 2 Andreas Stieger 2015-04-15 09:01:13 UTC
SLE 11 xorg-x11-libX11 7.5 (libX11 1.1.5) affected.

Checking dependent packages for potential use of header macros, as they would need to be included as rebuilt packages in update as well.
Comment 3 Andreas Stieger 2015-04-15 09:03:45 UTC
openSUSE 13.2 libX11 1.6.2 not affected.
openSUSE 13.1 libX11 1.6.2 not affected.
Comment 4 Stefan Dirsch 2015-04-15 12:25:15 UTC
SLE11: 

packages to be fixed: 
- xorg-x11-libX11

packages to be rebuilt and released as well:
- xorg-x11-libXext
- xorg-x11-libXfixes
- xorg-x11-libs (libXi, libXrandr, libXxf86misc)
- xorg-x11-libXp
- xorg-x11-libXrender
- xorg-x11-libXv
- xorg-x11-driver-video (xf86-video-vmware)
Comment 5 Stefan Dirsch 2015-04-15 12:27:17 UTC
SLE10:

packages to be fixed and rebuilt:
- xorg-x11
Comment 7 Swamp Workflow Management 2015-04-15 22:00:14 UTC
bugbot adjusting priority
Comment 9 Stefan Dirsch 2015-04-16 08:18:53 UTC
Andreas, I need to add that I've only mentioned the affected packages coming from X.Org. 

I would prefer to leave it up to you/security team to extract any package source of sle <= 11 to grep for the usage of the affected macros.
Comment 10 Andreas Stieger 2015-04-17 12:54:50 UTC
(In reply to Stefan Dirsch from comment #9)
> Andreas, I need to add that I've only mentioned the affected packages coming
> from X.Org. 
> 
> I would prefer to leave it up to you/security team to extract any package
> source of sle <= 11 to grep for the usage of the affected macros.

My analysis is as follows:

SLE 11: 

packages to be fixed: 
- xorg-x11-libX11

packages to be rebuilt and released as well:
- xorg-x11-libXext
- xorg-x11-libXfixes
- xorg-x11-libs (libXi, libXrandr, libXxf86misc)
- xorg-x11-libXp
- xorg-x11-libXrender
- xorg-x11-libXv
- xorg-x11-driver-video (xf86-video-vmware)
- SDL


SLE 10:

packages to be fixed: 
- xorg-x11 

packages to be rebuilt and released as well:
- SDL
Comment 11 Stefan Dirsch 2015-04-20 09:57:00 UTC
sle11-sp3: SR#55684
sle11-sp4: SR#55688
sle11-sp1: SR#55686
sle10-sp4: SR#55690
Comment 13 Swamp Workflow Management 2015-04-24 09:16:38 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-05-22.
https://swamp.suse.de/webswamp/wf/61607
Comment 16 Swamp Workflow Management 2015-06-26 08:03:51 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62128
Comment 17 Stefan Dirsch 2015-06-26 12:15:15 UTC
sle10:sp3: SR#61154 (for Teradata customer)
Comment 19 Viktor Kijasev 2015-07-16 08:47:26 UTC
Hello Andreas, Stefan

Here the guy has the reproducer:

https://bugs.freedesktop.org/show_bug.cgi?id=56508

" Peter Hutterer 2013-02-18 01:19:30 UTC

Confirmed and I have a reliable reproducer here. Requirement for the overrun is that the fixed-length bit of the request is aligned at the end of the dpy buffer."

Can we have the reproducer as well?
Comment 20 Andreas Stieger 2015-07-16 08:53:39 UTC
(In reply to Viktor Kijasev from comment #19)
> Here the guy has the reproducer:
> 
> https://bugs.freedesktop.org/show_bug.cgi?id=56508
> 
> " Peter Hutterer 2013-02-18 01:19:30 UTC
> 
> Confirmed and I have a reliable reproducer here. Requirement for the overrun
> is that the fixed-length bit of the request is aligned at the end of the dpy
> buffer."
> 
> Can we have the reproducer as well?

We do not have it.
Comment 21 Viktor Kijasev 2015-07-20 05:50:23 UTC
Reproducer from Peter Hutterer:

it's part of the XIT here:
http://cgit.freedesktop.org/xorg/test/xorg-integration-tests/tree/tests/lib/libX11.cpp#n59
Comment 22 Stefan Dirsch 2015-07-31 11:57:21 UTC
Viktor, xtest isn't easy to use. Please concentrate on regression tests instead.
Comment 23 Swamp Workflow Management 2015-08-03 09:09:20 UTC
SUSE-SU-2015:1334-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 927220
CVE References: CVE-2013-7439
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Server 11-SP3 (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Server 11-SP1-LTSS (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    xorg-x11-libX11-7.4-5.11.15.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-libX11-7.4-5.11.15.1
Comment 25 Sebastian Krahmer 2016-11-30 09:48:55 UTC
Can't this bug be closed as resolved?
Comment 26 Stefan Dirsch 2016-11-30 10:50:30 UTC
Well, I'm afraid maintenance/release team needs to decide, whether we want to rebuild affected packages and push them to our update repo. Some of the affected packages meanwhile have seen updates due to different security issues.
Comment 28 Marcus Meissner 2016-12-18 19:51:18 UTC
We meanwhile also pushed quite some of the other X packages, so we can consider this resolved.