Bug 915810 (CVE-2015-0255) - VUL-0: CVE-2015-0255: xorg-x11-server: Information leak in the XkbSetGeometry request of X servers
Status: RESOLVED FIXED
Alias: CVE-2015-0255
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Deadline: 2015-02-17
Assignee: Michal Srb
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:60607 maint:...
Reported: 2015-02-02 15:00 UTC by Johannes Segitz
Modified: 2016-04-27 19:20 UTC

Description Johannes Segitz 2015-02-02 15:00:53 UTC
Created attachment 621610
Patch for CVE-2015-0255

X.Org Security Advisory: Feb 17, 2015 - CVE-2015-0255
Information leak in the XkbSetGeometry request of X servers
===========================================================

Description:
============
Olivier Fourdan from Red Hat has discovered a protocol handling issue
in the way the X server code base handles the XkbSetGeometry request.

The issue stems from the server trusting the client to send valid
string lengths in the request data. A malicious client with string
lengths exceeding the request length can cause the server to copy
adjacent memory data into the XKB structs. This data is then available
to the client via the XkbGetGeometry request.
The data length is at least up to 64k; it is possible to obtain more
data by chaining strings, where each string length is then determined by
whatever happens to be in that 16-bit region of memory.

A similarly crafted request can likely cause the X server to crash.

This issue has been assigned CVE-2015-0255.

Affected Versions:
==================
This bug appears to have been introduced in X11R6.6 (March 1996) and
is thus believed to be present in every X server release since,
including the current stable release 1.16.3.

Fixes:
======
A fix is available via the attached patch, which is intended to be
included in xorg-server-1.16.4 and 1.17.0.

Thanks:
=======
The X.Org Foundation thanks Olivier for bringing this issue to our
attention and providing the fixes.
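
The missing length check described in the advisory above, as an added example that is not part of the advisory or the attached patch: a simplified counted-string reader in its unchecked and its bounds-checked form. The wire layout (16-bit length followed by the bytes, padded to 4), the function names and the sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PAD4(n) (((n) + 3u) & ~3u)  /* request data is padded to 4 bytes */
#define REQ_LEN 8                   /* bytes the client really sent */
/* Constructed sample: mem[0..8) is the request; the rest stands in for
 * server memory that follows it. Sized so any 16-bit length stays inside. */
static uint8_t mem[1 << 17];
static void build_sample(uint16_t claimed_len)
{
    memset(mem, 0, sizeof mem);
    memcpy(mem, &claimed_len, 2);                /* 16-bit length, host order */
    memcpy(mem + 2, "pc-104", 6);                /* the real 6-byte string */
    memcpy(mem + REQ_LEN, "ADJACENT-DATA", 13);  /* not part of the request */
}

/* Flawed pattern: the length is never compared with the request size. */
static char *read_unchecked(const uint8_t *wire)
{
    uint16_t len;
    memcpy(&len, wire, 2);
    char *s = calloc((size_t)len + 1, 1);
    if (s) memcpy(s, wire + 2, len);
    return s;
}

/* Hardened pattern: header and padded body must end at or before req_end. */
static char *read_checked(const uint8_t *wire, const uint8_t *req_end)
{
    uint16_t len;
    size_t avail = (size_t)(req_end - wire);
    if (avail < 2) return NULL;
    memcpy(&len, wire, 2);
    if (PAD4(2u + len) > avail) return NULL;     /* length exceeds request */
    char *s = calloc((size_t)len + 1, 1);
    if (s) memcpy(s, wire + 2, len);
    return s;
}

/* 1 if the reader returned bytes from beyond the request, 0 if it returned
 * only request bytes, -1 if it rejected the string (or allocation failed). */
int outcome(int checked, uint16_t claimed_len)
{
    build_sample(claimed_len);
    char *s = checked ? read_checked(mem, mem + REQ_LEN) : read_unchecked(mem);
    int r = !s ? -1 : strstr(s, "ADJACENT") != NULL;
    free(s);
    return r;
}
```

With a claimed length of 16 against an 8-byte request, the unchecked reader stores bytes that were never sent by the client, while the checked reader refuses the request before copying anything.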
Comment 2 Swamp Workflow Management 2015-02-02 23:00:22 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2015-02-03 10:05:31 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-02-17.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60516
Comment 21 Egbert Eich 2015-02-10 12:36:01 UTC
So let's assign this to the security team. We can worry about openSUSE when the embargo is lifted and there are no other things to do.
Comment 22 Johannes Segitz 2015-02-11 08:09:40 UTC
public: http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
Comment 23 Johannes Segitz 2015-02-12 09:43:52 UTC
is public, please fix openSUSE
Comment 25 Bernhard Wiedemann 2015-02-19 14:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (915810) was mentioned in
https://build.opensuse.org/request/show/286762 13.2 / xorg-x11-server
Comment 26 Swamp Workflow Management 2015-02-20 12:04:59 UTC
openSUSE-SU-2015:0337-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915810
CVE References: CVE-2015-0255
Sources used:
openSUSE 13.2 (src):    xorg-x11-server-7.6_1.16.1-9.1
openSUSE 13.1 (src):    xorg-x11-server-7.6_1.14.3.901-16.1
Comment 27 Swamp Workflow Management 2015-02-20 12:05:11 UTC
openSUSE-SU-2015:0338-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915810
CVE References: CVE-2015-0255
Sources used:
openSUSE 13.2 (src):    tigervnc-1.4.1-6.26.1
Comment 29 Swamp Workflow Management 2015-02-28 11:47:16 UTC
SUSE-SU-2015:0401-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915810
CVE References: CVE-2015-0255
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
Comment 30 Swamp Workflow Management 2015-02-28 11:47:29 UTC
SUSE-SU-2015:0400-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915810
CVE References: CVE-2015-0255
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
Comment 31 Swamp Workflow Management 2015-02-28 11:47:41 UTC
SUSE-SU-2015:0402-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915810
CVE References: CVE-2015-0255
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
Comment 32 Swamp Workflow Management 2015-02-28 11:48:28 UTC
SUSE-SU-2015:0403-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915810
CVE References: CVE-2015-0255
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
Comment 33 Swamp Workflow Management 2015-02-28 11:50:04 UTC
SUSE-SU-2015:0399-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915810
CVE References: CVE-2015-0255
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
Comment 34 Swamp Workflow Management 2015-02-28 11:52:00 UTC
SUSE-SU-2015:0398-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915810
CVE References: CVE-2015-0255
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-21.1
Comment 35 Marcus Meissner 2015-03-04 15:11:29 UTC
released
Comment 36 Swamp Workflow Management 2015-03-05 00:06:17 UTC
SUSE-SU-2015:0427-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 883051,915810
CVE References: CVE-2015-0255
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xorg-x11-server-7.4-27.103.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    xorg-x11-server-7.4-27.103.1
SUSE Linux Enterprise Server 11 SP3 (src):    xorg-x11-server-7.4-27.103.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xorg-x11-server-7.4-27.103.1
Comment 43 Swamp Workflow Management 2015-05-26 09:05:50 UTC
SUSE-SU-2015:0939-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 908738,911577,915782,915810,920969
CVE References: CVE-2015-0255
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    fltk-1.3.2-10.2
SUSE Linux Enterprise Server 12 (src):    fltk-1.3.2-10.2, tigervnc-1.4.1-32.1
SUSE Linux Enterprise Desktop 12 (src):    fltk-1.3.2-10.2, tigervnc-1.4.1-32.1
Comment 44 Bernhard Wiedemann 2015-07-16 07:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (915810) was mentioned in
https://build.opensuse.org/request/show/317024 42 / tigervnc