Bug 928520 (CVE-2015-3418) - VUL-1: CVE-2015-3418: Xserver: PutImage crashes Server when called with 0 height (Regression introduced by CVE-2014-8092)
Status: RESOLVED FIXED
Duplicates: 841777
Alias: CVE-2015-3418
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Deadline: 2015-06-08
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle10-sp3:61807
 
Reported: 2015-04-24 11:01 UTC by Egbert Eich
Modified: 2015-11-13 08:51 UTC



Attachments
Fix (1.19 KB, patch)
2015-04-24 13:13 UTC, Egbert Eich

Description Egbert Eich 2015-04-24 11:01:04 UTC
Gwenview crashes the Xserver with SIGFPE when maximizing/resizing an image.

Reason is that PutImage() is called with 0 height.

Culprit is this code snippet in ProcPutImage():

    if (lengthProto >= (INT32_MAX / stuff->height))
        return BadLength;

Fix: test for 0 dimensions and bail early.

Issue was introduced with the fix for CVE-2014-8092
Fixed upstream with commit dc777c346d5d452a53b13b917c45f6a1bad2f20b


Affected: SLE11 SP1/2/3/4, SLE12, SLE10-SP3
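
The check quoted in the description, next to a zero-guarded form, as a stand-alone C comparison. This is an added example, not the upstream patch or X server source; the function names are hypothetical, and accepting a zero-height request as a no-op is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* X protocol status codes, values as defined in X.h. */
#define Success   0
#define BadLength 16

/* Check as quoted in the report. The division protects the later
 * lengthProto * height product from overflowing, but height == 0
 * makes the division itself trap (SIGFPE on x86). */
int check_put_image_unguarded(long lengthProto, uint16_t height)
{
    if (lengthProto >= (INT32_MAX / height))
        return BadLength;
    return Success;
}

/* Guarded form (assumption: zero height is accepted as a no-op).
 * With no rows there is no product to overflow, so the division
 * is skipped instead of being evaluated with a zero divisor. */
int check_put_image_guarded(long lengthProto, uint16_t height)
{
    if (height == 0)
        return Success;
    if (lengthProto >= (INT32_MAX / height))
        return BadLength;
    return Success;
}

int main(void)
{
    /* Constructed sample requests: {bytes per row, height}. */
    const struct { long len; uint16_t h; } reqs[] = {
        { 1024, 768 }, { 32767, 65535 }, { 32768, 65535 }, { 4, 0 },
    };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        int rc = check_put_image_guarded(reqs[i].len, reqs[i].h);
        printf("len=%ld height=%u -> %s\n", reqs[i].len,
               (unsigned)reqs[i].h, rc == Success ? "Success" : "BadLength");
        /* The unguarded check is only safe to call for height != 0. */
        if (reqs[i].h != 0 &&
            check_put_image_unguarded(reqs[i].len, reqs[i].h) != rc)
            return 1;
    }
    return 0;
}
```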
Comment 1 Marcus Meissner 2015-04-24 12:56:24 UTC
Did this also get a CVE? Do you know?
Comment 3 Egbert Eich 2015-04-24 12:58:03 UTC
(In reply to Marcus Meissner from comment #1)
> did this also get a CVE? do you know?

No. It was just committed upstream.
Comment 4 Marcus Meissner 2015-04-24 13:11:08 UTC
http://cgit.freedesktop.org/xorg/xserver/commit/?id=dc777c346d5d452a53b13b917c45f6a1bad2f20b

is from January 2015.

Do not use "mr", use "sr" in the subdirectories.
Comment 5 Egbert Eich 2015-04-24 13:13:19 UTC
Created attachment 632315
Fix

Upstream fix.
Comment 6 Egbert Eich 2015-04-24 13:13:42 UTC
For SP4: SR#56230
Comment 8 Egbert Eich 2015-04-24 14:34:15 UTC
SLE11 SP1: SR#56238
SLE11 SP3: SR#56240
SLE12:     SR#56242
Comment 10 Egbert Eich 2015-04-24 15:35:25 UTC
SLE10-SP3: SR#56260
Comment 12 Egbert Eich 2015-04-25 05:41:42 UTC
This one is fixed.
Comment 13 Marcus Meissner 2015-04-25 14:18:45 UTC
CVE-2015-3418 for tracking
Comment 14 Swamp Workflow Management 2015-04-25 22:00:15 UTC
bugbot adjusting priority
Comment 15 Marcus Meissner 2015-04-28 13:36:10 UTC
Could you add the CVEs to the changes files if possible?
Comment 16 Egbert Eich 2015-04-28 14:29:41 UTC
Now with CVE number in changes file and fixed license string:

SLE12:     SR#56588
SLE11 SP3: SR#56586
SLE11 SP1: SR#56584
SLE10 SP3: SR#56580
Comment 19 Swamp Workflow Management 2015-05-25 21:03:45 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61797
Comment 22 Swamp Workflow Management 2015-06-10 12:05:23 UTC
SUSE-SU-2015:1025-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 928520
CVE References: CVE-2015-3418
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xorg-x11-server-7.4-27.105.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    xorg-x11-server-7.4-27.105.1
SUSE Linux Enterprise Server 11 SP3 (src):    xorg-x11-server-7.4-27.105.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xorg-x11-server-7.4-27.105.1
Comment 23 Swamp Workflow Management 2015-06-23 16:05:59 UTC
SUSE-SU-2015:1127-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 923229,925019,925021,925022,928520
CVE References: CVE-2014-8092,CVE-2015-3418
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xorg-x11-server-7.6_1.15.2-28.4
SUSE Linux Enterprise Server 12 (src):    xorg-x11-server-7.6_1.15.2-28.4
SUSE Linux Enterprise Desktop 12 (src):    xorg-x11-server-7.6_1.15.2-28.4
Comment 24 Victor Pereira 2015-06-23 16:24:54 UTC
Fixed and released.
Comment 25 Egbert Eich 2015-11-11 09:30:51 UTC
Related openSUSE ticket: boo#928513
Comment 26 Egbert Eich 2015-11-13 08:51:05 UTC
*** Bug 841777 has been marked as a duplicate of this bug. ***