Re: Request for review: xorg-server 2:1.7.7-18+deb6u2 (CVE-2015-0255)

To: debian-lts@lists.debian.org
Cc: Debian X Strike Force <debian-x@lists.debian.org>
Subject: Re: Request for review: xorg-server 2:1.7.7-18+deb6u2 (CVE-2015-0255)
From: Mike Gabriel <sunweaver@debian.org>
Date: Wed, 22 Apr 2015 12:49:06 +0000
Message-id: <[🔎] 20150422124906.Horde.eSLGV2feDy2xuiKh1r2Msw1@mail.das-netzwerkteam.de>
In-reply-to: <[🔎] 20150422123140.Horde.3WZ6BfzrCVM5awA3wMTmjw1@mail.das-netzwerkteam.de>

Hi again...

On  Mi 22 Apr 2015 14:31:40 CEST, Mike Gabriel wrote:

Debdiff is attached to this mail. The .dsc file can be obtained via [1].


and here comes the missing .debdiff...

Mike
--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

diff -u xorg-server-1.7.7/debian/changelog xorg-server-1.7.7/debian/changelog
--- xorg-server-1.7.7/debian/changelog
+++ xorg-server-1.7.7/debian/changelog
@@ -1,3 +1,12 @@
+xorg-server (2:1.7.7-18+deb6u2) squeeze-lts; urgency=high
+
+  * Non-maintainer upload by Debian LTS Team.
+  * debian/patches:
+    + Add 30-CVE-2015-0255.patch. Don't swap XkbSetGeometry data in the
+      input buffer, check strings length against request size (CVE-2015-0255).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Wed, 22 Apr 2015 11:45:21 +0200
+
 xorg-server (2:1.7.7-18+deb6u1) squeeze-lts; urgency=high
 
   * Non-maintainer upload by the Debian LTS Team.
diff -u xorg-server-1.7.7/debian/patches/series xorg-server-1.7.7/debian/patches/series
--- xorg-server-1.7.7/debian/patches/series
+++ xorg-server-1.7.7/debian/patches/series
@@ -58,0 +59 @@
+30-CVE-2015-0255.patch
only in patch2:
unchanged:
--- xorg-server-1.7.7.orig/debian/patches/30-CVE-2015-0255.patch
+++ xorg-server-1.7.7/debian/patches/30-CVE-2015-0255.patch
@@ -0,0 +1,175 @@
+Description: fix information leak and denial of service in XkbSetGeometry
+Origin: backport, http://cgit.freedesktop.org/xorg/xserver/commit/?id=81c90dc8f0aae3b65730409b1b615b5fa7280ebd
+Origin: backport, http://cgit.freedesktop.org/xorg/xserver/commit/?id=20079c36cf7d377938ca5478447d8b9045cb7d43
+
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4819,27 +4819,30 @@
+ 
+ /***====================================================================***/
+ 
+-static char *
+-_GetCountedString(char **wire_inout,Bool swap)
++static Status
++_GetCountedString(char **wire_inout,ClientPtr client, char **str)
+ {
+-char *	wire,*str;
+-CARD16	len,*plen;
++char    *wire,*next;
++CARD16	len;
+ 
+     wire= *wire_inout;
+-    plen= (CARD16 *)wire;
+-    if (swap) {
++    len = *(CARD16 *) wire;
++    if (client->swapped) {
+ 	register int n;
+-	swaps(plen,n);
+-    }
+-    len= *plen;
+-    str= xalloc(len+1);
+-    if (str) {
+-	memcpy(str,&wire[2],len);
+-	str[len]= '\0';
++	swaps(&len,n);
+     }
+-    wire+= XkbPaddedSize(len+2);
+-    *wire_inout= wire;
+-    return str;
++    next = wire + XkbPaddedSize(len + 2);
++    /* Check we're still within the size of the request */
++    if (client->req_len <
++	bytes_to_int32(next - (char *) client->requestBuffer))
++	return BadValue;
++    *str = malloc(len + 1);
++    if (!*str)
++	return BadAlloc;
++    memcpy(*str, &wire[2], len);
++    *(*str + len) = '\0';
++    *wire_inout = next;
++    return Success;
+ }
+ 
+ static Status
+@@ -4850,26 +4853,30 @@
+ {
+ char *			wire;
+ xkbDoodadWireDesc *	dWire;
++xkbAnyDoodadWireDesc	any;
++xkbTextDoodadWireDesc	text;
+ XkbDoodadPtr		doodad;
++Status			status;
+ 
+     dWire= (xkbDoodadWireDesc *)(*wire_inout);
++    any = dWire->any;
+     wire= (char *)&dWire[1];
+     if (client->swapped) {
+ 	register int n;
+-	swapl(&dWire->any.name,n);
+-	swaps(&dWire->any.top,n);
+-	swaps(&dWire->any.left,n);
+-	swaps(&dWire->any.angle,n);
++	swapl(&any.name,n);
++	swaps(&any.top,n);
++	swaps(&any.left,n);
++	swaps(&any.angle,n);
+     }
+     CHK_ATOM_ONLY(dWire->any.name);
+-    doodad= XkbAddGeomDoodad(geom,section,dWire->any.name);
++    doodad= XkbAddGeomDoodad(geom,section,any.name);
+     if (!doodad)
+ 	return BadAlloc;
+     doodad->any.type= dWire->any.type;
+     doodad->any.priority= dWire->any.priority;
+-    doodad->any.top= dWire->any.top;
+-    doodad->any.left= dWire->any.left;
+-    doodad->any.angle= dWire->any.angle;
++    doodad->any.top= any.top;
++    doodad->any.left= any.left;
++    doodad->any.angle= any.angle;
+     switch (doodad->any.type) {
+ 	case XkbOutlineDoodad:
+ 	case XkbSolidDoodad:
+@@ -4892,16 +4899,23 @@
+ 							dWire->text.colorNdx);
+ 		return BadMatch;
+ 	    }
++	    text = dWire->text;
+ 	    if (client->swapped) {
+ 		register int n;
+-		swaps(&dWire->text.width,n);
+-		swaps(&dWire->text.height,n);
++		swaps(&text.width,n);
++		swaps(&text.height,n);
+ 	    }
+-	    doodad->text.width= dWire->text.width;
+-	    doodad->text.height= dWire->text.height;
++	    doodad->text.width= text.width;
++	    doodad->text.height= text.height;
+ 	    doodad->text.color_ndx= dWire->text.colorNdx;
+-	    doodad->text.text= _GetCountedString(&wire,client->swapped);
+-	    doodad->text.font= _GetCountedString(&wire,client->swapped);
++	    status = _GetCountedString(&wire, client, &doodad->text.text);
++	    if (status != Success)
++	        return status;
++	    status = _GetCountedString(&wire, client, &doodad->text.font);
++	    if (status != Success) {
++	        free (doodad->text.text);
++	        return status;
++	    }
+ 	    break;
+ 	case XkbIndicatorDoodad:
+ 	    if (dWire->indicator.onColorNdx>=geom->num_colors) {
+@@ -4936,7 +4950,9 @@
+ 	    }
+ 	    doodad->logo.color_ndx= dWire->logo.colorNdx;
+ 	    doodad->logo.shape_ndx= dWire->logo.shapeNdx;
+-	    doodad->logo.logo_name= _GetCountedString(&wire,client->swapped);
++	    status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++	    if (status != Success)
++	        return status;
+ 	    break;
+ 	default:
+ 	    client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
+@@ -5171,18 +5187,20 @@
+ char *		wire;
+ 
+     wire= (char *)&req[1];
+-    geom->label_font= _GetCountedString(&wire,client->swapped);
++    status = _GetCountedString(&wire, client, &geom->label_font);
++    if (status != Success)
++	return status;
+ 
+     for (i=0;i<req->nProperties;i++) {
+ 	char *name,*val;
+-	name= _GetCountedString(&wire,client->swapped);
+-        if (!name)
+-            return BadAlloc;
+-	val= _GetCountedString(&wire,client->swapped);
+-        if (!val) {
++	status = _GetCountedString(&wire, client, &name);
++	if (status != Success)
++            return status;
++	status = _GetCountedString(&wire, client, &val);
++	if (status != Success) {
+             xfree(name);
+-            return BadAlloc;
+-        }
++            return status;
++	}
+ 	if (XkbAddGeomProperty(geom,name,val)==NULL) {
+             xfree(name);
+             xfree(val);
+@@ -5212,9 +5230,9 @@
+ 
+     for (i=0;i<req->nColors;i++) {
+ 	char *name;
+-	name= _GetCountedString(&wire,client->swapped);
+-	if (!name)
+-            return BadAlloc;
++        status = _GetCountedString(&wire, client, &name);
++        if (status != Success)
++            return status;
+         if (!XkbAddGeomColor(geom,name,geom->num_colors)) {
+             xfree(name);
+ 	    return BadAlloc;

Attachment: pgp5A2YWl6pni.pgp
Description: Digitale PGP-Signatur

Reply to:

References:
- Request for review: xorg-server 2:1.7.7-18+deb6u2 (CVE-2015-0255)
  - From: Mike Gabriel <sunweaver@debian.org>

Prev by Date: Request for review: xorg-server 2:1.7.7-18+deb6u2 (CVE-2015-0255)
Next by Date: Request for review xdg-utils 1.0.2+cvs20100307-2+deb6u1
Previous by thread: Request for review: xorg-server 2:1.7.7-18+deb6u2 (CVE-2015-0255)
Next by thread: Request for review xdg-utils 1.0.2+cvs20100307-2+deb6u1
Index(es):
- Date
- Thread