Re: Fixing CVE-2013-4396 in squeeze-backports
- To: Debian X Strike Force <debian-x@lists.debian.org>
- Subject: Re: Fixing CVE-2013-4396 in squeeze-backports
- From: intrigeri <intrigeri@debian.org>
- Date: Mon, 02 Dec 2013 12:38:26 +0100
- Message-id: <[🔎] 854n6rmqj1.fsf@boum.org>
- In-reply-to: <20131023200213.GM4002@betterave.cristau.org> (Julien Cristau's message of "Wed, 23 Oct 2013 22:02:13 +0200")
- References: <85d2mwpgx0.fsf@boum.org> <20131023200213.GM4002@betterave.cristau.org>
Hi,
Julien Cristau wrote (23 Oct 2013 20:02:13 GMT) :
> On Wed, Oct 23, 2013 at 09:47:39 +0200, intrigeri wrote:
>> do you have any plans to fix CVE-2013-4396 in squeeze-backports?
>> (Rationale: Tails ships Xorg from squeeze-backports.)
>>
>> If you don't, may I assume that the following would work:
>>
>> 1. set up a Squeeze + backports chroot
>> 2. retrieve the xorg-server source package from squeeze-backports
>> 3. add the patch that was applied in the Wheezy security update
>> 4. build in the aforementioned chroot
>>
>> ?
>>
> That should work. I think either the squeeze or the wheezy patch should
> apply just fine, modulo whitespace.
I did it, and the resulting packages seem to work fine (I've tested
xserver-common and xserver-xorg-core in a live Squeeze + X from
squeeze-backports system). I did not try to exploit the CVE and see if
it is really fixed, though.
Anyone willing to ACK the attached commits and push them to the
debian-squeeze-backports branch, before I upload to the archive?
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
>From 2dffdefa2ff8ca90fb108581162075f5d8c4e0da Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@debian.org>
Date: Mon, 2 Dec 2013 11:08:20 +0000
Subject: [PATCH 1/2] Add 14_CVE-2013-4396.diff to fix CVE-2013-4396
(DSA-2784-1).
---
debian/patches/14_CVE-2013-4396.diff | 73 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 74 insertions(+)
create mode 100644 debian/patches/14_CVE-2013-4396.diff
diff --git a/debian/patches/14_CVE-2013-4396.diff b/debian/patches/14_CVE-2013-4396.diff
new file mode 100644
index 0000000..eed6dae
--- /dev/null
+++ b/debian/patches/14_CVE-2013-4396.diff
@@ -0,0 +1,73 @@
+From 73b2660d7273d175d279d22f8ca0c3932a14ff1c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Tue, 17 Sep 2013 04:47:16 +0000
+Subject: Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396]
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index fbac124..62feaed 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1479,6 +1479,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1491,6 +1492,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+@@ -1498,6 +1500,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!data)
+ {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1509,6 +1512,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1522,6 +1526,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 2e0f947..0308bc8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,4 +4,5 @@
02_Add-libnettle-as-option-for-sha1.diff
07-xfree86-fix-build-with-xv-disabled.diff
#13_debian_add_xkbpath_env_variable.diff
+14_CVE-2013-4396.diff
15-nouveau.diff
--
1.8.5
>From 87ab5736bf997fab5c26471a61c2a68188f722e4 Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@debian.org>
Date: Mon, 2 Dec 2013 10:32:40 +0000
Subject: [PATCH 2/2] Upload to squeeze-backports.
---
debian/changelog | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d61d908..15be2b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.10.4-1~bpo60+2) squeeze-backports; urgency=low
+
+ * Add 14_CVE-2013-4396.diff to fix CVE-2013-4396 (DSA-2784-1).
+
+ -- intrigeri <intrigeri@debian.org> Mon, 02 Dec 2013 11:30:11 +0100
+
xorg-server (2:1.10.4-1~bpo60+1) squeeze-backports; urgency=low
* Rebuild for squeeze-backports.
--
1.8.5
Reply to: