SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   X Vendors:   X.org
X Window Client Library Protocol Handling Flaws Let Remote Authenticated or Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1028590
SecurityTracker URL:  http://securitytracker.com/id/1028590
CVE Reference:   CVE-2013-1981, CVE-2013-1982, CVE-2013-1983, CVE-2013-1984, CVE-2013-1985, CVE-2013-1986, CVE-2013-1987, CVE-2013-1988, CVE-2013-1989, CVE-2013-1990, CVE-2013-1991, CVE-2013-1992, CVE-2013-1993, CVE-2013-1994, CVE-2013-1995, CVE-2013-1996, CVE-2013-1997, CVE-2013-1998, CVE-2013-1999, CVE-2013-2000, CVE-2013-2001, CVE-2013-2002, CVE-2013-2003, CVE-2013-2004, CVE-2013-2005, CVE-2013-2062, CVE-2013-2063, CVE-2013-2064, CVE-2013-2066   (Links to External Site)
Date:  May 23 2013
Impact:   User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.5.99.902
Description:   Multiple vulnerabilities were reported in X. A remote authenticated or local user can obtain elevated privileges on the target system.

Several X Window System client libraries do not properly validate data returned from an X server.

A remote authenticated or local user may be able to exploit this to cause arbitrary code to be executed by the target X client. If the X client runs with privileges, the user may be able to obtain those privileges.

An integer overflow in libX11 may occur in XQueryFont(), _XF86BigfontQueryFont(), XListFontsWithInfo(), XGetMotionEvents(), XListHosts(), XGetModifierMapping(), XGetPointerMapping(), XGetKeyboardMapping(), XGetWindowProperty(), and XGetImage() [CVE-2013-1981].

An integer overflow in libXext may occur in XcupGetReservedColormapEntries(), XcupStoreColors(), XdbeGetVisualInfo(), XeviGetVisualInfo(), and XShapeGetRectangles(), XSyncListSystemCounters() [CVE-2013-1982].

An integer overflow in libXfixes may occur in XFixesGetCursorImage() [CVE-2013-1983].

An integer overflow in libXi may occur in XGetDeviceControl(), XGetFeedbackControl(), XGetDeviceDontPropagateList(), XGetDeviceMotionEvents(), XIGetProperty(), XIGetSelectedEvents(), XGetDeviceProperties(), and XListInputDevices() [CVE-2013-1984].

An integer overflow in libXinerama may occur in XineramaQueryScreens() [CVE-2013-1985].

An integer overflow in libXp may occur in XpGetAttributes(), XpGetOneAttribute(), XpGetPrinterList(), and XpQueryScreens() [CVE-2013-2062].

An integer overflow in libXrandr may occur in XRRQueryOutputProperty() and XRRQueryProviderProperty() [CVE-2013-1986].

An integer overflow in libXrender may occur in XRenderQueryFilters(), XRenderQueryFormats(), and XRenderQueryPictIndexValues() [CVE-2013-1987].

An integer overflow in libXRes may occur in XResQueryClients() and XResQueryClientResources() [CVE-2013-1988].

An integer overflow in libXtst may occur in XRecordGetContext() [CVE-2013-2063].

An integer overflow in libXv may occur in XvQueryPortAttributes(), XvListImageFormats(), and XvCreateImage() [CVE-2013-1989].

An integer overflow in libXvMC may occur in XvMCListSurfaceTypes() and XvMCListSubpictureTypes() [CVE-2013-1990].

An integer overflow in libXxf86dga may occur in XDGAQueryModes() and XDGASetMode() [CVE-2013-1991].

An integer overflow in libdmx may occur in DMXGetScreenAttributes(), DMXGetWindowAttributes(), and DMXGetInputAttributes() [CVE-2013-1992].

An integer overflow in libxcb may occur in read_packet() [CVE-2013-2064].

An integer overflow in libGLX may occur in XF86DRIOpenConnection() and XF86DRIGetClientDriverName() [CVE-2013-1993].

An integer overflow in libchromeXvMC and libchromeXvMCPro in openChrome may occur in uniDRIOpenConnection(), and uniDRIGetClientDriverName() [CVE-2013-1994].

A sign extension flaw in libXi may occur in XListInputDevices() [CVE-2013-1995].

A sign extension flaw in libFS may occur in FSOpenServer() [CVE-2013-1996].

A buffer overflow in libX11 may occur in XAllocColorCells(), _XkbReadGetDeviceInfoReply(), _XkbReadGeomShapes(), _XkbReadGetGeometryReply(), _XkbReadKeySyms(), _XkbReadKeyActions(), _XkbReadKeyBehaviors(), _XkbReadModifierMap(), _XkbReadExplicitComponents(), _XkbReadVirtualModMap(), _XkbReadGetNamesReply(), _XkbReadGetMapReply(), _XimXGetReadData(), XListFonts(), XListExtensions(), and XGetFontPath() [CVE-2013-1997].

A buffer overflow in libXi may occur in XGetDeviceButtonMapping(), _XIPassiveGrabDevice(), and XQueryDeviceState() [CVE-2013-1998].

A buffer overflow in libXv may occur in XvQueryPortAttributes() [CVE-2013-2066].

A buffer overflow in libXvMC may occur in XvMCGetDRInfo() [CVE-2013-1999].

A buffer overflow in libXxf86dga may occur in XDGAQueryModes() and XDGASetMode() [CVE-2013-2000].

A buffer overflow in libXxf86vm may occur in XF86VidModeGetGammaRamp() [CVE-2013-2001].

A buffer overflow in libXt may occur in _XtResourceConfigurationEH() [CVE-2013-2002].

An integer overflow in libX11 may occur in LoadColornameDB(), XrmGetFileDatabase(),
_XimParseStringFile(), and TransFileName() [CVE-2013-1981].

An integer overflow in libXcursor may occur in _XcursorFileHeaderCreate() [CVE-2013-2003].

An unbounded recursion parsing error in libX11 may occur in GetDatabase() and _XimParseStringFile() [CVE-2013-2004].

A memory corruption error in libXt may occur in ReqCleanup(), HandleSelectionEvents(), ReqTimedOut(), HandleNormal(), and HandleSelectionReplies() [CVE-2013-2005].

Ilja van Sprundel of IOActive reported these vulnerabilities.

Impact:   A remote authenticated or local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued source code fixes, listed in their advisory.

The fixes will be included in the following versions:

libX11 1.5.99.902 (1.6 RC2)
libXcursor 1.1.14
libXext 1.3.2
libXfixes 5.0.1
libXi 1.7.2
libXinerama 1.1.3
libXp 1.0.2
libXrandr 1.4.1
libXrender 0.9.8
libXRes 1.0.7
libXv 1.0.8
libXvMC 1.0.8
libXxf86dga 1.1.4
libXxf86vm 1.1.3
libdmx 1.1.3
libxcb 1.9.1
libFS 1.0.5
libXt 1.1.4

The vendor's advisory is available at:

http://www.x.org/wiki/Development/Security/Advisory-2013-05-23

Vendor URL:  www.x.org/wiki/Development/Security/Advisory-2013-05-23 (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 26 2013 (Oracle Issues Fix for Solaris) X Window Client Library Protocol Handling Flaws Let Remote Authenticated or Local Users Gain Elevated Privileges
Oracle has issued a fix for Solaris 10 and 11.1.
Sep 26 2013 (Oracle Issues Fix for Solaris) X Window Client Library Protocol Handling Flaws Let Remote Authenticated or Local Users Gain Elevated Privileges
Oracle has issued a fix for Solaris 8, 9, 10, and 11.1.



 Source Message Contents

Date:  Thu May 23 08:05:22 PDT 2013
Subject:  [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries

X.Org Security Advisory:  May 23, 2013
Protocol handling issues in X Window System client libraries
============================================================

Description:
============

Ilja van Sprundel, a security researcher with IOActive, has discovered
a large number of issues in the way various X client libraries handle
the responses they receive from servers, and has worked with X.Org's
security team to analyze, confirm, and fix these issues.

Most of these issues stem from the client libraries trusting the server
to send correct protocol data, and not verifying that the values will
not overflow or cause other damage.   Most of the time X clients & servers
are run by the same user, with the server more privileged from the clients,
so this is not a problem, but there are scenarios in which a privileged
client can be connected to an unprivileged server, for instance, connecting
a setuid X client (such as a screen lock program) to a virtual X server
(such as Xvfb or Xephyr) which the user has modified to return invalid
data, potentially allowing the user to escalate their privileges.

The X.Org security team would like to take this opportunity to remind
X client authors that current best practices suggest separating code
that requires privileges from the GUI, to reduce the attack surface of
issues like this.

The vulnerabilities include:

- integer overflows calculating memory needs for replies

    These calls do not check that their calculations for how much memory
    is needed to handle the returned data have not overflowed, so can
    result in allocating too little memory and then writing the returned
    data past the end of the allocated buffer.

    * CVE-2013-1981: libX11 1.5.99.901 (1.6 RC1) and earlier
      Affected functions:  XQueryFont(), _XF86BigfontQueryFont(),
          XListFontsWithInfo(), XGetMotionEvents(), XListHosts(),
          XGetModifierMapping(), XGetPointerMapping(), XGetKeyboardMapping(),
          XGetWindowProperty(), XGetImage()

    * CVE-2013-1982: libXext 1.3.1 and earlier
      Affected functions:  XcupGetReservedColormapEntries(),
          XcupStoreColors(), XdbeGetVisualInfo(), XeviGetVisualInfo(),
          XShapeGetRectangles(), XSyncListSystemCounters()

    * CVE-2013-1983: libXfixes 5.0 and earlier
      Affected functions:  XFixesGetCursorImage()

    * CVE-2013-1984: libXi 1.7.1 and earlier
      Affected functions:  XGetDeviceControl(), XGetFeedbackControl(),
          XGetDeviceDontPropagateList(), XGetDeviceMotionEvents(),
          XIGetProperty(), XIGetSelectedEvents(), XGetDeviceProperties(),
          XListInputDevices()

    * CVE-2013-1985: libXinerama 1.1.2 and earlier
      Affected functions:  XineramaQueryScreens()

    * CVE-2013-2062: libXp 1.0.1 and earlier
      Affected functions:  XpGetAttributes(), XpGetOneAttribute(),
          XpGetPrinterList(), XpQueryScreens()

    * CVE-2013-1986: libXrandr 1.4.0 and earlier
      Affected functions:  XRRQueryOutputProperty(), XRRQueryProviderProperty()
         [XRRQueryProviderProperty() was introduced in libXrandr 1.4.0 and is
          not found in 1.3.2 and older releases.]

    * CVE-2013-1987: libXrender 0.9.7 and earlier
      Affected functions:  XRenderQueryFilters(), XRenderQueryFormats(),
          XRenderQueryPictIndexValues()

    * CVE-2013-1988: libXRes 1.0.6 and earlier
      Affected functions:  XResQueryClients(), XResQueryClientResources()

    * CVE-2013-2063: libXtst 1.2.1 and earlier
      Affected functions:  XRecordGetContext()

    * CVE-2013-1989: libXv 1.0.7 and earlier
      Affected functions:  XvQueryPortAttributes(), XvListImageFormats(),
          XvCreateImage()

    * CVE-2013-1990: libXvMC 1.0.7 and earlier
      Affected functions:  XvMCListSurfaceTypes(), XvMCListSubpictureTypes()

    * CVE-2013-1991: libXxf86dga 1.1.3 and earlier
      Affected functions:  XDGAQueryModes(), XDGASetMode()

    * CVE-2013-1992: libdmx 1.1.2 and earlier
      Affected functions:  DMXGetScreenAttributes(), DMXGetWindowAttributes(),
          DMXGetInputAttributes()

    * CVE-2013-2064: libxcb 1.9 and earlier
      Affected functions:  read_packet()

    * CVE-2013-1993: libGLX in Mesa 9.1.1 and earlier
      Affected functions:  XF86DRIOpenConnection(), XF86DRIGetClientDriverName()

    * CVE-2013-1994: libchromeXvMC & libchromeXvMCPro in openChrome 0.3.2
      and earlier
      Affected functions:  uniDRIOpenConnection(), uniDRIGetClientDriverName()

- sign extension issues calculating memory needs for replies

    These calls do not check that their calculations for how much memory
    is needed to handle the returned data have not had sign extension
    issues when converting smaller integer types to larger ones, leading
    to negative numbers being used in memory size calculations that can
    result in allocating too little memory and then writing the returned
    data past the end of the allocated buffer.

    * CVE-2013-1995: libXi 1.7.1 and earlier
      Affected functions:  XListInputDevices()

    * CVE-2013-1996: libFS 1.0.4 and earlier
      Affected functions:  FSOpenServer()

- buffer overflows due to not validating length or offset values in replies

    These calls do not check that the lengths and/or indexes returned by the
    server are within the bounds specified by the caller or the bounds of the
    memory allocated by the function, so could write past the bounds of
    allocated memory when storing the returned data.

    * CVE-2013-1997: libX11 1.5.99.901 (1.6 RC1) and earlier
      Affected functions:  XAllocColorCells(), _XkbReadGetDeviceInfoReply(),
          _XkbReadGeomShapes(), _XkbReadGetGeometryReply(), _XkbReadKeySyms(),
          _XkbReadKeyActions(), _XkbReadKeyBehaviors(), _XkbReadModifierMap(),
          _XkbReadExplicitComponents(), _XkbReadVirtualModMap(),
          _XkbReadGetNamesReply(), _XkbReadGetMapReply(), _XimXGetReadData(), 
          XListFonts(), XListExtensions(), XGetFontPath()

    * CVE-2013-1998: libXi 1.7.1 and earlier
      Affected functions:  XGetDeviceButtonMapping(), _XIPassiveGrabDevice(),
          XQueryDeviceState()

    * CVE-2013-2066: libXv 1.0.7 and earlier
      Affected functions:  XvQueryPortAttributes()

    * CVE-2013-1999: libXvMC 1.0.7 and earlier
      Affected functions:  XvMCGetDRInfo()

    * CVE-2013-2000: libXxf86dga 1.1.3 and earlier
      Affected functions:  XDGAQueryModes(), XDGASetMode()

    * CVE-2013-2001: libXxf86vm 1.1.2 and earlier
      Affected functions:  XF86VidModeGetGammaRamp()

    * CVE-2013-2002: libXt 1.1.3 and earlier
      Affected functions:  _XtResourceConfigurationEH()

- integer overflows parsing user-specified files

    These calls do not check that their calculations for how much memory
    is needed to handle the data being read have not overflowed, so can
    result in allocating too little memory and then writing the returned
    data past the end of the allocated buffer.

    * CVE-2013-1981: libX11 1.5.99.901 (1.6 RC1) and earlier
      Affected functions:  LoadColornameDB(), XrmGetFileDatabase(),
          _XimParseStringFile(), TransFileName()

    * CVE-2013-2003: libXcursor 1.1.13 and earlier
      Affected functions:  _XcursorFileHeaderCreate()

- unbounded recursion parsing user-specified files

    These calls read in files and handle C-style '#include' directives
    to include other files, and have no limit for how many levels deep
    they will go, including allowing files to #include themselves, until
    the stack overflows from the recursive function calling patterns.

    * CVE-2013-2004: libX11 1.5.99.901 (1.6 RC1) and earlier
      Affected functions:  GetDatabase(), _XimParseStringFile()

- memory corruption due to unchecked return values

    These calls assume that pointers are properly initialized by the
    XGetWindowProperty() function and don't check for failure of the
    function to return a valid window property, which can lead to
    use of uninitialized pointers for reading, writing, or passing to
    functions such as free().   XGetWindowProperty() in libX11 1.5.99.901
    (1.6RC1) and earlier did not ensure returned pointers were initialized
    to NULL when returning a failure (this is fixed in libX11 1.5.99.902
    and later).

    * CVE-2013-2005: libXt 1.1.3 and earlier
      Affected functions:  ReqCleanup(), HandleSelectionEvents(),
          ReqTimedOut(), HandleNormal(), HandleSelectionReplies()

Affected Versions
=================

X.Org believes all prior versions of these libraries contain these
flaws, dating back to their introduction.

Versions of the X libraries built on top of the Xlib bridge to the XCB 
framework are vulnerable to fewer issues than those without, due to the
added safety and consistency assertions in the XCB calls to read data
from the network, but most of these vulnerabilities are not caught by
those checks.

Fixes
=====

Fixes are available in git commits and patches which will be listed
on http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
when this advisory is released.

Fixes will also be included in these module releases from X.Org:

    libX11 1.5.99.902 (1.6 RC2)
    libXcursor 1.1.14
    libXext 1.3.2
    libXfixes 5.0.1
    libXi 1.7.2
    libXinerama 1.1.3
    libXp 1.0.2
    libXrandr 1.4.1
    libXrender 0.9.8
    libXRes 1.0.7
    libXv 1.0.8
    libXvMC 1.0.8
    libXxf86dga 1.1.4
    libXxf86vm 1.1.3
    libdmx 1.1.3
    libxcb 1.9.1
    libFS 1.0.5
    libXt 1.1.4

or releases to be determined from our sister projects:
    xf86-video-openchrome    OpenChrome project - http://www.openchrome.org/
    Mesa                     Mesa3D project - http://www.mesa3d.org/

Thanks
======

X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our
security team and assisting them in understanding them and evaluating our
fixes, and Alan Coopersmith of Oracle for coordinating the X.Org response and
developing the fixes for these issues.

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	  X.Org Security Response Team - xorg-security at lists.x.org

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC