CLD-156 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | xorg-libraries |
Deficiency Type | SECURITY |
Date Created | 2017-11-28 10:33:41 |
Date Last Modified | 2017-11-28 11:53:50 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in xorg-libraries-7.7-i686-4 |
Cucumber 1.0 x86_64 | fixed in xorg-libraries-7.7-x86_64-4 and xorg-libraries-lib_i686-7.7-lib_i686-4 |
Cucumber 1.1 i686 | fixed in xorg-libraries-7.7-i686-4 |
Cucumber 1.1 x86_64 | fixed in xorg-libraries-7.7-x86_64-4 and xorg-libraries-lib_i686-7.7-lib_i686-4 |
Details:
================================ Initial Report ================================
From Openwall (http://www.openwall.com/lists/oss-security/2017/11/28/6):
Date: Tue, 28 Nov 2017 15:52:26 +0100
From: Matthieu Herrb
To: oss-security@...ts.openwall.com
Subject: CVE-2017-16612 libXcursor: heap overflows when parsing malicious files
Hi,
X.Org has just released libXcursor version 1.1.15 which contains the
following security fix:
Author: Tobias Stoeckmann
AuthorDate: Sat Oct 21 23:47:52 2017 +0200
Commit: Matthieu Herrb
CommitDate: Sat Nov 25 11:52:34 2017 +0100
Fix heap overflows when parsing malicious files. (CVE-2017-16612)
It is possible to trigger heap overflows due to an integer overflow
while parsing images and a signedness issue while parsing comments.
The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.
The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows the
check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to allocate
less memory than needed for subsequent reads.
https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2
--
Matthieu Herrb
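To make the two arithmetic mistakes in the commit message above concrete, here is an added C model of the pre-fix and fixed size computations. It is an illustration written for this page, not code from libXcursor or from the upstream patch. The 4-byte pixel and the 0x10000 dimension limit are the values the report gives; the header sizes, the 0x7fff dimension cap and the 0x100000 comment limit are assumed stand-ins, and the input headers are constructed. Sizes are computed in uint32_t so the wrap-around of a 32-bit size_t shows on a 64-bit host too.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values stated in the report: 4 bytes per pixel and the pre-fix dimension
 * limit of 0x10000. Everything else here is an assumption for illustration
 * and is NOT taken from libXcursor's headers. */
#define PIXEL_SIZE        4u
#define OLD_DIM_LIMIT     0x10000u  /* pre-fix limit; too large for a 32-bit size_t */
#define SAFE_DIM_LIMIT    0x7fffu   /* assumed: 0x7fff*0x7fff*4 + header < 2^32 */
#define IMAGE_HDR_BYTES   32u       /* assumed stand-in for sizeof(XcursorImage) */
#define COMMENT_HDR_BYTES 16u       /* assumed stand-in for sizeof(XcursorComment) */
#define COMMENT_MAX_LEN   0x100000  /* assumed stand-in for XCURSOR_COMMENT_MAX_LEN */

/* What an allocation policy does with one parsed header. alloc_bytes is
 * computed in uint32_t to model a 32-bit size_t; needed_bytes is the true
 * requirement, computed without wrap-around. */
struct alloc_result {
    bool     accepted;      /* did the bounds check let the header through? */
    uint32_t alloc_bytes;   /* what would be passed to malloc */
    uint64_t needed_bytes;  /* what the subsequent read actually writes */
};

/* A header is dangerous when it is accepted but under-allocated. */
bool overflows(struct alloc_result r)
{
    return r.accepted && r.needed_bytes > r.alloc_bytes;
}

/* Pre-fix image path: each dimension is capped at 0x10000, then
 * width*height*4 is computed in 32-bit arithmetic, which wraps for inputs
 * the cap still allows (e.g. 0x8000 x 0x8001 -> 0x100020000 -> 0x20000). */
struct alloc_result image_alloc_prefix(uint32_t width, uint32_t height)
{
    struct alloc_result r = { false, 0, 0 };
    if (width > OLD_DIM_LIMIT || height > OLD_DIM_LIMIT)
        return r;
    r.accepted     = true;
    r.alloc_bytes  = IMAGE_HDR_BYTES + width * height * PIXEL_SIZE;  /* wraps mod 2^32 */
    r.needed_bytes = IMAGE_HDR_BYTES + (uint64_t)width * height * PIXEL_SIZE;
    return r;
}

/* Fixed image path: a per-dimension cap small enough that the product can
 * never wrap, plus a division-based overflow check so the code stays
 * correct if someone raises the cap later. */
struct alloc_result image_alloc_fixed(uint32_t width, uint32_t height)
{
    struct alloc_result r = { false, 0, 0 };
    if (width > SAFE_DIM_LIMIT || height > SAFE_DIM_LIMIT)
        return r;
    if (height != 0 &&
        width > (UINT32_MAX - IMAGE_HDR_BYTES) / PIXEL_SIZE / height)
        return r;
    r.accepted     = true;
    r.alloc_bytes  = IMAGE_HDR_BYTES + width * height * PIXEL_SIZE;
    r.needed_bytes = IMAGE_HDR_BYTES + (uint64_t)width * height * PIXEL_SIZE;
    return r;
}

/* Pre-fix comment path: the length is read as unsigned but handed to a
 * function taking int. 0xFFFFFFFF becomes -1, passes "length <= max", and
 * sizeof(header) + length + 1 collapses to just the header. */
struct alloc_result comment_alloc_prefix(uint32_t length_from_file)
{
    struct alloc_result r = { false, 0, 0 };
    int length = (int)length_from_file;   /* negative for >= 0x80000000 (two's complement) */
    if (length > COMMENT_MAX_LEN)
        return r;                         /* never taken for a negative length */
    r.accepted     = true;
    r.alloc_bytes  = COMMENT_HDR_BYTES + (uint32_t)length + 1u;          /* size_t + int: int goes unsigned */
    r.needed_bytes = COMMENT_HDR_BYTES + (uint64_t)length_from_file + 1; /* the read uses the unsigned length */
    return r;
}

/* Fixed comment path: validate the length in the type it was read in,
 * before any signed conversion, and keep a "length < 0" check as well. */
struct alloc_result comment_alloc_fixed(uint32_t length_from_file)
{
    struct alloc_result r = { false, 0, 0 };
    if (length_from_file > COMMENT_MAX_LEN)
        return r;
    int length = (int)length_from_file;   /* now provably in [0, COMMENT_MAX_LEN] */
    if (length < 0)
        return r;
    r.accepted     = true;
    r.alloc_bytes  = COMMENT_HDR_BYTES + (uint32_t)length + 1u;
    r.needed_bytes = COMMENT_HDR_BYTES + (uint64_t)length_from_file + 1;
    return r;
}

static void show(const char *what, struct alloc_result r)
{
    printf("%-26s accepted=%d alloc=%u needed=%llu overflow=%d\n", what,
           r.accepted, r.alloc_bytes, (unsigned long long)r.needed_bytes, overflows(r));
}

int main(void)
{
    show("image 0x8000x0x8001 old", image_alloc_prefix(0x8000u, 0x8001u));
    show("image 0x8000x0x8001 new", image_alloc_fixed(0x8000u, 0x8001u));
    show("comment len=0xFFFFFFFF old", comment_alloc_prefix(0xFFFFFFFFu));
    show("comment len=0xFFFFFFFF new", comment_alloc_fixed(0xFFFFFFFFu));
    return 0;
}
```

The "old" rows print an accepted header whose needed size exceeds the allocation, which is the under-allocation the subsequent reads then overflow. The general lesson is the one the fix applies: validate a length in the type it was read in, before any cast, and check products against the allocation size type rather than only capping each factor.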
================================= Our Analysis =================================
----- Fix for this Vulnerability -----
This vulnerability has been fixed by the upstream Xorg developers in commit
4794b5dd34688158fb51a2943032569d3780c4b8
(https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8),
which has been applied in the 1.1.15 release of libXcursor.
----- Affected Products -----
Any system running a version of libXcursor prior to 1.1.15 without the
aforementioned patch applied is affected. This includes Cucumber Linux 1.0 and
1.1 (as of Tue Nov 28 11:35:36 EST 2017), since both ship libXcursor 1.1.14.
----- Scope and Impact of this Vulnerability -----
This is a heap buffer overflow triggered by parsing a crafted Xcursor file, so
in principle it could result in information disclosure, arbitrary code
execution and/or privilege escalation in a process that loads such a file
through libXcursor. However, as of Tue Nov 28 11:37:39 EST 2017, the practical
exploitability (which applications can be made to load an attacker-supplied
cursor file, and with what privileges) has not been determined.
================================= Our Solution =================================
We have patched this vulnerability by applying the upstream patch
(https://cgit.freedesktop.org/xorg/lib/libXcursor/patch/?id=4794b5dd34688158fb51a2943032569d3780c4b8)
to the xorg-libraries package (effective in xorg-libraries-7.7-i686-4 and the
corresponding x86_64 packages listed above). The patch applied cleanly without
modification.