CLD-524 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-14599 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) xorg-libraries
Deficiency Type SECURITY
Date Created 2018-08-21 16:52:39
Date Last Modified 2018-08-25 12:46:45

Version Specific Information:

Cucumber 1.0 i686 vulnerable
Cucumber 1.0 x86_64 vulnerable

Cucumber 1.1 i686 vulnerable
Cucumber 1.1 x86_64 vulnerable

Details:

=================================== Overview ===================================

An issue was discovered in libX11 through 1.6.5. The function XListExtensions
in ListExt.c is vulnerable to an off-by-one error caused by malicious server
responses, leading to DoS or possibly unspecified other impact.

================================ Initial Report ================================

From http://www.openwall.com/lists/oss-security/2018/08/21/6:

Off-by-one writes (CVE-2018-14599).
-----------------------------------

The functions XGetFontPath, XListExtensions, and XListFonts are
vulnerable to an off-by-one override on malicious server responses.

The server replies consist of chunks consisting of a length byte
followed by actual string, which is not NUL-terminated.

While parsing the response, the length byte is overridden with '\0',
thus the memory area can be used as storage of C strings later on. To
be able to NUL-terminate the last string, the buffer is reserved with
an additional byte of space.

For a boundary check, the variable chend (end of ch) was introduced,
pointing at the end of the buffer which ch initially points to.
Unfortunately there is a difference in handling "the end of ch".

While chend points at the first byte that must not be written to,
the for-loop uses chend as the last byte that can be written to.

Therefore, an off-by-one can occur.

================================= Our Analysis =================================

----- Affected Products -----
libX11 in Xorg 7.7 is vulnerable, meaning that xorg-libraries as originally
packaged in Cucumber Linux 1.0 and 1.1 is vulnerable.

----- Scope and Impact of this Vulnerability -----
A malicious X server response allows for a denial of service or possibly other unspecified impact.

----- Fix for this Vulnerability -----
This vulnerability is fixed in commit
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0.
Unfortunately, this commit is not easily backportable to Xorg 7.7.
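
The unpacking scheme the quoted report describes, with the corrected boundary test, as an added illustration that is not code from libX11, from the referenced commit or from this advisory: the names ch, chstart and chend follow the report, while unpack_reply and reply_name are assumed helper names and the replies fed to them are constructed, covering a well-formed reply, one that exactly fills the buffer, and one whose last length byte claims one byte more than the reply holds.

```c
#include <stdlib.h>
#include <string.h>

/* Unpack a reply of (length byte, string bytes) chunks into NUL-terminated
 * strings in place. list receives nnames pointers; a chunk whose length byte
 * runs past the reply yields NULL rather than an out-of-bounds access.
 * Returns the buffer the strings live in (caller frees), or NULL on OOM. */
char *unpack_reply(const unsigned char *reply, size_t rlen,
                   char **list, int nnames)
{
    char *ch = malloc(rlen + 1);            /* +1: room for the last terminator */
    if (!ch) return NULL;
    memcpy(ch, reply, rlen);
    ch[rlen] = '\0';                        /* the spare byte, never server data */
    char *chstart = ch, *chend = ch + rlen; /* chend: first byte past the data */
    unsigned char length = (unsigned char)*ch;
    for (int i = 0; i < nnames; i++) {
        /* ch + length is this chunk's last data byte. Requiring it to be
         * strictly below chend keeps the next length byte, overwritten with
         * '\0' below, at or before the spare byte ch[rlen]. The off-by-one
         * described in the report comes from using "<=" here instead. */
        if (ch + length < chend) {
            list[i] = ch + 1;               /* string begins after its length byte */
            ch += length + 1;               /* move to the next length byte */
            length = (unsigned char)*ch;    /* save it before ... */
            *ch = '\0';                     /* ... replacing it with a terminator */
        } else {
            list[i] = NULL;                 /* truncated or malformed chunk */
        }
    }
    return chstart;
}

/* Test helper (assumed, nnames <= 16): copy name idx into a static buffer, or
 * return NULL when that entry was rejected by the boundary check. */
const char *reply_name(const unsigned char *reply, size_t rlen,
                       int nnames, int idx)
{
    static char namebuf[256];
    char *list[16];
    if (nnames > 16 || idx < 0 || idx >= nnames) return NULL;
    char *buf = unpack_reply(reply, rlen, list, nnames);
    const char *s = (buf && list[idx]) ? strncpy(namebuf, list[idx], 255) : NULL;
    namebuf[255] = '\0';
    free(buf);
    return s;
}
```

With the vulnerable "<=" comparison, the reply whose second length byte is 3 instead of 2 would pass the check and have its terminator written one byte past the allocation; with "<" that entry is rejected and the first name is still returned intact.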

================================= Our Solution =================================

We will wait to see if a backported patch becomes available.