CLD-524 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | xorg-libraries |
Deficiency Type | SECURITY |
Date Created | 2018-08-21 16:52:39 |
Date Last Modified | 2018-08-25 12:46:45 |
Version Specific Information:
Cucumber 1.0 i686 | vulnerable |
Cucumber 1.0 x86_64 | vulnerable |
Cucumber 1.1 i686 | vulnerable |
Cucumber 1.1 x86_64 | vulnerable |
Details:
=================================== Overview ===================================
An issue was discovered in libX11 through 1.6.5. The function XListExtensions
in ListExt.c is vulnerable to an off-by-one error caused by malicious server
responses, leading to DoS or possibly unspecified other impact.
================================ Initial Report ================================
From http://www.openwall.com/lists/oss-security/2018/08/21/6:
Off-by-one writes (CVE-2018-14599).
-----------------------------------
The functions XGetFontPath, XListExtensions, and XListFonts are
vulnerable to an off-by-one override on malicious server responses.
The server replies consist of chunks consisting of a length byte
followed by actual string, which is not NUL-terminated.
While parsing the response, the length byte is overridden with '\0',
thus the memory area can be used as storage of C strings later on. To
be able to NUL-terminate the last string, the buffer is reserved with
an additional byte of space.
For a boundary check, the variable chend (end of ch) was introduced,
pointing at the end of the buffer which ch initially points to.
Unfortunately there is a difference in handling "the end of ch".
While chend points at the first byte that must not be written to,
the for-loop uses chend as the last byte that can be written to.
Therefore, an off-by-one can occur.
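
The boundary mismatch described in the report above, as an added example. It is a simplified model, not libX11 source and not part of the quoted report. The names `unpack` and `attempts_oob` and the 8-byte reply are assumptions of this sketch, and a write that would fall outside the buffer is recorded rather than performed.

```c
#include <stdio.h>
#include <string.h>

#define RLEN  8            /* constructed reply size in bytes */
#define ALLOC (RLEN + 1)   /* one spare byte for the final NUL */

/* Turn each length byte into a NUL terminator, as the report describes.
 * chend is the index the loop treats as the last byte it may write.
 * A write that would leave the buffer is recorded in *oob, not performed. */
static size_t unpack(unsigned char *buf, size_t chend, size_t n,
                     char **list, int *oob)
{
    size_t pos = 0, count = 0, length = buf[0];
    *oob = 0;
    for (size_t i = 0; i < n; i++) {
        size_t next = pos + length + 1;   /* terminator / next length byte */
        list[i] = NULL;
        if (next > chend)                 /* the loop's own boundary check */
            continue;
        if (next >= ALLOC) {              /* outside the allocation */
            *oob = 1;
            break;
        }
        list[i] = (char *)&buf[pos + 1];  /* string starts after its length */
        length = buf[next];
        buf[next] = '\0';
        pos = next;
        count++;
    }
    return count;
}

/* Unpack two strings from a fresh copy of reply; 1 = out-of-bounds attempt. */
static int attempts_oob(const char *reply, size_t chend, size_t *count)
{
    unsigned char buf[ALLOC] = {0};
    char *list[2];
    int oob;
    memcpy(buf, reply, RLEN);
    *count = unpack(buf, chend, 2, list, &oob);
    return oob;
}

int main(void)
{
    /* Constructed reply: the last length byte says 4, only 3 bytes follow. */
    const char *bad = "\x03" "abc" "\x04" "def";
    size_t c;
    printf("chend=%d oob=%d\n", ALLOC, attempts_oob(bad, ALLOC, &c));
    printf("chend=%d oob=%d\n", RLEN, attempts_oob(bad, RLEN, &c));
}
```

With `chend` set to the first byte past the buffer, the loop accepts a terminator position one byte beyond the allocation. With `chend` set to the last writable byte, the same reply is rejected and the second list entry stays NULL.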
================================= Our Analysis =================================
----- Affected Products -----
libX11 in Xorg 7.7 is vulnerable, meaning that xorg-libraries as originally
packaged in Cucumber Linux 1.0 and 1.1 is vulnerable.
----- Scope and Impact of this Vulnerability -----
A malicious server response can cause a denial of service or possibly other unspecified impact.
----- Fix for this Vulnerability -----
This vulnerability is fixed in commit
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0.
Unfortunately, this commit is not easily backportable to Xorg 7.7.
================================= Our Solution =================================
We will wait to see if a backported patch becomes available.