Bug 220584

Summary: x11-servers/xorg-server: Security vulnerabilities (CVE-2017-10971, CVE-2017-10972)
Product: Ports & Packages
Reporter: VK <vlad-fbsd>
Component: Individual Port(s)
Assignee: freebsd-x11 (Nobody) <x11>
Status: Closed FIXED
Severity: Affects Some People
CC: ports-secteam, rezny, shawn.webb, swills, zeising
Priority: ---
Keywords: security
Version: Latest
Flags: rezny: maintainer-feedback+
Hardware: Any
OS: Any
URL: https://bugzilla.suse.com/show_bug.cgi?id=1035283

Description VK freebsd_triage 2017-07-09 21:53:08 UTC
Two security vulnerabilities have been found in xorg-server:

* CVE-2017-10971

  Authenticated X users could overflow the stack in the X Server
  (usually running as root) due to mishandling of X Events endianness.

* CVE-2017-10972

  An information leak out of the X Server due to an uninitialized stack
  area when swapping event endianness.

* Originally reported by SuSE:

  https://bugzilla.suse.com/show_bug.cgi?id=1035283

* oss-seclist summary:

  http://www.openwall.com/lists/oss-security/2017/07/06/6
Comment 1 Matthew Rezny freebsd_committer freebsd_triage 2017-07-10 04:49:55 UTC
Thank you for pointing out those posts. I'll add these into the upcoming 1.19.3 update.
Comment 2 VK freebsd_triage 2017-10-12 17:39:14 UTC
Hello, any update? Also would it be a problem for you to write up the VuXML entry? Or please let me know version ranges this affects so I can submit one.
Comment 3 Steve Wills freebsd_committer freebsd_triage 2017-10-17 20:20:23 UTC
I created the VuXML entry for these. VuXML entries for CVE-2017-13721 and CVE-2017-13723 still pending.
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-05-20 13:19:16 UTC
A commit references this bug:

Author: zeising
Date: Sun May 20 13:18:48 UTC 2018
New revision: 470454
URL: https://svnweb.freebsd.org/changeset/ports/470454

Log:
  x11-servers/xorg-server: Backport security fixes

  Backport security fixes for CVE-2017-10971 and CVE-2017-10972 (yes, 2017).
  For some reason this was not done when the vulnerabilities were documented
  in VuXML, and a typo in the version range in VuXML meant that the entries
  never matched.

  This fixes a memory disclosure and a couple of buffer overruns.

  PR:		220584
  Reported by:	Vladimir Krstulja
  MFH:		2018Q2
  Security:	ab881a74-c016-4e6d-9f7d-68c8e7cedafb

Changes:
  head/x11-servers/xorg-server/Makefile
  head/x11-servers/xorg-server/files/patch-CVE-2017-10971
  head/x11-servers/xorg-server/files/patch-CVE-2017-10972
Comment 5 Niclas Zeising freebsd_committer freebsd_triage 2018-05-20 13:21:27 UTC
This is believed fixed now.
Thank you for the report!
Comment 6 commit-hook freebsd_committer freebsd_triage 2018-05-23 16:46:15 UTC
A commit references this bug:

Author: zeising
Date: Wed May 23 16:45:37 UTC 2018
New revision: 470709
URL: https://svnweb.freebsd.org/changeset/ports/470709

Log:
  MFH: r470454

  x11-servers/xorg-server: Backport security fixes

  Backport security fixes for CVE-2017-10971 and CVE-2017-10972 (yes, 2017).
  For some reason this was not done when the vulnerabilities were documented
  in VuXML, and a typo in the version range in VuXML meant that the entries
  never matched.

  This fixes a memory disclosure and a couple of buffer overruns.

  PR:		220584
  Reported by:	Vladimir Krstulja
  Security:	ab881a74-c016-4e6d-9f7d-68c8e7cedafb

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q2/
  branches/2018Q2/x11-servers/xorg-server/Makefile
  branches/2018Q2/x11-servers/xorg-server/files/patch-CVE-2017-10971
  branches/2018Q2/x11-servers/xorg-server/files/patch-CVE-2017-10972