Bug 220584 - x11-servers/xorg-server: Security vulnerabilities (CVE-2017-10971, CVE-2017-10972)
Summary: x11-servers/xorg-server: Security vulnerabilities (CVE-2017-10971, CVE-2017-1...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-x11 (Nobody)
URL: https://bugzilla.suse.com/show_bug.cg...
Keywords: security
Depends on:
Blocks:
 
Reported: 2017-07-09 21:53 UTC by VK
Modified: 2018-05-23 16:46 UTC (History)
5 users (show)

See Also:
rezny: maintainer-feedback+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description VK freebsd_triage 2017-07-09 21:53:08 UTC
Two security vulnerabilities have been found in xorg-server:

* CVE-2017-10971

  Authenticated X users could overflow the stack in the X Server
  (usually running as root) due to mishandling of X Events endianess.

* CVE-2017-10972

  An information leak out of the X Server due to an uninitialized stack
  area when swapping event endianess.

* Originally reported by SuSE:

  https://bugzilla.suse.com/show_bug.cgi?id=1035283

* oss-seclist summary:

  http://www.openwall.com/lists/oss-security/2017/07/06/6
Comment 1 Matthew Rezny freebsd_committer 2017-07-10 04:49:55 UTC
Thank you for pointing out those posts. I'll add these into the upcoming 1.19.3 update.
Comment 2 VK freebsd_triage 2017-10-12 17:39:14 UTC
Hello, any update? Also would it be a problem for you to write up the VuXML entry? Or please let me know version ranges this affects so I can submit one.
Comment 3 Steve Wills freebsd_committer 2017-10-17 20:20:23 UTC
I created the VuXML entry for these. VuXML entries for CVE-2017-13721 and CVE-2017-13723 still pending.
Comment 4 commit-hook freebsd_committer 2018-05-20 13:19:16 UTC
A commit references this bug:

Author: zeising
Date: Sun May 20 13:18:48 UTC 2018
New revision: 470454
URL: https://svnweb.freebsd.org/changeset/ports/470454

Log:
  x11-servers/xorg-server: Backport security fixes

  Backport security fixes for CVE-2017-10971 and CVE-2017-10972 (yes, 2017).
  For some reason this was not done when the vulnerabilities were documented
  in VuXML, and a typo in the version range in VuXML meant that the entries
  never matched.

  This fixes a memory disclosure and a couple of buffer overruns.

  PR:		220584
  Reported by:	Vladimir Krstulja
  MFH:		2018Q2
  Security:	ab881a74-c016-4e6d-9f7d-68c8e7cedafb

Changes:
  head/x11-servers/xorg-server/Makefile
  head/x11-servers/xorg-server/files/patch-CVE-2017-10971
  head/x11-servers/xorg-server/files/patch-CVE-2017-10972
Comment 5 Niclas Zeising freebsd_committer 2018-05-20 13:21:27 UTC
This is believed fixed now.
Thank you for the report!
Comment 6 commit-hook freebsd_committer 2018-05-23 16:46:15 UTC
A commit references this bug:

Author: zeising
Date: Wed May 23 16:45:37 UTC 2018
New revision: 470709
URL: https://svnweb.freebsd.org/changeset/ports/470709

Log:
  MFH: r470454

  x11-servers/xorg-server: Backport security fixes

  Backport security fixes for CVE-2017-10971 and CVE-2017-10972 (yes, 2017).
  For some reason this was not done when the vulnerabilities were documented
  in VuXML, and a typo in the version range in VuXML meant that the entries
  never matched.

  This fixes a memory disclosure and a couple of buffer overruns.

  PR:		220584
  Reported by:	Vladimir Krstulja
  Security:	ab881a74-c016-4e6d-9f7d-68c8e7cedafb

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q2/
  branches/2018Q2/x11-servers/xorg-server/Makefile
  branches/2018Q2/x11-servers/xorg-server/files/patch-CVE-2017-10971
  branches/2018Q2/x11-servers/xorg-server/files/patch-CVE-2017-10972