All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] libxfont: CVE-2017-13720, CVE-2017-13722
@ 2017-11-01 16:28 Catalin Enache
  2017-11-01 17:07 ` Alexander Kanavin
  0 siblings, 1 reply; 3+ messages in thread
From: Catalin Enache @ 2017-11-01 16:28 UTC (permalink / raw)
  To: openembedded-core

In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2
and 2.x before 2.0.2, an attacker with access to an X connection can cause
a buffer over-read during pattern matching of fonts, leading to information
disclosure or a crash (denial of service). This occurs because '\0'
characters are incorrectly skipped in situations involving ? characters.

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2
and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used
by local attackers authenticated to an Xserver for a buffer over-read, for
information disclosure or a crash of the X server.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-13720
https://nvd.nist.gov/vuln/detail/CVE-2017-13722

Upstream patches:
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
 .../xorg-lib/libxfont/CVE-2017-13720.patch         | 37 +++++++++++++++
 .../xorg-lib/libxfont/CVE-2017-13722.patch         | 55 ++++++++++++++++++++++
 meta/recipes-graphics/xorg-lib/libxfont_1.5.2.bb   |  4 ++
 3 files changed, 96 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/CVE-2017-13720.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/CVE-2017-13722.patch

diff --git a/meta/recipes-graphics/xorg-lib/libxfont/CVE-2017-13720.patch b/meta/recipes-graphics/xorg-lib/libxfont/CVE-2017-13720.patch
new file mode 100644
index 0000000..79d2cac
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxfont/CVE-2017-13720.patch
@@ -0,0 +1,37 @@
+From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Thu, 20 Jul 2017 13:38:53 +0200
+Subject: [PATCH] Check for end of string in PatternMatch (CVE-2017-13720)
+
+If a pattern contains '?' character, any character in the string is skipped,
+even if it is '\0'. The rest of the matching then reads invalid memory.
+
+Upstream-Status: Backport
+CVE: CVE-2017-13720
+
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/fontfile/fontdir.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
+index 4ce2473..996b7d1 100644
+--- a/src/fontfile/fontdir.c
++++ b/src/fontfile/fontdir.c
+@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
+ 		}
+ 	    }
+ 	case '?':
+-	    if (*string++ == XK_minus)
++	    if ((t = *string++) == XK_minus)
+ 		stringdashes--;
++	    if (!t)
++		return 0;
+ 	    break;
+ 	case '\0':
+ 	    return (*string == '\0');
+-- 
+2.10.2
+
diff --git a/meta/recipes-graphics/xorg-lib/libxfont/CVE-2017-13722.patch b/meta/recipes-graphics/xorg-lib/libxfont/CVE-2017-13722.patch
new file mode 100644
index 0000000..92d149b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxfont/CVE-2017-13722.patch
@@ -0,0 +1,55 @@
+From 672bb944311392e2415b39c0d63b1e1902905bcd Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Thu, 20 Jul 2017 17:05:23 +0200
+Subject: [PATCH] pcfGetProperties: Check string boundaries (CVE-2017-13722)
+
+Without the checks a malformed PCF file can cause the library to make
+atom from random heap memory that was behind the `strings` buffer.
+This may crash the process or leak information.
+
+Upstream-Status: Backport
+CVE: CVE-2017-13722
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/bitmap/pcfread.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c
+index dab1c44..ae34c28 100644
+--- a/src/bitmap/pcfread.c
++++ b/src/bitmap/pcfread.c
+@@ -45,6 +45,7 @@ from The Open Group.
+ 
+ #include <stdarg.h>
+ #include <stdint.h>
++#include <string.h>
+ 
+ void
+ pcfError(const char* message, ...)
+@@ -311,11 +312,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file,
+     if (IS_EOF(file)) goto Bail;
+     position += string_size;
+     for (i = 0; i < nprops; i++) {
++	if (props[i].name >= string_size) {
++	    pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
++	    goto Bail;
++	}
+ 	props[i].name = MakeAtom(strings + props[i].name,
+-				 strlen(strings + props[i].name), TRUE);
++				 strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
+ 	if (isStringProp[i]) {
++	    if (props[i].value >= string_size) {
++		pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
++		goto Bail;
++	    }
+ 	    props[i].value = MakeAtom(strings + props[i].value,
+-				      strlen(strings + props[i].value), TRUE);
++				      strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
+ 	}
+     }
+     free(strings);
+-- 
+2.10.2
+
diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.2.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.2.bb
index b11dda5..c2f5fcf 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.2.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.2.bb
@@ -16,6 +16,10 @@ PE = "1"
 
 XORG_PN = "libXfont"
 
+SRC_URI +=  "file://CVE-2017-13720.patch \
+             file://CVE-2017-13722.patch \
+            "
+
 BBCLASSEXTEND = "native"
 
 SRC_URI[md5sum] = "254ee42bd178d18ebc7a73aacfde7f79"
-- 
2.10.2



^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] libxfont: CVE-2017-13720, CVE-2017-13722
  2017-11-01 16:28 [PATCH] libxfont: CVE-2017-13720, CVE-2017-13722 Catalin Enache
@ 2017-11-01 17:07 ` Alexander Kanavin
  2017-11-03 17:50   ` Randy MacLeod
  0 siblings, 1 reply; 3+ messages in thread
From: Alexander Kanavin @ 2017-11-01 17:07 UTC (permalink / raw)
  To: Catalin Enache, openembedded-core

On 11/01/2017 06:28 PM, Catalin Enache wrote:
> In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2
> and 2.x before 2.0.2, an attacker with access to an X connection can cause
> a buffer over-read during pattern matching of fonts, leading to information
> disclosure or a crash (denial of service). This occurs because '\0'
> characters are incorrectly skipped in situations involving ? characters.
> 
> In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2
> and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used
> by local attackers authenticated to an Xserver for a buffer over-read, for
> information disclosure or a crash of the X server.

If both 1.x and 2.x are vulnerable, you should update them both (not 
just 1.x). Also, it's better to update to a version that is not 
vulnerable, rather than backport patches.

Alex


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] libxfont: CVE-2017-13720, CVE-2017-13722
  2017-11-01 17:07 ` Alexander Kanavin
@ 2017-11-03 17:50   ` Randy MacLeod
  0 siblings, 0 replies; 3+ messages in thread
From: Randy MacLeod @ 2017-11-03 17:50 UTC (permalink / raw)
  To: Alexander Kanavin, Catalin Enache, openembedded-core

On 2017-11-01 01:07 PM, Alexander Kanavin wrote:
> On 11/01/2017 06:28 PM, Catalin Enache wrote:
>> In the PatternMatch function in fontfile/fontdir.c in libXfont through 
>> 1.5.2
>> and 2.x before 2.0.2, an attacker with access to an X connection can 
>> cause
>> a buffer over-read during pattern matching of fonts, leading to 
>> information
>> disclosure or a crash (denial of service). This occurs because '\0'
>> characters are incorrectly skipped in situations involving ? characters.
>>
>> In the pcfGetProperties function in bitmap/pcfread.c in libXfont 
>> through 1.5.2
>> and 2.x before 2.0.2, a missing boundary check (for PCF files) could 
>> be used
>> by local attackers authenticated to an Xserver for a buffer over-read, 
>> for
>> information disclosure or a crash of the X server.
> 
> If both 1.x and 2.x are vulnerable, you should update them both (not 
> just 1.x). 

Sure but 2.x isn't in morty, see below.

> Also, it's better to update to a version that is not 
> vulnerable, rather than backport patches.
> 
> Alex

Alex,

Catalin works on the WR sustaining team so his mandate is to take care
of released products where updating isn't typically permitted.
Now that oe-core-2.2 is out, we'll be sending patches for rocko as
well but we're in a transition time for a while so bear with us please.
If master and rocko have the same code, then of course we Catalin would
target master and arrange to have the commit backported.

Catalin,

Please tag your commits if they are strictly for the morty
branch using something like:
    [OE-core][morty][PATCH] foo: the bar should be zinged
    [OE-core][PATCH][morty] foo: the bar should be zinged

as per:
    https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance

Thanks,
-- 
# Randy MacLeod.  WR Linux
# Wind River an Intel Company


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-11-03 17:50 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-01 16:28 [PATCH] libxfont: CVE-2017-13720, CVE-2017-13722 Catalin Enache
2017-11-01 17:07 ` Alexander Kanavin
2017-11-03 17:50   ` Randy MacLeod

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.