X.Org Security Advisory: May 23, 2013
Protocol handling issues in X Window System client libraries
Description
Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues.
Most of these issues stem from the client libraries trusting the server to send correct protocol data, without verifying that the values will not overflow or cause other damage. Most of the time X clients and servers are run by the same user, with the server more privileged than the clients, so this is not a problem; but there are scenarios in which a privileged client is connected to an unprivileged server, for instance a setuid X client (such as a screen lock program) connecting to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges.
The X.Org security team would like to take this opportunity to remind X client authors that current best practices suggest separating code that requires privileges from the GUI, to reduce the attack surface of issues like this.
The vulnerabilities include:
- integer overflows calculating memory needs for replies
- These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so they can allocate too little memory and then write the returned data past the end of the allocated buffer.
- CVE-2013-1981: libX11 1.5.99.901 (1.6 RC1) and earlier
- Affected functions: XQueryFont(), _XF86BigfontQueryFont(), XListFontsWithInfo(), XGetMotionEvents(), XListHosts(), XGetModifierMapping(), XGetPointerMapping(), XGetKeyboardMapping(), XGetWindowProperty(), XGetImage()
- CVE-2013-1982: libXext 1.3.1 and earlier
- Affected functions: XcupGetReservedColormapEntries(), XcupStoreColors(), XdbeGetVisualInfo(), XeviGetVisualInfo(), XShapeGetRectangles(), XSyncListSystemCounters()
- CVE-2013-1983: libXfixes 5.0 and earlier
- Affected functions: XFixesGetCursorImage()
- CVE-2013-1984: libXi 1.7.1 and earlier
- Affected functions: XGetDeviceControl(), XGetFeedbackControl(), XGetDeviceDontPropagateList(), XGetDeviceMotionEvents(), XIGetProperty(), XIGetSelectedEvents(), XGetDeviceProperties(), XListInputDevices()
- CVE-2013-1985: libXinerama 1.1.2 and earlier
- Affected functions: XineramaQueryScreens()
- CVE-2013-2062: libXp 1.0.1 and earlier
- Affected functions: XpGetAttributes(), XpGetOneAttribute(), XpGetPrinterList(), XpQueryScreens()
- CVE-2013-1986: libXrandr 1.4.0 and earlier
- Affected functions: XRRQueryOutputProperty(), XRRQueryProviderProperty() [XRRQueryProviderProperty() was introduced in libXrandr 1.4.0 and is not found in 1.3.2 and older releases.]
- CVE-2013-1987: libXrender 0.9.7 and earlier
- Affected functions: XRenderQueryFilters(), XRenderQueryFormats(), XRenderQueryPictIndexValues()
- CVE-2013-1988: libXRes 1.0.6 and earlier
- Affected functions: XResQueryClients(), XResQueryClientResources()
- CVE-2013-2063: libXtst 1.2.1 and earlier
- Affected functions: XRecordGetContext()
- CVE-2013-1989: libXv 1.0.7 and earlier
- Affected functions: XvQueryPortAttributes(), XvListImageFormats(), XvCreateImage()
- CVE-2013-1990: libXvMC 1.0.7 and earlier
- Affected functions: XvMCListSurfaceTypes(), XvMCListSubpictureTypes()
- CVE-2013-1991: libXxf86dga 1.1.3 and earlier
- Affected functions: XDGAQueryModes(), XDGASetMode()
- CVE-2013-1992: libdmx 1.1.2 and earlier
- Affected functions: DMXGetScreenAttributes(), DMXGetWindowAttributes(), DMXGetInputAttributes()
- CVE-2013-2064: libxcb 1.9 and earlier
- Affected functions: read_packet()
- CVE-2013-1993: libGLX in Mesa 9.1.1 and earlier
- Affected functions: XF86DRIOpenConnection(), XF86DRIGetClientDriverName()
- CVE-2013-1994: libchromeXvMC & libchromeXvMCPro in openChrome 0.3.2 and earlier
- Affected functions: uniDRIOpenConnection(), uniDRIGetClientDriverName()
- sign extension issues calculating memory needs for replies
- These calls do not check that their calculations for how much memory is needed to handle the returned data have not had sign extension issues when converting smaller integer types to larger ones, leading to negative numbers being used in memory size calculations that can result in allocating too little memory and then writing the returned data past the end of the allocated buffer.
- CVE-2013-1995: libXi 1.7.1 and earlier
- Affected functions: XListInputDevices()
- CVE-2013-1996: libFS 1.0.4 and earlier
- Affected functions: FSOpenServer()
- buffer overflows due to not validating length or offset values in replies
- These calls do not check that the lengths and/or indexes returned by the server are within the bounds specified by the caller or the bounds of the memory allocated by the function, so they could write past the bounds of allocated memory when storing the returned data.
- CVE-2013-1997: libX11 1.5.99.901 (1.6 RC1) and earlier
- Affected functions: XAllocColorCells(), _XkbReadGetDeviceInfoReply(), _XkbReadGeomShapes(), _XkbReadGetGeometryReply(), _XkbReadKeySyms(), _XkbReadKeyActions(), _XkbReadKeyBehaviors(), _XkbReadModifierMap(), _XkbReadExplicitComponents(), _XkbReadVirtualModMap(), _XkbReadGetNamesReply(), _XkbReadGetMapReply(), _XimXGetReadData(), XListFonts(), XListExtensions(), XGetFontPath()
- CVE-2013-1998: libXi 1.7.1 and earlier
- Affected functions: XGetDeviceButtonMapping(), _XIPassiveGrabDevice(), XQueryDeviceState()
- CVE-2013-2066: libXv 1.0.7 and earlier
- Affected functions: XvQueryPortAttributes()
- CVE-2013-1999: libXvMC 1.0.7 and earlier
- Affected functions: XvMCGetDRInfo()
- CVE-2013-2000: libXxf86dga 1.1.3 and earlier
- Affected functions: XDGAQueryModes(), XDGASetMode()
- CVE-2013-2001: libXxf86vm 1.1.2 and earlier
- Affected functions: XF86VidModeGetGammaRamp()
- CVE-2013-2002: libXt 1.1.3 and earlier
- Affected functions: _XtResourceConfigurationEH()
- integer overflows parsing user-specified files
- These calls do not check that their calculations for how much memory is needed to handle the data being read have not overflowed, so they can allocate too little memory and then write the data read past the end of the allocated buffer.
- CVE-2013-1981: libX11 1.5.99.901 (1.6 RC1) and earlier
- Affected functions: LoadColornameDB(), XrmGetFileDatabase(), _XimParseStringFile(), TransFileName()
- CVE-2013-2003: libXcursor 1.1.13 and earlier
- Affected functions: _XcursorFileHeaderCreate()
- unbounded recursion parsing user-specified files
- These calls read in files and handle C-style '#include' directives to include other files, and have no limit on how many levels deep they will go, including allowing files to #include themselves, until the stack overflows from the recursive function calls.
- CVE-2013-2004: libX11 1.5.99.901 (1.6 RC1) and earlier
- Affected functions: GetDatabase(), _XimParseStringFile()
- memory corruption due to unchecked return values
- These calls assume that pointers are properly initialized by the XGetWindowProperty() function and don't check for failure of the function to return a valid window property, which can lead to use of uninitialized pointers for reading, writing, or passing to functions such as free(). XGetWindowProperty() in libX11 1.5.99.901 (1.6 RC1) and earlier did not ensure returned pointers were initialized to NULL when returning a failure (this is fixed in libX11 1.5.99.902 and later).
- CVE-2013-2005: libXt 1.1.3 and earlier
- Affected functions: ReqCleanup(), HandleSelectionEvents(), ReqTimedOut(), HandleNormal(), HandleSelectionReplies()
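As an added illustration of the first two vulnerability classes listed above (overflowed and sign-extended reply size calculations) and of the check the fixes introduce, not code from the advisory or from any X.Org library: the reply layout, record sizes and field names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a reply header as a client library sees it after
 * the network read; every field is chosen by the server. The layout is an
 * assumption for this example, not any real X protocol reply. */
typedef struct {
    uint32_t    length;   /* data after the header in 4-byte units, as X replies declare it */
    uint32_t    nitems;   /* count of fixed-size records that follow */
    signed char nclasses; /* 8-bit count read into a signed type, as in the sign-extension bugs */
} reply_hdr;

#define ITEM_SIZE  40u    /* assumed per-record size */
#define CLASS_SIZE 4u     /* assumed per-class size */

/* Pre-fix pattern: a 32-bit multiply of a server-chosen count, plus an 8-bit
 * count sign-extended to int. nitems = 0x40000000 wraps the product to 0, so
 * the library would allocate nothing and then copy nitems records into it;
 * a class byte of 0x80 becomes -128 and drags the total negative. */
int32_t unsafe_reply_bytes(const reply_hdr *h)
{
    return (int32_t)(h->nitems * ITEM_SIZE) + h->nclasses * (int32_t)CLASS_SIZE;
}

/* Post-fix pattern: widen before multiplying, refuse a product or sum that
 * cannot be represented, treat the 8-bit count as unsigned, and require the
 * total to fit inside the byte count the reply actually declares, so the
 * allocation can never be smaller than the data written into it. */
int safe_reply_bytes(const reply_hdr *h, size_t *out)
{
    unsigned nclasses = (unsigned char)h->nclasses;   /* no sign extension */
    if (h->nitems > SIZE_MAX / ITEM_SIZE)
        return 0;                                     /* multiply would overflow */
    size_t bytes = (size_t)h->nitems * ITEM_SIZE;
    if ((size_t)nclasses * CLASS_SIZE > SIZE_MAX - bytes)
        return 0;                                     /* add would overflow */
    bytes += (size_t)nclasses * CLASS_SIZE;
    if (bytes > (size_t)h->length * 4)
        return 0;                                     /* more data than the server sent */
    *out = bytes;
    return 1;
}
```

The declared-length comparison is the part that remains useful on 64-bit builds, where the multiply itself no longer wraps but a dishonest count still has to be rejected before anything is read into the buffer.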
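As an added illustration of the unbounded-recursion class above (a file that #includes itself until the stack overflows) and of the depth cap that stops it, not code from the advisory or from libX11's Xrm parser: the in-memory files, the parser and the MAX_INCLUDE_DEPTH value are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed in-memory stand-ins for resource files (this example's fixture,
 * not libX11's Xrm code): a.db includes itself, as the advisory describes. */
typedef struct { const char *name; const char *body; } vfile;
static const vfile files[] = {
    { "a.db", "#include \"a.db\"\nfoo: 1\n" },
    { "b.db", "#include \"c.db\"\nbar: 2\n" },
    { "c.db", "baz: 3\n" },
};
#define MAX_INCLUDE_DEPTH 8   /* assumed cap; the fix is having one at all */

static const char *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].name, name) == 0)
            return files[i].body;
    return NULL;
}

/* Parses one file, following #include lines recursively. Returns the number of
 * "key: value" entries found, or -1 for a missing file, a malformed directive,
 * or nesting deeper than MAX_INCLUDE_DEPTH: the depth check is what turns a
 * self-include into an error instead of a stack overflow. */
int load_db(const char *name, int depth)
{
    const char *body = lookup(name);
    if (body == NULL || depth > MAX_INCLUDE_DEPTH) return -1;
    int entries = 0;
    while (*body) {
        const char *eol = strchr(body, '\n');
        size_t len = eol ? (size_t)(eol - body) : strlen(body);
        if (len > 11 && strncmp(body, "#include \"", 10) == 0) {
            char inc[64];
            size_t n = len - 11;          /* strip '#include "' and the closing quote */
            if (n >= sizeof inc || body[len - 1] != '"') return -1;
            memcpy(inc, body + 10, n);
            inc[n] = '\0';
            int sub = load_db(inc, depth + 1);
            if (sub < 0) return -1;
            entries += sub;
        } else if (memchr(body, ':', len) != NULL) {
            entries++;
        }
        body = eol ? eol + 1 : body + len;
    }
    return entries;
}
```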
Affected Versions
X.Org believes all prior versions of these libraries contain these flaws, dating back to their introduction.
Versions of the X libraries built on top of the Xlib bridge to the XCB framework are vulnerable to fewer issues than those without, due to the added safety and consistency assertions in the XCB calls to read data from the network, but most of these vulnerabilities are not caught by those checks.
Fixes
Fixes are available in these git commits:
Note that many of these patches depend on being applied in the same order as they are in git, or on other non-CVE patches in git, and won't necessarily apply in the order listed here to previous tarball releases.
- CVE-2013-1981: libX11 1.5.99.901 (1.6 RC1) and earlier
- 6df8a63d34b7514077188e2062a13774f920c085 integer overflow in _XQueryFont() on 32-bit platforms (CVE-2013-1981 1/13)
- 5669a220816b7d58fcaf0c302ead16fbe5c87817 integer overflow in _XF86BigfontQueryFont() (CVE-2013-1981 2/13)
- 39515b7c3ba8cae9021bf6695e378ae19487082f integer overflow in XListFontsWithInfo() (CVE-2013-1981 3/13)
- 1f6a3dbf699b85c0ea715ef21de7e7095a714e12 integer overflow in XGetMotionEvents() (CVE-2013-1981 4/13)
- 2cd62b5eb99ffbb2fce99f3c459455e630b35bf7 integer overflow in XListHosts() (CVE-2013-1981 5/13)
- 90fd5abac2faca86f9f100353a3c9c7b89f31484 Integer overflows in stringSectionSize() cause buffer overflow in ReadColornameDB() (CVE-2013-1981 6/13)
- 076428918e6c35f66b9b55c3fa097ff06496d155 integer overflow in ReadInFile() in Xrm.c (CVE-2013-1981 7/13)
- 460e8a223b87d4fa0ea1e97823e998a770e0f2a2 integer truncation in _XimParseStringFile() (CVE-2013-1981 8/13)
- 164bf4dfe839b1cc75cdeee378a243d04a8200e4 integer overflows in TransFileName() (CVE-2013-1981 9/13)
- 79d8dc08eb98842173ce239b9dd60df0e9e9ae72 integer overflow in XGetWindowProperty() (CVE-2013-1981 10/13)
- 833f6b70bc789d33607f6dbfee9e0a4178ec4b59 integer overflow in XGetImage() (CVE-2013-1981 11/13)
- a351b8103b2ba78882e1c309e85893ca3abe2073 integer overflow in XGetPointerMapping() & XGetKeyboardMapping() (CVE-2013-1981 12/13)
- 0b0f5d4358c3de7563d6af03f0d2ce454702a06a integer overflow in XGetModifierMapping() (CVE-2013-1981 13/13)
- CVE-2013-1982: libXext 1.3.1 and earlier
- d05f27a6f74cb419ad5a437f2e4690b17e7faee5 integer overflow in XcupGetReservedColormapEntries() (CVE-2013-1982 1/6)
- 082d70b19848059ba78c9d1c315114fb07e8c0ef integer overflow in XcupStoreColors() (CVE-2013-1982 2/6)
- 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8 several integer overflows in XdbeGetVisualInfo() (CVE-2013-1982 3/6)
- 67ecdcf7e29de9fa78b421122620525ed2c7db88 integer overflow in XeviGetVisualInfo() (CVE-2013-1982 4/6)
- 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2 integer overflow in XShapeGetRectangles() (CVE-2013-1982 5/6)
- dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649 integer overflow in XSyncListSystemCounters() (CVE-2013-1982 6/6)
- CVE-2013-1983: libXfixes 5.0 and earlier
- CVE-2013-1984: libXi 1.7.1 and earlier
- b0b13c12a8079a5a0e7f43b2b8983699057b2cec integer overflow in XGetDeviceControl() (CVE-2013-1984 1/8)
- 322ee3576789380222d4403366e4fd12fb24cb6a integer overflow in XGetFeedbackControl() (CVE-2013-1984 2/8)
- 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff integer overflow in XGetDeviceDontPropagateList() (CVE-2013-1984 3/8)
- bb922ed4253b35590f0369f32a917ff89ade0830 integer overflow in XGetDeviceMotionEvents() (CVE-2013-1984 4/8)
- 242f92b490a695fbab244af5bad11b71f897c732 integer overflow in XIGetProperty() (CVE-2013-1984 5/8)
- 528419b9ef437e7eeafb41bf45e8ff7d818bd845 integer overflow in XIGetSelectedEvents() (CVE-2013-1984 6/8)
- 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Avoid integer overflow in XGetDeviceProperties() (CVE-2013-1984 7/8)
- ef82512288d8ca36ac0beeb289f158195b0a8cae Avoid integer overflow in XListInputDevices() (CVE-2013-1984 8/8)
- CVE-2013-1985: libXinerama 1.1.2 and earlier
- CVE-2013-2062: libXp 1.0.1 and earlier
- babb1fc823ab3be192c48fe115feeb0d57f74d05 integer overflow in XpGetAttributes & XpGetOneAttribute (CVE-2013-2062 1/3)
- cc90f6be64bfd6973ae270b9bff494f577e1bda7 integer overflows in XpGetPrinterList() (CVE-2013-2062 2/3)
- e111065f6dd790c820fa67ea31055b18c68481e3 integer overflows in XpQueryScreens() (CVE-2013-2062 3/3)
- CVE-2013-1986: libXrandr 1.4.0 and earlier
- 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 integer overflow in XRRQueryOutputProperty() (CVE-2013-1986 1/4)
- 1da5b838c2a8565d4d95a4e948f951ce6b466345 integer overflow in XRRQueryProviderProperty() (CVE-2013-1986 2/4)
- 289a1927949e6f278c18d115772e454837702e35 integer overflow in XRRGetOutputProperty() (CVE-2013-1986 3/4)
- 4254bf0ee4c7a8f9d03841cf0d8e16cbb201dfbd integer overflow in XRRGetProviderProperty() (CVE-2013-1986 4/4)
- CVE-2013-1987: libXrender 0.9.7 and earlier
- e52853974664289fe42a92909667ed77cfa1cec5 integer overflow in XRenderQueryFilters() (CVE-2013-1987 1/3)
- 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 integer overflow in XRenderQueryFormats() (CVE-2013-1987 2/3)
- 786f78fd8df6d165ccbc81f306fd9f22b5c1551c integer overflow in XRenderQueryPictIndexValues() (CVE-2013-1987 3/3)
- CVE-2013-1988: libXRes 1.0.6 and earlier
- CVE-2013-2063: libXtst 1.2.1 and earlier
- CVE-2013-1989: libXv 1.0.7 and earlier
- 6e1b743a276651195be3cd68dff41e38426bf3ab integer overflow in XvQueryPortAttributes() (CVE-2013-1989 1/3)
- 59301c1b5095f7dc6359d5b396dbbcdee7038270 integer overflow in XvListImageFormats() (CVE-2013-1989 2/3)
- 50fc4cb18069cb9450a02c13f80223ef23511409 integer overflow in XvCreateImage() (CVE-2013-1989 3/3)
- CVE-2013-1990: libXvMC 1.0.7 and earlier
- CVE-2013-1991: libXxf86dga 1.1.3 and earlier
- CVE-2013-1992: libdmx 1.1.2 and earlier
- 78e11efe70d00063c830475eaaaa42f19380755d integer overflow in DMXGetScreenAttributes() (CVE-2013-1992 1/3)
- b6fe1a7af34ea620e002fc453f9c5eacf7db3969 integer overflow in DMXGetWindowAttributes() (CVE-2013-1992 2/3)
- 5074d9d64192bd04519a438062b7d5bf216d06ee integer overflow in DMXGetInputAttributes() (CVE-2013-1992 3/3)
- CVE-2013-2064: libxcb 1.9 and earlier
- CVE-2013-1993: libGLX in Mesa 9.1.1 and earlier
- CVE-2013-1994: libchromeXvMC & libchromeXvMCPro in openChrome 0.3.2 and earlier
- CVE-2013-1995: libXi 1.7.1 and earlier
- CVE-2013-1996: libFS 1.0.4 and earlier
- CVE-2013-1997: libX11 1.5.99.901 (1.6 RC1) and earlier
- cddc4e7e3cb4b9b7ad25f8591971a86901c249f2 unvalidated lengths in XAllocColorCells() (CVE-2013-1997 1/15)
- f293659d5a4024bda386305bb7ebeb4647c40934 unvalidated index in _XkbReadGetDeviceInfoReply() (CVE-2013-1997 2/15)
- bff938b9fe1629cbacb726509edfa2a3840b7207 unvalidated indexes in _XkbReadGeomShapes() (CVE-2013-1997 3/15)
- 59ae16a00d18588e98af57d26e442af8ea42b7aa unvalidated indexes in _XkbReadGetGeometryReply() (CVE-2013-1997 4/15)
- fd7d4956bc7a1c4b5c38661b12777ebee4d685d9 unvalidated index in _XkbReadKeySyms() (CVE-2013-1997 5/15)
- 00626c3830b869259098985afa38933d77ccec72 unvalidated index in _XkbReadKeyActions() (CVE-2013-1997 6/15)
- 06c086e8a1d8374ea9a95ff989f053c96bb1bdca unvalidated index in _XkbReadKeyBehaviors() (CVE-2013-1997 7/15)
- e56a2ada719c5cfac5ed61a52a80ade86c0f5957 unvalidated index in _XkbReadModifierMap() (CVE-2013-1997 8/15)
- 4d7c422a37eb9617fb22f8e37527c2b34b105665 unvalidated index in _XkbReadExplicitComponents() (CVE-2013-1997 9/15)
- 2df882eeb3a70256170127a746a9ba26376599a1 unvalidated index in _XkbReadVirtualModMap() (CVE-2013-1997 10/15)
- de2e6c322c4aca22856b380f67f8e488e7510015 unvalidated index/length in _XkbReadGetNamesReply() (CVE-2013-1997 11/15)
- b9ba832401734e1cbd30a930c0d11d850293f3f9 unvalidated length in _XimXGetReadData() (CVE-2013-1997 12/15)
- 0c404db6a92dc2c198328bf586c02d8abbe02013 Avoid overflows in XListFonts() (CVE-2013-1997 13/15)
- 8d5936594993921acdfec778dd8f41b555e2543a Avoid overflows in XGetFontPath() (CVE-2013-1997 14/15)
- db1b1c871da29aa0545182bf888df81627f165a5 Avoid overflows in XListExtensions() (CVE-2013-1997 15/15)
- CVE-2013-1998: libXi 1.7.1 and earlier
- f3e08e4fbe40016484ba795feecf1a742170ffc1 Stack buffer overflow in XGetDeviceButtonMapping() (CVE-2013-1998 1/3)
- 91434737f592e8f5cc1762383882a582b55fc03a memory corruption in _XIPassiveGrabDevice() (CVE-2013-1998 2/3)
- 5398ac0797f7516f2c9b8f2869a6c6d071437352 unvalidated lengths in XQueryDeviceState() (CVE-2013-1998 3/3)
- CVE-2013-2066: libXv 1.0.7 and earlier
- CVE-2013-1999: libXvMC 1.0.7 and earlier
- CVE-2013-2000: libXxf86dga 1.1.3 and earlier
- CVE-2013-2001: libXxf86vm 1.1.2 and earlier
- CVE-2013-2002: libXt 1.1.3 and earlier
- CVE-2013-2003: libXcursor 1.1.13 and earlier
- CVE-2013-2004: libX11 1.5.99.901 (1.6 RC1) and earlier
- CVE-2013-2005: libXt 1.1.3 and earlier
Fixes are also included in these module releases from X.Org:
- libX11 1.5.99.902 (1.6 RC2)
- libXcursor 1.1.14
- libXext 1.3.2
- libXfixes 5.0.1
- libXi 1.6.2.901 (1.6.3 RC1)
- libXinerama 1.1.3
- libXp 1.0.2
- libXrandr 1.4.1
- libXrender 0.9.8
- libXRes 1.0.7
- libXtst 1.2.2
- libXv 1.0.8
- libXvMC 1.0.8
- libXxf86dga 1.1.4
- libXxf86vm 1.1.3
- libdmx 1.1.3
- libxcb 1.9.1
- libFS 1.0.5
- libXt 1.1.4
or releases from our sister projects:
Thanks
X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our security team and assisting them in understanding them and evaluating our fixes, and Alan Coopersmith of Oracle for coordinating the X.Org response and developing the fixes for these issues.