NetBSD Security Advisory 2015-001: Protocol handling issues in X Window System servers
8 January, 2015 by security-officer@NetBSD.org | netbsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2015-001 ================================= Topic: Protocol handling issues in X Window System servers Version: NetBSD-current: affected prior to 2014-12-22 NetBSD 7_BETA*: affected NetBSD 6.1*: affected NetBSD 6.0*: affected NetBSD 5.2*: affected NetBSD 5.1*: affected pkgsrc: x11/xorg-server package prior 1.12.4nb7 Severity: Local Privilege Escalation, Arbitrary Code Execuation Fixed: NetBSD-current: December 22th, 2014 NetBSD-7 branch: December 22th, 2014 NetBSD-6 branch: December 22th, 2014 NetBSD-6-1 branch: December 22th, 2014 NetBSD-6-0 branch: December 22th, 2014 NetBSD-5 branch: December 22th, 2014 NetBSD-5-2 branch: December 22th, 2014 NetBSD-5-1 branch: December 22th, 2014 pkgsrc 2014Q4: xorg-server-1.12.4nb7 corrects this issue Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== A large number of issues in the way the Xorg server processes requests have been discovered by Ilja van Sprundel, a security researcher with IOActive. These issues could allow local users the ability to attack a setuid Xorg server. These problems are documented in CVE-2014-8091 to CVS-2014-8103. http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/ Additionally, CVE-2013-6424 is also fixed with these updates. Technical Details ================= The issues come in 3 main categories: - - Denial of service due to unchecked malloc in client authentication CVE-2014-8091: SUN-DES-1 - - Integer overflows calculating memory needs for requests CVE-2014-8092: X11 core protocol requests CVE-2014-8093: GLX extension CVE-2014-8094: DRI2 extension CVE-2013-6424: EXA and render extensions - - Out of bounds access due to not validating length or offset values in requests CVE-2014-8095: XInput extension CVE-2014-8096: XC-MISC extension CVE-2014-8097: DBE extension CVE-2014-8098: GLX extension CVE-2014-8099: XVideo extension CVE-2014-8100: Render extension CVE-2014-8101: RandR extension CVE-2014-8102: XFixes extension CVE-2014-8103: DRI3 & Present extensions Solutions and Workarounds ========================= To apply a fixed version from a releng build, fetch a fitting xserver.tgz from nyftp.netbsd.org and extract the fixed binaries: cd /var/tmp ftp http://nyftp.netbsd.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/xserver.tgz cd / tar xzpf /var/tmp/xserver.tgz ./usr/X11R?/bin/X\* tar xzpf /var/tmp/xserver.tgz ./usr/X11R?/lib/modules/extensions as well as architecture-specific X servers. with the following replacements: REL = the release version you are using BUILD = the source date of the build. 20141223* and later will fit ARCH = your system's architecture The following instructions describe how to upgrade your Xorg server binaries by updating your source tree and rebuilding and installing a new version of Xorg server. The following instructions describe how to upgrade your Xorg server binaries by updating your source tree and rebuilding and installing a new version of Xorg server. * NetBSD-current: Systems running NetBSD-current dated from before 2014-12-21 should be upgraded to NetBSD-current dated 2014-12-22 or later. The following files/directories need to be updated from the netbsd-current CVS branch (aka HEAD): xsrc/external/mit/xorg-server/dist xsrc/xfree/xc/programs/Xserver To update from CVS, re-build, and re-install Xorg server: # cd xsrc # cvs update -d -P external/mit/xorg-server/dist # cd .. # cd src # cd external/mit/xorg/server/xorg-server # make USETOOLS=no cleandir dependall # make USETOOLS=no install For the acorn32, alpha, amiga, mac68k, pmax and sun3 ports, the following instructions should be used: # cd xsrc # cvs update -d -P xfree/xc/programs/Xserver # cd .. # cd src # cd x11/Xserver # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 6.*: Systems running NetBSD 6.* sources dated from before 2014-12-21 should be upgraded from NetBSD 6.* sources dated 2014-12-22 or later. The following files/directories need to be updated from the netbsd-6, netbsd-6-1 or netbsd-6-0 branches: xsrc/external/mit/xorg-server/dist xsrc/xfree/xc/programs/Xserver To update from CVS, re-build, and re-install Xorg server: # cd xsrc # cvs update -d -P external/mit/xorg-server/dist # cd .. # cd src # cd external/mit/xorg/server/xorg-server # make USETOOLS=no cleandir dependall # make USETOOLS=no install For the acorn32, alpha, amiga, ews4800mips, mac68k, newsmips, pmax, sun3 and x68k ports, the following instructions should be used: # cd xsrc # cvs update -d -P xfree/xc/programs/Xserver # cd .. # cd src # cd x11/Xserver # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 5.*: Systems running NetBSD 5.* sources dated from before 2014-12-21 should be upgraded from NetBSD 5.* sources dated 2014-12-22 or later. The following files/directories need to be updated from the netbsd-5, netbsd-5-2 or netbsd-5-1 branches: xsrc/external/mit/xorg-server/dist xsrc/xfree/xc/programs/Xserver To update from CVS, re-build, and re-install Xorg server: # cd xsrc # cvs update -d -P external/mit/xorg-server/dist # cd .. # cd src # cd external/mit/xorg/server/xorg-server # make USETOOLS=no cleandir dependall # make USETOOLS=no install For all but the amd64, i386, macppc, sgimips, shark and sparc64 ports, the following instructions should be used: # cd xsrc # cvs update -d -P xfree/xc/programs/Xserver # cd .. # cd src # cd x11/Xserver # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Thanks to Ilja van Sprundel, IOActive and the Xorg security team for finding and patching these issues. Thanks to Matthew Green for backporting the fixes to all active NetBSD branches and server sources. Revision History ================ 2015-01-08 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-001.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2015, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2015-001.txt,v 1.1 2015/01/08 21:02:23 tonnerre Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUrvCCAAoJEAZJc6xMSnBu/aoP+wUI2nUTJDo+OfjPIzyZtXE0 w3yO5v1xHeGRoX/i8mLaa9mcEoynL7ak75EjdASzTEW4g6Z+ufUbEcTRX1zTIDYp uR+71zS3a0g2X5+d59HzU3kVYCkw/3R3SpMzHvprivIzEmMUyLFRwYCsE6Vwc/Ww Z++NB5XPiLr4KOpw9gfvzZnvvznUY73hTr/7TSNdmvIhskzZAx/Mpza8lS5Gii7Q qXPOfdct0UNjE99a90V6inBm7HgoAvsayX38NriKYHboy3v89lUNzh/HBi3q+VOZ DB1jx6CCbCqWh1tXWlugcE6TbOWHE7S5CS0DhdgZgG7XrpD1goBiLizztFIa9Sep gUTsRPHTT7Cq+SgsUquY+PV09Pu1DABcZHOW62h3OYIKg7S6MrD4YOrf9HUKnwop hWaxtwg6Px3BtKGoltYkNNOt/lyQgWXfXMHMLZGmlpGD6l7IvQssHnYYvhDL3rv/ 38o6WJCKJG8BXwSaBVBFamINs7g98wEkYKfTNX7nCVb/Ci8lebrVZCNlzp/Whemi gpvWTOv84ge+7TxI5c3FKwdJcagAKoq/ALvXtQTWlgJbfTQlOXMehmt5S3FhCxi7 z8m2mngOMuJzOnoVOyyNYzPdsC8PRYBbJjI/FcYAB1ejXhNRqWVE8VjWs42wWkdx QBjFOlNiXtHb+Er9HjRc =HV5g -----END PGP SIGNATURE-----