NetBSD-Announce archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2013-010: Use after free in Xserver handling of ImageText requests



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                NetBSD Security Advisory 2013-010
                =================================

Topic:          Use after free in Xserver handling of ImageText requests


Version:        NetBSD-current:         source prior to Oct 8th, 2013
                NetBSD 6.1 - 6.1.2:     affected
                NetBSD 6.0 - 6.0.3:     affected
                NetBSD 5.1 - 5.1.2:     affected
                NetBSD 5.2:             affected

Severity:       DoS, potential Code Execution

Fixed:          NetBSD-current:         Oct 8th, 2013
                NetBSD-6-0 branch:      Oct 12th, 2013
                NetBSD-6-1 branch:      Oct 12th, 2013
                NetBSD-6 branch:        Oct 12th, 2013
                NetBSD-5-2 branch:      Oct 13th, 2013
                NetBSD-5-1 branch:      Oct 13th, 2013
                NetBSD-5 branch:        Oct 13th, 2013

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An authenticated X11 client can cause an X11 server to use memory after
it was freed, potentially leading to a crash and/or memory corruption.

This vulnerability has been assigned CVE-2013-4396.


Technical Details
=================

A use-after-free vulnerability in the doImageText function in
dix/dixfonts.c in the X server allows remote authenticated users
to cause a denial of service or to conceivably execute arbitrary
code via a crafted ImageText request that triggers memory-allocation
failure.

The error was present in X11R6, and thus is in both XFree and Xorg.


Solutions and Workarounds
=========================

Workaround: don't let untrustworthy clients (i.e. both other networked
servers and clients as well as graphical programs) attach to your X11
server.

Solutions:

- - Update the Xserver from a daily build later than the fix date:
  fetch from
  http://nyftp.NetBSD.org/pub/NetBSD-daily/<branch>/<date>/<arch>/
  the file binary/sets/xserver.tgz

  cd / && tar xzpf <path/to/xserver.tgz>

- - rebuild your system with the fix applied:

  Files to fix are:
  XFree:        xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c
  XOrg:         xsrc/external/mit/xorg-server/dist/dix/dixfonts.c
  
  Xorg fixed versions are:
  HEAD          1.2
  netbsd-6      1.1.1.5.2.1
  netbsd-6-1    1.1.1.5.6.1
  netbsd-6-0    1.1.1.5.4.1
  netbsd-5      1.1.1.1.2.2
  netbsd-5-2    1.1.1.1.2.1.4.1
  netbsd-5-1    1.1.1.1.2.1.2.1
  
  Xfree fixed versions are:
  HEAD          1.4
  netbsd-6      1.3.2.1
  netbsd-6-1    1.3.6.1
  netbsd-6-0    1.3.4.1
  netbsd-5      1.2.8.1
  netbsd-5-2    1.2.14.1
  netbsd-5-1    1.2.12.1

  Don't forget the -x argument for build.sh.


Thanks To
=========

Thanks to X.Org for their advisory, which this one liberally derives
from.


Revision History
================

        2013-11-13      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2013, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2013-010.txt,v 1.2 2013/11/13 00:44:05 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)

iQIcBAEBAgAGBQJSgstiAAoJEAZJc6xMSnBu9IcP/AhWZhOeFqW+InE8k3AmM9Lk
ZagmXSi7WUt9TQq5Z8/MFGCFpT/rbfsXJmo0t2b6yJZXc7u5zAn689QMU7Dapqnl
SwXDLwYnGwjfQW7D+0XwBqBZ/u5Qeg4q0jAgydMYaKOt0R6nULJR+y4I3wgsUpcT
mHogImFBd2Czhg3aIzmyYa/81oK6MRsNw3hHM+rYGldH5ulb3h3qbl/7nCCZMqLW
PojD9jMpzj/qfneNSDSYPA2pb1UbkPAXzdynw8pvdd2kKFspj/Li/fcXE4Pilj0M
5S+e69kK/dPl6JPjcH4FGzVVILZzJYL7JWoMJbi0xP5O9zLBJm0uk0VV1CyN5Awz
7mimttl3Ee+S5YcRi6Dp1yDI/0va9QTj4PBLMpJUmPSweMdftwZzzIwifMdyqwCZ
KiGVHR2MtKyuHiBy2dN6FYvle1hOVOrSWb5fQ8Grahi7/2anITCC5g+q0Br82Ujl
YkitMbSAyB7v4KXGBjUJ99hEAFFHWvansZKT2wZxzCKeY/rx+kGhwbzUmlT/y5U0
b3XmwhpXllTeaOVlY75TROtrJUcOLo7FfoP1lcMyBsr/1BtCOtL3lQAhAzI43l0D
HAx8DwBf79/tBgBNBc7w8JLZO5ZViycyWoTqcRE1b4TN7ODZMCrKvhAnlONUTDU7
9w9CJUE8bWxllg8Cfuhf
=WHDD
-----END PGP SIGNATURE-----


Home | Main Index | Thread Index | Old Index