NetBSD Security Advisory 2015-001: Protocol handling issues in X Window System servers

[NetBSD Security Officer <security-officer%NetBSD.org@localhost>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2015-001
		 =================================

Topic:		Protocol handling issues in X Window System servers

Version:	NetBSD-current:		affected prior to 2014-12-22
		NetBSD 7_BETA*:		affected
		NetBSD 6.1*:		affected 
		NetBSD 6.0*:		affected
		NetBSD 5.2*:		affected
		NetBSD 5.1*:		affected
		pkgsrc:			x11/xorg-server package prior 1.12.4nb7

Severity:	Local Privilege Escalation, Arbitrary Code Execuation

Fixed:		NetBSD-current:		December 22th, 2014
		NetBSD-7 branch:	December 22th, 2014
		NetBSD-6 branch:	December 22th, 2014
		NetBSD-6-1 branch:	December 22th, 2014
		NetBSD-6-0 branch:	December 22th, 2014
		NetBSD-5 branch:	December 22th, 2014
		NetBSD-5-2 branch:	December 22th, 2014
		NetBSD-5-1 branch:	December 22th, 2014
		pkgsrc 2014Q4:		xorg-server-1.12.4nb7 corrects this issue

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A large number of issues in the way the Xorg server processes requests
have been discovered by Ilja van Sprundel, a security researcher with
IOActive.  These issues could allow local users the ability to attack
a setuid Xorg server.

These problems are documented in CVE-2014-8091 to CVS-2014-8103.

http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

Additionally, CVE-2013-6424 is also fixed with these updates.


Technical Details
=================

The issues come in 3 main categories:

- - Denial of service due to unchecked malloc in client authentication

	CVE-2014-8091: SUN-DES-1

- - Integer overflows calculating memory needs for requests

	CVE-2014-8092: X11 core protocol requests
	CVE-2014-8093: GLX extension
	CVE-2014-8094: DRI2 extension
	CVE-2013-6424: EXA and render extensions

- - Out of bounds access due to not validating length or offset values in requests

	CVE-2014-8095: XInput extension
	CVE-2014-8096: XC-MISC extension
	CVE-2014-8097: DBE extension
	CVE-2014-8098: GLX extension
	CVE-2014-8099: XVideo extension
	CVE-2014-8100: Render extension
	CVE-2014-8101: RandR extension
	CVE-2014-8102: XFixes extension
	CVE-2014-8103: DRI3 & Present extensions


Solutions and Workarounds
=========================

To apply a fixed version from a releng build, fetch a fitting xserver.tgz
from nyftp.netbsd.org and extract the fixed binaries:

cd /var/tmp
ftp http://nyftp.netbsd.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/xserver.tgz
cd /
tar xzpf /var/tmp/xserver.tgz ./usr/X11R?/bin/X\*
tar xzpf /var/tmp/xserver.tgz ./usr/X11R?/lib/modules/extensions

as well as architecture-specific X servers.

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. 20141223* and later will fit
ARCH  = your system's architecture


The following instructions describe how to upgrade your Xorg server
binaries by updating your source tree and rebuilding and
installing a new version of Xorg server.

The following instructions describe how to upgrade your Xorg server
binaries by updating your source tree and rebuilding and installing
a new version of Xorg server.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2014-12-21
	should be upgraded to NetBSD-current dated 2014-12-22 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		xsrc/external/mit/xorg-server/dist
		xsrc/xfree/xc/programs/Xserver

	To update from CVS, re-build, and re-install Xorg server:
		# cd xsrc
		# cvs update -d -P external/mit/xorg-server/dist
		# cd ..
		# cd src
		# cd external/mit/xorg/server/xorg-server
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

	For the acorn32, alpha, amiga, mac68k, pmax and sun3 ports,
	the following instructions should be used:
		# cd xsrc
		# cvs update -d -P xfree/xc/programs/Xserver
		# cd ..
		# cd src
		# cd x11/Xserver
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 6.*:

	Systems running NetBSD 6.* sources dated from before
	2014-12-21 should be upgraded from NetBSD 6.* sources dated
	2014-12-22 or later.

	The following files/directories need to be updated from the
	netbsd-6, netbsd-6-1 or netbsd-6-0 branches:
		xsrc/external/mit/xorg-server/dist
		xsrc/xfree/xc/programs/Xserver

	To update from CVS, re-build, and re-install Xorg server:
		# cd xsrc
		# cvs update -d -P external/mit/xorg-server/dist
		# cd ..
		# cd src
		# cd external/mit/xorg/server/xorg-server
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

	For the acorn32, alpha, amiga, ews4800mips, mac68k, newsmips,
	pmax, sun3 and x68k ports, the following instructions should
	be used:
		# cd xsrc
		# cvs update -d -P xfree/xc/programs/Xserver
		# cd ..
		# cd src
		# cd x11/Xserver
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 5.*:

	Systems running NetBSD 5.* sources dated from before
	2014-12-21 should be upgraded from NetBSD 5.* sources dated
	2014-12-22 or later.

	The following files/directories need to be updated from the
	netbsd-5, netbsd-5-2 or netbsd-5-1 branches:
		xsrc/external/mit/xorg-server/dist
		xsrc/xfree/xc/programs/Xserver

	To update from CVS, re-build, and re-install Xorg server:
		# cd xsrc
		# cvs update -d -P external/mit/xorg-server/dist
		# cd ..
		# cd src
		# cd external/mit/xorg/server/xorg-server
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

	For all but the amd64, i386, macppc, sgimips, shark and sparc64
	ports, the following instructions should be used:
		# cd xsrc
		# cvs update -d -P xfree/xc/programs/Xserver
		# cd ..
		# cd src
		# cd x11/Xserver
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========

Thanks to Ilja van Sprundel, IOActive and the Xorg security team for finding
and patching these issues.  Thanks to Matthew Green for backporting the fixes
to all active NetBSD branches and server sources.


Revision History
================

	2015-01-08	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2015-001.txt,v 1.1 2015/01/08 21:02:23 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUrvCCAAoJEAZJc6xMSnBu/aoP+wUI2nUTJDo+OfjPIzyZtXE0
w3yO5v1xHeGRoX/i8mLaa9mcEoynL7ak75EjdASzTEW4g6Z+ufUbEcTRX1zTIDYp
uR+71zS3a0g2X5+d59HzU3kVYCkw/3R3SpMzHvprivIzEmMUyLFRwYCsE6Vwc/Ww
Z++NB5XPiLr4KOpw9gfvzZnvvznUY73hTr/7TSNdmvIhskzZAx/Mpza8lS5Gii7Q
qXPOfdct0UNjE99a90V6inBm7HgoAvsayX38NriKYHboy3v89lUNzh/HBi3q+VOZ
DB1jx6CCbCqWh1tXWlugcE6TbOWHE7S5CS0DhdgZgG7XrpD1goBiLizztFIa9Sep
gUTsRPHTT7Cq+SgsUquY+PV09Pu1DABcZHOW62h3OYIKg7S6MrD4YOrf9HUKnwop
hWaxtwg6Px3BtKGoltYkNNOt/lyQgWXfXMHMLZGmlpGD6l7IvQssHnYYvhDL3rv/
38o6WJCKJG8BXwSaBVBFamINs7g98wEkYKfTNX7nCVb/Ci8lebrVZCNlzp/Whemi
gpvWTOv84ge+7TxI5c3FKwdJcagAKoq/ALvXtQTWlgJbfTQlOXMehmt5S3FhCxi7
z8m2mngOMuJzOnoVOyyNYzPdsC8PRYBbJjI/FcYAB1ejXhNRqWVE8VjWs42wWkdx
QBjFOlNiXtHb+Er9HjRc
=HV5g
-----END PGP SIGNATURE-----