X.Org Security Advisory: May 23, 2013

Protocol handling issues in X Window System client libraries

Description

Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues.

Most of these issues stem from the client libraries trusting the server to send correct protocol data, and not verifying that the values will not overflow or cause other damage. Most of the time X clients & servers are run by the same user, with the server more privileged from the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges.

The X.Org security team would like to take this opportunity to remind X client authors that current best practices suggest separating code that requires privileges from the GUI, to reduce the attack surface of issues like this.

The vulnerabilities include:

  • integer overflows calculating memory needs for replies
    • These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer.
    • CVE-2013-1981: libX11 1.5.99.901 (1.6 RC1) and earlier
      • Affected functions: XQueryFont(), _XF86BigfontQueryFont(), XListFontsWithInfo(), XGetMotionEvents(), XListHosts(), XGetModifierMapping(), XGetPointerMapping(), XGetKeyboardMapping(), XGetWindowProperty(), XGetImage()
    • CVE-2013-1982: libXext 1.3.1 and earlier
      • Affected functions: XcupGetReservedColormapEntries(), XcupStoreColors(), XdbeGetVisualInfo(), XeviGetVisualInfo(), XShapeGetRectangles(), XSyncListSystemCounters()
    • CVE-2013-1983: libXfixes 5.0 and earlier
      • Affected functions: XFixesGetCursorImage()
    • CVE-2013-1984: libXi 1.7.1 and earlier
      • Affected functions: XGetDeviceControl(), XGetFeedbackControl(), XGetDeviceDontPropagateList(), XGetDeviceMotionEvents(), XIGetProperty(), XIGetSelectedEvents(), XGetDeviceProperties(), XListInputDevices()
    • CVE-2013-1985: libXinerama 1.1.2 and earlier
      • Affected functions: XineramaQueryScreens()
    • CVE-2013-2062: libXp 1.0.1 and earlier
      • Affected functions: XpGetAttributes(), XpGetOneAttribute(), XpGetPrinterList(), XpQueryScreens()
    • CVE-2013-1986: libXrandr 1.4.0 and earlier
      • Affected functions: XRRQueryOutputProperty(), XRRQueryProviderProperty() [XRRQueryProviderProperty() was introduced in libXrandr 1.4.0 and is not found in 1.3.2 and older releases.]
    • CVE-2013-1987: libXrender 0.9.7 and earlier
      • Affected functions: XRenderQueryFilters(), XRenderQueryFormats(), XRenderQueryPictIndexValues()
    • CVE-2013-1988: libXRes 1.0.6 and earlier
      • Affected functions: XResQueryClients(), XResQueryClientResources()
    • CVE-2013-2063: libXtst 1.2.1 and earlier
      • Affected functions: XRecordGetContext()
    • CVE-2013-1989: libXv 1.0.7 and earlier
      • Affected functions: XvQueryPortAttributes(), XvListImageFormats(), XvCreateImage()
    • CVE-2013-1990: libXvMC 1.0.7 and earlier
      • Affected functions: XvMCListSurfaceTypes(), XvMCListSubpictureTypes()
    • CVE-2013-1991: libXxf86dga 1.1.3 and earlier
      • Affected functions: XDGAQueryModes(), XDGASetMode()
    • CVE-2013-1992: libdmx 1.1.2 and earlier
      • Affected functions: DMXGetScreenAttributes(), DMXGetWindowAttributes(), * DMXGetInputAttributes()
    • CVE-2013-2064: libxcb 1.9 and earlier
      • Affected functions: read_packet()
    • CVE-2013-1993: libGLX in Mesa 9.1.1 and earlier
      • Affected functions: XF86DRIOpenConnection(), XF86DRIGetClientDriverName()
    • CVE-2013-1994: libchromeXvMC & libchromeXvMCPro in openChrome 0.3.2 and earlier
      • Affected functions: uniDRIOpenConnection(), uniDRIGetClientDriverName()
  • sign extension issues calculating memory needs for replies
    • These calls do not check that their calculations for how much memory is needed to handle the returned data have not had sign extension issues when converting smaller integer types to larger ones, leading to negative numbers being used in memory size calculations that can result in allocating too little memory and then writing the returned data past the end of the allocated buffer.
    • CVE-2013-1995: libXi 1.7.1 and earlier
      • Affected functions: XListInputDevices()
    • CVE-2013-1996: libFS 1.0.4 and earlier
      • Affected functions: FSOpenServer()
  • buffer overflows due to not validating length or offset values in replies
    • These calls do not check that the lengths and/or indexes returned by the server are within the bounds specified by the caller or the bounds of the memory allocated by the function, so could write past the bounds of allocated memory when storing the returned data.
    • CVE-2013-1997: libX11 1.5.99.901 (1.6 RC1) and earlier
      • Affected functions: XAllocColorCells(), _XkbReadGetDeviceInfoReply(), _XkbReadGeomShapes(), _XkbReadGetGeometryReply(), _XkbReadKeySyms(), _XkbReadKeyActions(), _XkbReadKeyBehaviors(), _XkbReadModifierMap(), _XkbReadExplicitComponents(), _XkbReadVirtualModMap(), _XkbReadGetNamesReply(), _XkbReadGetMapReply(), _XimXGetReadData(), XListFonts(), XListExtensions(), XGetFontPath()
    • CVE-2013-1998: libXi 1.7.1 and earlier
      • Affected functions: XGetDeviceButtonMapping(), _XIPassiveGrabDevice(), XQueryDeviceState()
    • CVE-2013-2066: libXv 1.0.7 and earlier
      • Affected functions: XvQueryPortAttributes()
    • CVE-2013-1999: libXvMC 1.0.7 and earlier
      • Affected functions: XvMCGetDRInfo()
    • CVE-2013-2000: libXxf86dga 1.1.3 and earlier
      • Affected functions: XDGAQueryModes(), XDGASetMode()
    • CVE-2013-2001: libXxf86vm 1.1.2 and earlier
      • Affected functions: XF86VidModeGetGammaRamp()
    • CVE-2013-2002: libXt 1.1.3 and earlier
      • Affected functions: _XtResourceConfigurationEH()
  • integer overflows parsing user-specified files
    • These calls do not check that their calculations for how much memory is needed to handle the data being read have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer.
    • CVE-2013-1981: libX11 1.5.99.901 (1.6 RC1) and earlier
      • Affected functions: LoadColornameDB(), XrmGetFileDatabase(), _XimParseStringFile(), TransFileName()
    • CVE-2013-2003: libXcursor 1.1.13 and earlier
      • Affected functions: _XcursorFileHeaderCreate()
  • unbounded recursion parsing user-specified files
    • These calls read in files and handle C-style '#include' directives to include other files, and have no limit for how many levels deep they will go, including allowing files to #include themselves, until the stack overflows from the recursive function calling patterns.
    • CVE-2013-2004: libX11 1.5.99.901 (1.6 RC1) and earlier
      • Affected functions: GetDatabase(), _XimParseStringFile()
  • memory corruption due to unchecked return values
    • These calls assume that pointers are properly initialized by the XGetWindowProperty() function and don't check for failure of the function to return a valid window property, which can lead to use of uninitialized pointers for reading, writing, or passing to functions such as free(). XGetWindowProperty() in libX11 1.5.99.901 (1.6RC1) and earlier did not ensure returned pointers were initialized to NULL when returning a failure (this is fixed in libX11 1.5.99.902 and later).
    • CVE-2013-2005: libXt 1.1.3 and earlier
      • Affected functions: ReqCleanup(), HandleSelectionEvents(), ReqTimedOut(), HandleNormal(), HandleSelectionReplies()

Affected Versions

X.Org believes all prior versions of these libraries contain these flaws, dating back to their introduction.

Versions of the X libraries built on top of the Xlib bridge to the XCB framework are vulnerable to fewer issues than those without, due to the added safety and consistency assertions in the XCB calls to read data from the network, but most of these vulnerabilities are not caught by those checks.

Fixes

Fixes are available in these git commits:

Note that many of these patches depend on being applied in the same order as they are in git, or on other non-CVE patches in git, and won't necessarily apply in the order listed here to previous tarball releases.

Fixes are also included in these module releases from X.Org:

or releases from our sister projects:

Thanks

X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our security team and assisting them in understanding them and evaluating our fixes, and Alan Coopersmith of Oracle for coordinating the X.Org response and developing the fixes for these issues.