Bug 11428

Summary: xorg-x11-server - use-after-free flaw when handling ImageText requests (CVE-2013-4396)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: fundawang, lewyssmith, sysadmin-bugs, thierry.vignaud, tmb, wilcal.int
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570465/
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: x11-server CVE:
Status comment:

Description Oden Eriksson 2013-10-10 12:22:23 CEST 
======================================================
Name: CVE-2013-4396
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[oss-security] 20131008 Fwd: X.Org security advisory: CVE-2013-4396: Use after free in Xserver handling of ImageText requests
Reference: URL:http://openwall.com/lists/oss-security/2013/10/08/6
Reference: MLIST:[xorg-announce] 20131008 X.Org security advisory: CVE-2013-4396: Use after free in Xserver handling of ImageText requests
Reference: URL:http://lists.x.org/archives/xorg-announce/2013-October/002332.html
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1014561

Use-after-free vulnerability in the doImageText function in
dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11
allows remote authenticated users to cause a denial of service (daemon
crash) or possibly execute arbitrary code via a crafted ImageText
request that triggers memory-allocation failure.
Description of problem:




Reproducible: 

Steps to Reproduce:
David Walser 2013-10-10 19:28:41 CEST

Version: 2 => Cauldron
Assignee: bugsquad => thierry.vignaud
Summary: CVE-2013-4396: xorg-x11-server - use-after-free flaw when handling ImageText requests => xorg-x11-server - use-after-free flaw when handling ImageText requests (CVE-2013-4396)
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-10-11 00:31:38 CEST 
FYI the upstream patch applies in our Mageia 3 and Cauldron packages, but not in the Mageia 2 one.  It'll need rewritten for that version.

Severity: normal => major

Comment 2 David Walser 2013-10-11 10:27:35 CEST 
Updated by Funda.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in
the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated
users to cause a denial of service (daemon crash) or possibly execute arbitrary
code via a crafted ImageText request that triggers memory-allocation failure
(CVE-2013-4396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4396
http://lists.x.org/archives/xorg-announce/2013-October/002332.html
https://bugzilla.redhat.com/show_bug.cgi?id=1014561
========================

Updated packages in core/updates_testing:
========================
x11-server-1.11.4-2.4.mga2
x11-server-devel-1.11.4-2.4.mga2
x11-server-common-1.11.4-2.4.mga2
x11-server-xorg-1.11.4-2.4.mga2
x11-server-xdmx-1.11.4-2.4.mga2
x11-server-xnest-1.11.4-2.4.mga2
x11-server-xvfb-1.11.4-2.4.mga2
x11-server-xephyr-1.11.4-2.4.mga2
x11-server-xfake-1.11.4-2.4.mga2
x11-server-xfbdev-1.11.4-2.4.mga2
x11-server-source-1.11.4-2.4.mga2
x11-server-1.13.4-2.2.mga3
x11-server-devel-1.13.4-2.2.mga3
x11-server-common-1.13.4-2.2.mga3
x11-server-xorg-1.13.4-2.2.mga3
x11-server-xdmx-1.13.4-2.2.mga3
x11-server-xnest-1.13.4-2.2.mga3
x11-server-xvfb-1.13.4-2.2.mga3
x11-server-xephyr-1.13.4-2.2.mga3
x11-server-xfake-1.13.4-2.2.mga3
x11-server-xfbdev-1.13.4-2.2.mga3
x11-server-source-1.13.4-2.2.mga3

from SRPMS:
x11-server-1.11.4-2.4.mga2.src.rpm
x11-server-1.13.4-2.2.mga3.src.rpm

CC: (none) => fundawang, thierry.vignaud
Version: Cauldron => 3
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 3 David Walser 2013-10-11 10:27:52 CEST 
*** Bug 11440 has been marked as a duplicate of this bug. ***
David Walser 2013-10-15 19:24:43 CEST

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396 => http://lwn.net/Vulnerabilities/570465/

Comment 4 Lewis Smith 2013-10-15 20:15:17 CEST 
MGA£ 32-bit

Updated x11-server-1.13.4-2.2.mga3 & x11-server-common-1.13.4-2.2.mga3
No new problems noted.

CC: (none) => lewyssmith

Comment 5 David Walser 2013-10-16 18:19:04 CEST 
RedHat has issued an advisory for this on October 15:
https://rhn.redhat.com/errata/RHSA-2013-1426.html

Updating the reference in the advisory.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in
the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated
users to cause a denial of service (daemon crash) or possibly execute arbitrary
code via a crafted ImageText request that triggers memory-allocation failure
(CVE-2013-4396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4396
http://lists.x.org/archives/xorg-announce/2013-October/002332.html
https://rhn.redhat.com/errata/RHSA-2013-1426.html
========================

Updated packages in core/updates_testing:
========================
x11-server-1.11.4-2.4.mga2
x11-server-devel-1.11.4-2.4.mga2
x11-server-common-1.11.4-2.4.mga2
x11-server-xorg-1.11.4-2.4.mga2
x11-server-xdmx-1.11.4-2.4.mga2
x11-server-xnest-1.11.4-2.4.mga2
x11-server-xvfb-1.11.4-2.4.mga2
x11-server-xephyr-1.11.4-2.4.mga2
x11-server-xfake-1.11.4-2.4.mga2
x11-server-xfbdev-1.11.4-2.4.mga2
x11-server-source-1.11.4-2.4.mga2
x11-server-1.13.4-2.2.mga3
x11-server-devel-1.13.4-2.2.mga3
x11-server-common-1.13.4-2.2.mga3
x11-server-xorg-1.13.4-2.2.mga3
x11-server-xdmx-1.13.4-2.2.mga3
x11-server-xnest-1.13.4-2.2.mga3
x11-server-xvfb-1.13.4-2.2.mga3
x11-server-xephyr-1.13.4-2.2.mga3
x11-server-xfake-1.13.4-2.2.mga3
x11-server-xfbdev-1.13.4-2.2.mga3
x11-server-source-1.13.4-2.2.mga3

from SRPMS:
x11-server-1.11.4-2.4.mga2.src.rpm
x11-server-1.13.4-2.2.mga3.src.rpm
Comment 6 William Kenney 2013-10-16 18:35:38 CEST 
In VirtualBox, M2, KDE, 32-bit

Package(s) under test:
x11-server-common x11-server-xorg


[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.11.4-2.2.mga2.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.11.4-2.2.mga2.i586 is already installed
KDE operating normally

Install x11-server-common & x11-server-xorg updates from core updates_testing

reboot

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.11.4-2.4.mga2.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.11.4-2.4.mga2.i586 is already installed
KDE operating normally


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int

Comment 7 William Kenney 2013-10-16 18:36:10 CEST 
In VirtualBox, M2, KDE, 64-bit

Package(s) under test:
x11-server-common x11-server-xorg


[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.11.4-2.2.mga2.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.11.4-2.2.mga2.x86_64 is already installed
KDE operating normally

Install x11-server-common & x11-server-xorg updates from core updates_testing

reboot

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.11.4-2.4.mga2.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.11.4-2.4.mga2.x86_64 is already installed
KDE operating normally


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 8 William Kenney 2013-10-16 18:36:37 CEST 
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
x11-server-common x11-server-xorg


Default package installed:
[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.13.4-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.13.4-2.mga3.i586 is already installed
KDE operating normally

Install x11-server-common & x11-server-xorg updates from core updates_testing

reboot

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.13.4-2.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.13.4-2.2.mga3.i586 is already installed
KDE operating normally


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 9 William Kenney 2013-10-16 18:37:02 CEST 
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
x11-server-common x11-server-xorg


[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.13.4-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.13.4-2.mga3.x86_64 is already installed
KDE operating normally

Install x11-server-common & x11-server-xorg updates from core updates_testing

reboot

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.13.4-2.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.13.4-2.2.mga3.x86_64 is already installed
KDE operating normally


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 10 claire robinson 2013-10-24 10:09:21 CEST 
Adding missing whiteboard tags from previous testing

Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 11 claire robinson 2013-10-24 10:15:36 CEST 
Advisory uploaded. Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Thomas Backlund 2013-10-25 23:23:28 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0317.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED