xorg announce - Apr 2015 - [ANNOUNCE] X.Org Security Advisory: Buffer overflow in MakeBigReq macro

X.Org Security Advisory:  April 14, 2015
Buffer overflow in MakeBigReq macro in libX11 prior to 1.6 [CVE-2013-7439]
=========================================================================
Description:
===========
It's been brought to X.Org's attention that this commit:

http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d

which was included in libX11 1.5.99.901 (1.6 RC1) and later releases fixed 
an issue which may be exploitable when X clients are rendering untrusted 
content, such as in web browsers.

Mitre has thus issued CVE-2013-7439 for tracking this vulnerability.
Further discussion is available in the oss-security thread starting at 
http://seclists.org/oss-sec/2015/q2/73 .

Note that as this affects a macro in a header file, all software using this
macro will need to be recompiled for the fix to take effect.  Since the
Xlibint.h header provides access to the internals of libX11, it should
not be directly accessed by most clients, but nearly all of the Xlib-based
extension libraries are affected, as are some third-party client libraries
and programs who have ill-advisedly relied on libX11 internals.

X.Org software known to use these macros includes:

        libXext
        libXfixes
        libXi
        libXp
        libXrandr
        libXrender
        libXv
        libXxf86misc
        xf86-video-vmware

Some uses of the macros in other software may be found at:
        http://codesearch.debian.net/results/SetReqLen
        http://codesearch.debian.net/results/MakeBigReq
but of course, only a search of your own code base will be exhaustive.

Affected Versions
================
The off-by-one-word error in the amount of memory to copy was introduced
in the original integration of the BigRequests extension for X11R6.0:
http://cgit.freedesktop.org/~alanc/xc-historical/commit/?id=57ae039acec35ee7df4bc3f3c02abd957780b026
thus X.Org believes all versions of X11R6.x are affected, as are all versions
of the standalone libX11 prior to the libX11 1.6.0 release in June 2013.

Fixes
====
As noted above, the fix is already available in this libX11 git commit:
        39547d600a13713e15429f49768e54c3173c828d
which is also included in libX11 1.6.0 and later module releases from X.Org,
however, for the fix to be effective, all software which references the
MakeBigReq() or SetReqLen() macros from Xlibint.h must be recompiled with
the new header.

--
        -Alan Coopersmith-              alan.coopersmith at oracle.com
          X.Org Security Response Team - xorg-security at lists.x.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL:
<http://lists.x.org/archives/xorg-announce/attachments/20150414/f98665fc/attachment.sig>