search

NixOS / security

MIT License
30 stars 12 forks source link

Roundup: [oss-security] Re: three issues in xorg (CVE-*2017*-2624, CVE-*2017*-2625, CVE-*2017*-2626) #119

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003f14

Should the search term be changed from xorg? Suggest a new package search by commenting:

-suggested:xorg +suggested:correctPackageName thread:0000000000003f14

Known CVEs: CVE-2016-2624, CVE-2016-2625, CVE-2016-2626, CVE-2017-2624, CVE-2017-2625, CVE-2017-2626

Skip to End

Wed, 1 Mar 2017 11:01:30 +1030 Doran Moppert , 20170301003129.GB4851@sin.redhat.com
Vulnerabilities in xorg (server, libXdmcp, libICE) were recently
reported by Eric Sesterhenn of X41, and assigned CVEs by Red Hat.

> CVE-2017-2624 xorg-x11-server: timing attack against MIT Cookie

mitauth.c uses memcmp() to check the validity of MIT cookies, exposing a
possible timing attack on some platforms.

https://bugzilla.redhat.com/show_bug.cgi?id=1424984
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856398
https://bugzilla.novell.com/show_bug.cgi?id=1025029

> CVE-2017-2625 libXdmcp: weak entropy usage for session keys

In the absence of arc4random(), xdmcp session keys are generated based
on getpid() and time(), which may allow a local attacker to brute-force
the key.

https://bugzilla.redhat.com/show_bug.cgi?id=1424987
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856399
https://bugzilla.novell.com/show_bug.cgi?id=1025046

> CVE-2017-2626 libICE: weak entropy usage in session keys

In the absence of arc4random(), the Inter-Client Exchange session keys
are generated based on gettimeofday(), which may allow a local attacker
to brute-force the key.

https://bugzilla.redhat.com/show_bug.cgi?id=1424992
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856400
https://bugzilla.novell.com/show_bug.cgi?id=1025068

The first issue is mitigated with recent glibc's memcmp, particularly
with -D_FORTIFY_SOURCE=2, and the other two by providing an
implementation of arc4random at compile time, such as libbsd.

I expect these to be announced shortly at
<https://www.x.org/wiki/Development/Security/>.

-- 
Doran Moppert
Red Hat Product Security

Skip to End

Wed, 1 Mar 2017 11:07:01 +1030 Doran Moppert , 20170301003700.GC4851@sin.redhat.com
Of course, the subject should have read 2017 where it read 2016 ..

-- 
Doran Moppert
Red Hat Product Security

Skip to End

fpletz commented 7 years ago

We have a recent enough version of Xorg packaged.