12298 – Integer overflows in build_range() [CVE-2007-4989]

Bug 12298 - Integer overflows in build_range() [CVE-2007-4989]

Summary: Integer overflows in build_range() [CVE-2007-4989]

Status:	RESOLVED FIXED

Alias:	None

Product:	xorg
Classification:	Unclassified
Component:	App/xfs (show other bugs)
Version:	7.2 (2007.02)
Hardware:	All All

Importance:	medium normal
Assignee:	X.Org Security
QA Contact:	X.Org Security

URL:
Whiteboard:
Keywords:	security

Depends on:
Blocks:

Reported:	2007-09-05 23:34 UTC by Matthieu Herrb
Modified:	2007-12-10 21:31 UTC (History)
CC List:	3 users (show)

See Also:
i915 platform:
i915 features:

Attachments
iDefense draft (3.43 KB, text/plain) 2007-09-05 23:35 UTC, Matthieu Herrb	no flags	Details
proposed patch (1.06 KB, patch) 2007-09-06 10:20 UTC, Matthieu Herrb	no flags	Details \| Splinter Review
reproducer (1.07 KB, text/plain) 2007-09-11 02:24 UTC, Matthieu Herrb	no flags	Details
updated patch (1.34 KB, patch) 2007-09-16 03:13 UTC, Matthieu Herrb	no flags	Details \| Splinter Review
updated again patch (1.34 KB, patch) 2007-09-16 23:11 UTC, Matthieu Herrb	no flags	Details \| Splinter Review
Show Obsolete (2) View All

Description Matthieu Herrb 2007-09-05 23:34:16 UTC

iDefense has sent us the attached draft advisory. 
A 1st look at the code confirms the problem.
Patch is pretty straightforward. I'll write it and attach it there shortly.
Probably not a blocker for the relase (but if other things are postponing it to after next week, it can probably make it).

Comment 1 Matthieu Herrb 2007-09-05 23:35:10 UTC

Created attachment 11443 [details]
iDefense draft

Comment 2 Matthieu Herrb 2007-09-06 10:20:44 UTC

Created attachment 11450 [details] [review]
proposed patch

Comment 3 Matthieu Herrb 2007-09-06 14:42:09 UTC

Both issues (this one and #12299) share CVE-2007-4568

Comment 4 Daniel Stone 2007-09-08 18:52:21 UTC

Adding Guillem Jover, the xfstt maintainer.

Comment 5 Matthieu Herrb 2007-09-11 02:24:22 UTC

Created attachment 11502 [details]
reproducer

Simple way to build a request that will cause the integer overflow

tfs localhost:7100 hello

Comment 6 Matthieu Herrb 2007-09-16 03:13:46 UTC

Created attachment 11585 [details] [review]
updated patch

Jeremy Uejio from Sun discovered that the patch was incomplete. Attached an updated patch.

Comment 7 Matthieu Herrb 2007-09-16 23:11:27 UTC

Created attachment 11596 [details] [review]
updated again patch

Hmm I realized at some point that the condition is not the same in the else clause, but I forgot to re-generate the patch before uploading it.

Comment 8 Matthieu Herrb 2007-09-21 00:50:58 UTC

(In reply to comment #3)
> Both issues (this one and #12299) share CVE-2007-4568
> 

iDefense as allocated a new ID for this one: CVE-2007-4989

Comment 9 Matthieu Herrb 2007-10-02 10:20:10 UTC

Fixed in commit 380fb68316f13012ff7cb2ac4addc2626fa2dad0
Public now

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.