|Summary:||Integer overflows in build_range() [CVE-2007-4989]|
|Product:||xorg||Reporter:||Matthieu Herrb <matthieu.herrb>|
|Component:||App/xfs||Assignee:||X.Org Security <xorg_security>|
|Status:||RESOLVED FIXED||QA Contact:||X.Org Security <xorg_security>|
|Priority:||medium||CC:||dberkholz, guillem, thomas|
Description Matthieu Herrb 2007-09-05 23:34:16 UTC
iDefense has sent us the attached draft advisory. A 1st look at the code confirms the problem. Patch is pretty straightforward. I'll write it and attach it there shortly. Probably not a blocker for the release (but if other things are postponing it to after next week, it can probably make it).
Comment 2 Matthieu Herrb 2007-09-06 10:20:44 UTC
Created attachment 11450
proposed patch
Comment 3 Matthieu Herrb 2007-09-06 14:42:09 UTC
Both issues (this one and #12299) share CVE-2007-4568
Comment 4 Daniel Stone 2007-09-08 18:52:21 UTC
Adding Guillem Jover, the xfstt maintainer.
Comment 5 Matthieu Herrb 2007-09-11 02:24:22 UTC
Created attachment 11502
reproducer

Simple way to build a request that will cause the integer overflow

tfs localhost:7100 hello
Comment 6 Matthieu Herrb 2007-09-16 03:13:46 UTC
Created attachment 11585
updated patch

Jeremy Uejio from Sun discovered that the patch was incomplete. Attached an updated patch.
Comment 7 Matthieu Herrb 2007-09-16 23:11:27 UTC
Created attachment 11596
updated again patch

Hmm, I realized at some point that the condition is not the same in the else clause, but I forgot to re-generate the patch before uploading it.
Comment 8 Matthieu Herrb 2007-09-21 00:50:58 UTC
(In reply to comment #3)
> Both issues (this one and #12299) share CVE-2007-4568
>

iDefense has allocated a new ID for this one: CVE-2007-4989
Comment 9 Matthieu Herrb 2007-10-02 10:20:10 UTC
Fixed in commit 380fb68316f13012ff7cb2ac4addc2626fa2dad0

Public now