Bug 12298

Summary: Integer overflows in build_range() [CVE-2007-4989]
Product: xorg Reporter: Matthieu Herrb <matthieu.herrb>
Component: App/xfsAssignee: X.Org Security <xorg_security>
Status: RESOLVED FIXED QA Contact: X.Org Security <xorg_security>
Severity: normal    
Priority: medium CC: dberkholz, guillem, thomas
Version: 7.2 (2007.02)Keywords: security
Hardware: All   
OS: All   
i915 platform: i915 features:
Description Flags
iDefense draft
proposed patch
updated patch
updated again patch none

Description Matthieu Herrb 2007-09-05 23:34:16 UTC
iDefense has sent us the attached draft advisory. 
A 1st look at the code confirms the problem.
Patch is pretty straightforward. I'll write it and attach it there shortly.
Probably not a blocker for the relase (but if other things are postponing it to after next week, it can probably make it).
Comment 1 Matthieu Herrb 2007-09-05 23:35:10 UTC
Created attachment 11443 [details]
iDefense draft
Comment 2 Matthieu Herrb 2007-09-06 10:20:44 UTC
Created attachment 11450 [details] [review]
proposed patch
Comment 3 Matthieu Herrb 2007-09-06 14:42:09 UTC
Both issues (this one and #12299) share CVE-2007-4568
Comment 4 Daniel Stone 2007-09-08 18:52:21 UTC
Adding Guillem Jover, the xfstt maintainer.
Comment 5 Matthieu Herrb 2007-09-11 02:24:22 UTC
Created attachment 11502 [details]

Simple way to build a request that will cause the integer overflow

tfs localhost:7100 hello
Comment 6 Matthieu Herrb 2007-09-16 03:13:46 UTC
Created attachment 11585 [details] [review]
updated patch

Jeremy Uejio from Sun discovered that the patch was incomplete. Attached an updated patch.
Comment 7 Matthieu Herrb 2007-09-16 23:11:27 UTC
Created attachment 11596 [details] [review]
updated again patch

Hmm I realized at some point that the condition is not the same in the else clause, but I forgot to re-generate the patch before uploading it.
Comment 8 Matthieu Herrb 2007-09-21 00:50:58 UTC
(In reply to comment #3)
> Both issues (this one and #12299) share CVE-2007-4568

iDefense as allocated a new ID for this one: CVE-2007-4989
Comment 9 Matthieu Herrb 2007-10-02 10:20:10 UTC
Fixed in commit 380fb68316f13012ff7cb2ac4addc2626fa2dad0
Public now

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.