Bug 12298 - Integer overflows in build_range() [CVE-2007-4989]
Summary: Integer overflows in build_range() [CVE-2007-4989]
Alias: None
Product: xorg
Classification: Unclassified
Component: App/xfs (show other bugs)
Version: 7.2 (2007.02)
Hardware: All All
: medium normal
Assignee: X.Org Security
QA Contact: X.Org Security
Keywords: security
Depends on:
Reported: 2007-09-05 23:34 UTC by Matthieu Herrb
Modified: 2007-12-10 21:31 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:

iDefense draft (3.43 KB, text/plain)
2007-09-05 23:35 UTC, Matthieu Herrb
no flags Details
proposed patch (1.06 KB, patch)
2007-09-06 10:20 UTC, Matthieu Herrb
no flags Details | Splinter Review
reproducer (1.07 KB, text/plain)
2007-09-11 02:24 UTC, Matthieu Herrb
no flags Details
updated patch (1.34 KB, patch)
2007-09-16 03:13 UTC, Matthieu Herrb
no flags Details | Splinter Review
updated again patch (1.34 KB, patch)
2007-09-16 23:11 UTC, Matthieu Herrb
no flags Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Herrb 2007-09-05 23:34:16 UTC
iDefense has sent us the attached draft advisory. 
A 1st look at the code confirms the problem.
Patch is pretty straightforward. I'll write it and attach it there shortly.
Probably not a blocker for the relase (but if other things are postponing it to after next week, it can probably make it).
Comment 1 Matthieu Herrb 2007-09-05 23:35:10 UTC
Created attachment 11443 [details]
iDefense draft
Comment 2 Matthieu Herrb 2007-09-06 10:20:44 UTC
Created attachment 11450 [details] [review]
proposed patch
Comment 3 Matthieu Herrb 2007-09-06 14:42:09 UTC
Both issues (this one and #12299) share CVE-2007-4568
Comment 4 Daniel Stone 2007-09-08 18:52:21 UTC
Adding Guillem Jover, the xfstt maintainer.
Comment 5 Matthieu Herrb 2007-09-11 02:24:22 UTC
Created attachment 11502 [details]

Simple way to build a request that will cause the integer overflow

tfs localhost:7100 hello
Comment 6 Matthieu Herrb 2007-09-16 03:13:46 UTC
Created attachment 11585 [details] [review]
updated patch

Jeremy Uejio from Sun discovered that the patch was incomplete. Attached an updated patch.
Comment 7 Matthieu Herrb 2007-09-16 23:11:27 UTC
Created attachment 11596 [details] [review]
updated again patch

Hmm I realized at some point that the condition is not the same in the else clause, but I forgot to re-generate the patch before uploading it.
Comment 8 Matthieu Herrb 2007-09-21 00:50:58 UTC
(In reply to comment #3)
> Both issues (this one and #12299) share CVE-2007-4568

iDefense as allocated a new ID for this one: CVE-2007-4989
Comment 9 Matthieu Herrb 2007-10-02 10:20:10 UTC
Fixed in commit 380fb68316f13012ff7cb2ac4addc2626fa2dad0
Public now

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct.