[security-team] X.Org security advisory: CVE-2013-4396: Use after free in Xserver handling of ImageText requests

Marcus Meissner meissner at suse.de
Mon Nov 18 22:14:17 PST 2013


On Mon, Nov 18, 2013 at 11:32:09AM -0800, Alan Coopersmith wrote:
> On 11/18/13 10:48 AM, Jeremy C. Reed wrote:
>> On Tue, 8 Oct 2013, Alan Coopersmith wrote:
>>
>>> Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org
>>> security team in which an authenticated X client can cause an X server
>>> to use memory after it was freed, potentially leading to crash and/or
>>> memory corruption.
>>
>> Does this happen unknown to the authenticated user, where the X server
>> crashes?  Or does the authenticated user actually need some instrumented
>> malicious client to cause the crash? Does the memory corruption allow
>> running some code on the server with different privileges?
>
> I'm not sure how the authenticated user could not know when the X server
> crashes, so I don't understand the first question.
>
> As far as we know, any malicious client can cause the memory corruption,
> with a crash being the most likely result - no one attempted to do the
> deep analysis to determine if there's any way that the memory corruption
> could be exploited to execute code, we really don't have anyone who is
> both skilled in that and in the X server internals to do such analysis,
> so we felt better to issue an advisory that may be worrying to much than
> to ignore a problem someone more skilled than us could exploit.
>
>> Does X.org Security use CVSS or some other measurement to decide if a
>> bug is a security vulnerability? If so, where documented? Thanks.
>
> No, we use our best judgment.

CVE guidance here is usually if there is not intended behaviour
that allows to gain additional rights or privileges.

If the same behaviour can be done via regular APIs ... it is not a security
issue.

Like e.g. if a X Program can make the X Server exit while it could
also just kill -9 all the window manager and cause this. - no security issue

X program can execute code in the Xserver running as root... - security issue

Even "potential" issues already get a CVE unless it can be proven that no
code execution exists. So any segmentation fault that is non-NULL
dereference could be a potential code execution.

Information leaks that can not be got via regular API - security issue

Bypassing access restrictions to resources. (xauth, protected resources etc.) - yes

Denial of service: consuming all CPU resources ... blocking the Xserver, consuming
all resources ... well, if the program could itself do this via X API or fork bombs
then its not a security issue. If this is not possible - yes.

And so on :)

Ciao, Marcus


More information about the xorg mailing list