input device names used in logging format strings

Bug #996250 reported by Kees Cook
Affects               Status        Importance  Assigned to    Milestone
xorg-server (Ubuntu)  Fix Released  Low         Unassigned
  Hardy               Won't Fix     Undecided   Unassigned
  Lucid               Invalid       Low         Unassigned
  Natty               Won't Fix     Low         Steve Beattie
  Oneiric             Won't Fix     Low         Steve Beattie
  Precise             Fix Released  Low         Steve Beattie
  Quantal             Fix Released  Low         Unassigned

Bug Description

Attaching devices with "%n" in their names will crash Xorg.

Tags: patch

CVE References

Kees Cook (kees) wrote :

Adding an input device with a malicious name can trigger a format
string flaw in Xorg's logging subsystem. For builds of Xorg lacking
-D_FORTIFY_SOURCE=2 (or 32-bit systems lacking the fix to fortify[1])
this can lead to arbitrary code execution as the Xorg user, usually
root. When built with fortify, this is a denial of service, since Xorg
will abort.

Proposed solution patch series can be found here:
    1/4 http://patchwork.freedesktop.org/patch/10000/
    2/4 http://patchwork.freedesktop.org/patch/9998/
    3/4 http://patchwork.freedesktop.org/patch/9999/
    4/4 http://patchwork.freedesktop.org/patch/10001/

-Kees

[1] http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e
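
The flaw class described in the comment above, shown beside its fix as an added example; this is not code from Xorg or from the linked patch series. `log_line`, `log_added_unsafe` and `log_added_safe` are hypothetical names, and the device name is a constructed sample that uses only the `%%` directive to show that the name is parsed as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for a server log call.
 * Declaring it with __attribute__((format(printf, 3, 4))) would let
 * gcc -Wformat -Wformat-security flag the unsafe call below. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Flawed pattern: the device name is spliced into the format string,
 * so every '%' in the name is parsed as a conversion directive. */
static int log_added_unsafe(char *out, size_t n, const char *dev_name)
{
    char fmt[128];
    snprintf(fmt, sizeof fmt, "%s: device added\n", dev_name);
    return log_line(out, n, fmt);
}

/* Fixed pattern: constant format, device name passed only as data. */
static int log_added_safe(char *out, size_t n, const char *dev_name)
{
    return log_line(out, n, "%s: device added\n", dev_name);
}

int main(void)
{
    /* Constructed sample name; "%%" is the one directive that takes no
     * argument, so the unsafe path stays well-defined here. */
    const char *name = "Pad 100%%";
    char buf[128];

    log_added_unsafe(buf, sizeof buf, name);
    fputs(buf, stdout);   /* name was rewritten by the formatter */
    log_added_safe(buf, sizeof buf, name);
    fputs(buf, stdout);   /* name logged byte for byte */
    return 0;
}
```

Any mismatch between a device name and its logged form is evidence that the name reached the formatter as a format string rather than as an argument.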

Kees Cook (kees) wrote :

CVE-2012-2118

Kees Cook (kees) wrote :
visibility: private → public
tags: added: patch
Changed in xorg-server (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Quantal):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Hardy):
status: New → Won't Fix
Robert Hooker (sarvatt) wrote :

Bug was introduced in xserver 1.10.

Changed in xorg-server (Ubuntu Lucid):
status: Confirmed → Invalid
Kees Cook (kees)
Changed in xorg-server (Ubuntu Quantal):
status: Confirmed → Fix Released
Kees Cook (kees) wrote :

Rebase onto latest precise xorg-server. Tested on amd64, evil HID no longer crashes xorg.

Steve Beattie (sbeattie)
Changed in xorg-server (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Changed in xorg-server (Ubuntu Oneiric):
assignee: nobody → Steve Beattie (sbeattie)
Changed in xorg-server (Ubuntu Precise):
assignee: nobody → Steve Beattie (sbeattie)
Changed in xorg-server (Ubuntu Natty):
status: Confirmed → In Progress
Changed in xorg-server (Ubuntu Oneiric):
status: Confirmed → In Progress
Changed in xorg-server (Ubuntu Precise):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.11.4-0ubuntu10.5

---------------
xorg-server (2:1.11.4-0ubuntu10.5) precise-security; urgency=low

  * SECURITY UPDATE: do not use input device names in logging format
    strings (LP: #996250):
    - debian/patches/509_log-format-fix.patch: backported upstream changes.
    - CVE-2012-2118
 -- Steve Beattie <email address hidden> Mon, 09 Jul 2012 15:24:55 -0700

Changed in xorg-server (Ubuntu Precise):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

After experimenting with a reproducer from Kees Cook, I was unable to reproduce this issue with the X server in either oneiric or natty. I'm going to close the tasks for those releases. Thanks!

Changed in xorg-server (Ubuntu Natty):
status: In Progress → Won't Fix
Changed in xorg-server (Ubuntu Oneiric):
status: In Progress → Won't Fix