input device names used in logging format strings

Reported by Kees Cook on 2012-05-07
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
xorg-server (Ubuntu) | | Low | Unassigned |
Hardy | | Undecided | Unassigned |
Lucid | | Low | Unassigned |
Natty | | Low | Steve Beattie |
Oneiric | | Low | Steve Beattie |
Precise | | Low | Steve Beattie |
Quantal | | Low | Unassigned |

Bug Description

Attaching devices with "%n" in their names will crash Xorg.

CVE References

Kees Cook (kees) wrote :

Adding an input device with a malicious name can trigger a format
string flaw in Xorg's logging subsystem. For builds of Xorg lacking
-D_FORTIFY_SOURCE=2 (or 32-bit systems lacking the fix to fortify[1])
this can lead to arbitrary code execution as the Xorg user, usually
root. When built with fortify, this is a denial of service, since Xorg
will abort.

Proposed solution patch series can be found here:
    1/4 http://patchwork.freedesktop.org/patch/10000/
    2/4 http://patchwork.freedesktop.org/patch/9998/
    3/4 http://patchwork.freedesktop.org/patch/9999/
    4/4 http://patchwork.freedesktop.org/patch/10001/

-Kees

[1] http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e
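
The flaw class described in this report, shown as an added example that is not part of the bug report or the xorg-server source: a device name spliced into a format string, next to the same log call with the name passed as a "%s" argument. The function names and the sample device name are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* BEFORE (flawed pattern): the device name is spliced into the format
 * string, so any '%' in the name is parsed as a conversion directive. */
static int log_dev_unsafe(char *out, size_t outlen, const char *devname,
                          const char *fmt, ...)
{
    char combined[256];
    va_list ap;
    int n;
    snprintf(combined, sizeof(combined), "%s: %s", devname, fmt);
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, combined, ap);  /* name is now format text */
    va_end(ap);
    return n;
}

/* AFTER: only the caller's constant format is expanded; the name is
 * passed as a "%s" argument and copied byte for byte. */
static int log_dev_safe(char *out, size_t outlen, const char *devname,
                        const char *fmt, ...)
{
    char msg[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof(msg), fmt, ap);
    va_end(ap);
    return snprintf(out, outlen, "%s: %s", devname, msg);
}

/* Returns 1 when the logged line begins with the exact device name. */
static int name_preserved(const char *line, const char *devname)
{
    return strncmp(line, devname, strlen(devname)) == 0;
}

int main(void)
{
    /* Constructed sample name: "%%" is a directive that takes no argument,
     * so it shows the parsing without touching stray memory. */
    const char *name = "USB 100%% Keyboard";
    char a[256], b[256];
    log_dev_unsafe(a, sizeof(a), name, "added on bus %d", 3);
    log_dev_safe(b, sizeof(b), name, "added on bus %d", 3);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return !(name_preserved(b, name) && !name_preserved(a, name));
}
```

The unsafe variant logs a name that differs from the one the device reported, which is the observable sign that attacker-supplied text was interpreted as a format.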

Kees Cook (kees) wrote :

CVE-2012-2118

Kees Cook (kees) wrote :
visibility: private → public
tags: added: patch
Changed in xorg-server (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Quantal):
status: New → Confirmed
importance: Undecided → Low
Changed in xorg-server (Ubuntu Hardy):
status: New → Won't Fix

Robert Hooker (sarvatt) wrote :

Bug was introduced in xserver 1.10.

Changed in xorg-server (Ubuntu Lucid):
status: Confirmed → Invalid
Kees Cook (kees) on 2012-06-30
Changed in xorg-server (Ubuntu Quantal):
status: Confirmed → Fix Released

Kees Cook (kees) wrote :

Rebase onto latest precise xorg-server. Tested on amd64, evil HID no longer crashes xorg.

Steve Beattie (sbeattie) on 2012-07-06
Changed in xorg-server (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Changed in xorg-server (Ubuntu Oneiric):
assignee: nobody → Steve Beattie (sbeattie)
Changed in xorg-server (Ubuntu Precise):
assignee: nobody → Steve Beattie (sbeattie)
Changed in xorg-server (Ubuntu Natty):
status: Confirmed → In Progress
Changed in xorg-server (Ubuntu Oneiric):
status: Confirmed → In Progress
Changed in xorg-server (Ubuntu Precise):
status: Confirmed → In Progress

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.11.4-0ubuntu10.5

---------------
xorg-server (2:1.11.4-0ubuntu10.5) precise-security; urgency=low

  * SECURITY UPDATE: do not use input device names in logging format
    strings (LP: #996250):
    - debian/patches/509_log-format-fix.patch: backported upstream changes.
    - CVE-2012-2118
 -- Steve Beattie <email address hidden> Mon, 09 Jul 2012 15:24:55 -0700

Changed in xorg-server (Ubuntu Precise):
status: In Progress → Fix Released

Steve Beattie (sbeattie) wrote :

After experimenting with a reproducer from Kees Cook, I was unable to reproduce this issue with the X server in either oneiric or natty. I'm going to close the tasks for those releases. Thanks!

Changed in xorg-server (Ubuntu Natty):
status: In Progress → Won't Fix
Changed in xorg-server (Ubuntu Oneiric):
status: In Progress → Won't Fix