Re: AW: AW: Preparing for libX11 1.7.0
I've posted an MR for version 1.7.0 that includes release notes added to the README.md. It might be useful to include links to bugs known to be addressed with this release as well?

--
-keith

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel
Re: AW: AW: Preparing for libX11 1.7.0
The original issue should be fixed by Keith's commit yesterday:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/a3c0b5dbd6b

I also put in a commit yesterday to prevent some potential use-after-free issues found by our static analyzer:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/103e2e11519

If we wait until libX11 is completely bug free, we'll never ship a release. Shipping 1.7.0 doesn't mean we stop work - these could continue to be investigated for 1.7.1 while users get a significant set of bug fixes and improvements in 1.7.0.

-alan-

On 11/19/20 8:32 AM, Walter Harms wrote:
> I would ask to wait before releasing a new version.
> Actually I had no time to check that, maybe they are all fixed now.
> NTL we should investigate and fix.
>
> btw: gcc has some warnings for xts also Vittorio Zecca reported that xts5 finds some more issues.
>
> SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuil/SOURCES/libX11-1.6.12/src/DrPoint.c:47 in XDrawPoint
> SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/SetClMask.c:40 in XSetClipMask
> SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/CrGC.c:339 in XFlushGC
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vitti/libasan.so+0x39dd2) in __interceptor_memcpy
> SUMMARY: AddressSanitizer: double-free (/home/vitti/libasan.so+0xab0c7) in __interceptor_free
> SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/DrLine.c:50 in XDrawLine
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vitti/libasan.so+0x589c2) in __interceptor_strncpy
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vitti/libasan.so+0x39dd2) in __interceptor_memcpy
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vitti/libasan.so+0x39dd2) in __interceptor_memcpy
> SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/DrLine.c:50 in XDrawLine
> SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/QuExt.c:43 in XQueryExtension
>
> From: Keith Packard
> Sent: Tuesday, 17 November 2020 03:11
> To: Alan Coopersmith; Walter Harms; Matthieu Herrb; xorg-de...@lists.freedesktop.org
> Cc: Vittorio Zecca
> Subject: Re: AW: Preparing for libX11 1.7.0
>
> Alan Coopersmith writes:
> > https://lists.x.org/archives/xorg/2020-November/060510.html
>
> I've reviewed this message and believe that this issue has already been fixed on Xlib master -- Jacek Caban provided a set of fixes over three years ago which have been merged along with some small additional work I did as well:
>
> https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/56
>
> This series gives up on ever freeing locale information due to Xlib API design issues, so it's likely to avoid accessing something after it has been freed.
>
> --
> -keith

--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
AW: AW: Preparing for libX11 1.7.0
I would ask to wait before releasing a new version.
Actually I had no time to check that, maybe they are all fixed now.
NTL we should investigate and fix.

btw: gcc has some warnings for xts also Vittorio Zecca reported that xts5 finds some more issues.

SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuil/SOURCES/libX11-1.6.12/src/DrPoint.c:47 in XDrawPoint
SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/SetClMask.c:40 in XSetClipMask
SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/CrGC.c:339 in XFlushGC
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vitti/libasan.so+0x39dd2) in __interceptor_memcpy
SUMMARY: AddressSanitizer: double-free (/home/vitti/libasan.so+0xab0c7) in __interceptor_free
SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/DrLine.c:50 in XDrawLine
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vitti/libasan.so+0x589c2) in __interceptor_strncpy
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vitti/libasan.so+0x39dd2) in __interceptor_memcpy
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vitti/libasan.so+0x39dd2) in __interceptor_memcpy
SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/DrLine.c:50 in XDrawLine
SUMMARY: AddressSanitizer: heap-use-after-free /home/vitti/rpmbuild/SOURCES/libX11-1.6.12/src/QuExt.c:43 in XQueryExtension

From: Keith Packard
Sent: Tuesday, 17 November 2020 03:11
To: Alan Coopersmith; Walter Harms; Matthieu Herrb; xorg-de...@lists.freedesktop.org
Cc: Vittorio Zecca
Subject: Re: AW: Preparing for libX11 1.7.0

Alan Coopersmith writes:
> https://lists.x.org/archives/xorg/2020-November/060510.html

I've reviewed this message and believe that this issue has already been fixed on Xlib master -- Jacek Caban provided a set of fixes over three years ago which have been merged along with some small additional work I did as well:

https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/56

This series gives up on ever freeing locale information due to Xlib API design issues, so it's likely to avoid accessing something after it has been freed.

--
-keith
Re: Fwd: The importance of mutual authentication: Local Privilege Escalation in X11
On 11/16/20 1:30 AM, Keith Packard wrote:
> Alan Coopersmith writes:
>
>> Since this is now public, we can open up the discussion of how to fix it in
>> public as well, and hope we can make more progress than the security list
>> did during the embargo phase.
>
> I've got a proposed fix for this issue in two merge requests, one for
> xcb and the other for the X server:
>
> https://gitlab.freedesktop.org/xorg/lib/libxcb/-/merge_requests/10
>
> https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/546
>
> These two changes enable code used on Mac OS X for all other platforms.
> This code allows the X listen socket to be placed anywhere in the file
> system. Systems which currently place that in /tmp are vulnerable to the
> bug reported above. Placing this listen socket in a protected location
> should prevent un-privileged applications from spoofing the X server for
> the user.
>
> Patches for ssh will be needed to close the security issue when
> forwarding X connections through that.

Do those MRs also prevent clients and servers from using abstract sockets? Those are inherently insecure, so support for them should probably just be removed. Additionally, will libX11 also be updated?

Sincerely,
Demi
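
An added example, not code from libxcb, the X server or anyone in this thread: a client-side check for the two concerns raised above, a listen socket whose directory other users can write to (as with /tmp) and abstract socket names. The function name, the verdict enum and the default path /tmp/.X11-unix/X0 are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical verdicts; these names are not from libxcb or the X server. */
enum sock_verdict { SOCK_OK, SOCK_ABSTRACT, SOCK_DIR_WRITABLE, SOCK_DIR_OWNER, SOCK_ERROR };

/* Decide whether a Unix-socket path sits where only root or the calling
 * user can create names, so another local user cannot pre-bind it. */
enum sock_verdict check_listen_path(const char *path)
{
    char buf[PATH_MAX];
    struct stat st;

    /* Abstract sockets ("@name", or a leading NUL in sun_path) carry no
     * filesystem permissions: any local process may bind the name first. */
    if (path == NULL || path[0] == '\0' || path[0] == '@')
        return SOCK_ABSTRACT;
    if (strlen(path) >= sizeof(buf))
        return SOCK_ERROR;
    strcpy(buf, path);

    /* lstat: a symlink in place of the directory is treated as an error. */
    if (lstat(dirname(buf), &st) != 0 || !S_ISDIR(st.st_mode))
        return SOCK_ERROR;
    /* The sticky bit on /tmp stops deletion by others, not creation of a
     * socket name that does not exist yet, so it does not count here. */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return SOCK_DIR_WRITABLE;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return SOCK_DIR_OWNER;
    return SOCK_OK;   /* ancestors of the directory are not walked here */
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "abstract", "dir-writable", "dir-owner", "error" };
    const char *path = argc > 1 ? argv[1] : "/tmp/.X11-unix/X0";
    enum sock_verdict v = check_listen_path(path);
    printf("%s: %s\n", path, names[v]);
    return v == SOCK_OK ? 0 : 1;
}
```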