Bug 12298 - Integer overflows in build_range() [CVE-2007-4989]
Summary: Integer overflows in build_range() [CVE-2007-4989]
Alias: None
Product: xorg
Classification: Unclassified
Component: App/xfs
Version: 7.2 (2007.02)
Hardware: All (OS: All)
Importance: medium normal
Assignee: X.Org Security
QA Contact: X.Org Security
Keywords: security
Depends on:
Reported: 2007-09-05 23:34 UTC by Matthieu Herrb
Modified: 2007-12-10 21:31 UTC
CC List: 3 users


Attachments:
iDefense draft (3.43 KB, text/plain), 2007-09-05 23:35 UTC, Matthieu Herrb
proposed patch (1.06 KB, patch), 2007-09-06 10:20 UTC, Matthieu Herrb
reproducer (1.07 KB, text/plain), 2007-09-11 02:24 UTC, Matthieu Herrb
updated patch (1.34 KB, patch), 2007-09-16 03:13 UTC, Matthieu Herrb
updated again patch (1.34 KB, patch), 2007-09-16 23:11 UTC, Matthieu Herrb

Description Matthieu Herrb 2007-09-05 23:34:16 UTC
iDefense has sent us the attached draft advisory. 
A first look at the code confirms the problem.
Patch is pretty straightforward. I'll write it and attach it there shortly.
Probably not a blocker for the release (but if other things are postponing it to after next week, it can probably make it).
Comment 1 Matthieu Herrb 2007-09-05 23:35:10 UTC
Created attachment 11443
iDefense draft
Comment 2 Matthieu Herrb 2007-09-06 10:20:44 UTC
Created attachment 11450
proposed patch
Comment 3 Matthieu Herrb 2007-09-06 14:42:09 UTC
Both issues (this one and #12299) share CVE-2007-4568
Comment 4 Daniel Stone 2007-09-08 18:52:21 UTC
Adding Guillem Jover, the xfstt maintainer.
Comment 5 Matthieu Herrb 2007-09-11 02:24:22 UTC
Created attachment 11502
reproducer
Simple way to build a request that will cause the integer overflow

tfs localhost:7100 hello
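The bug class named in this report, an integer overflow in a range-count computation driven by a client request, can be shown without the xfs sources. The block below is an added example, not the xfs code, the attached patch, or the attached reproducer: it uses a constructed wire format (a 32-bit range count followed by 4-byte range entries), a constructed malicious request, and function names chosen for the illustration; none of this reproduces the real build_range() or the X font server protocol. It places the unchecked 32-bit length arithmetic beside a parser that checks both the wire-length multiply and the allocation-size multiply before trusting the declared count.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed wire format for this illustration (NOT the xfs protocol):
 * a little-endian 32-bit range count, then `count` entries of 4 bytes
 * each (16-bit first code, 16-bit last code). */
#define RANGE_WIRE_SIZE 4u

typedef struct { uint16_t first; uint16_t last; } range_t;

/* Unchecked 32-bit arithmetic, the bug class named in this report:
 * 0x40000001 * 4 = 0x100000004, which wraps to 4 in a uint32_t. */
uint32_t needed_bytes_unchecked(uint32_t count) {
    return count * RANGE_WIRE_SIZE;
}

/* A request that claims `count` ranges but carries only `payload_len`
 * bytes passes the unchecked length check once the product wraps. */
bool unchecked_length_check_passes(uint32_t count, size_t payload_len) {
    return needed_bytes_unchecked(count) <= payload_len;
}

/* Checked form: refuse any count whose byte requirement cannot be
 * represented, before doing the multiply. */
bool needed_bytes_checked(uint32_t count, uint32_t *needed) {
    if (count > UINT32_MAX / RANGE_WIRE_SIZE) return false;
    *needed = count * RANGE_WIRE_SIZE;
    return true;
}

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parser: both multiplies (wire length and heap allocation)
 * are checked, and the declared count is bounded by the bytes actually
 * received. Returns the number of ranges, or -1 with nothing allocated.
 * The caller frees *out. */
int parse_ranges(const uint8_t *req, size_t req_len, range_t **out) {
    uint32_t count, needed;
    if (req_len < 4) return -1;
    count = rd32(req);
    if (!needed_bytes_checked(count, &needed)) return -1;  /* would wrap */
    if (needed > req_len - 4) return -1;                   /* truncated */
    if (count > SIZE_MAX / sizeof(range_t)) return -1;     /* alloc size would wrap */
    range_t *r = calloc(count ? count : 1, sizeof *r);
    if (r == NULL) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = req + 4 + (size_t)i * RANGE_WIRE_SIZE;
        r[i].first = rd16(p);
        r[i].last  = rd16(p + 2);
        if (r[i].first > r[i].last) { free(r); return -1; } /* malformed range */
    }
    *out = r;
    return (int)count;
}

/* Constructed sample requests (not captured xfs traffic). */
static const uint8_t good_req[] = {
    2, 0, 0, 0,        /* count = 2 */
    1, 0, 5, 0,        /* range 1..5 */
    10, 0, 20, 0       /* range 10..20 */
};
static const uint8_t evil_req[] = {
    0x01, 0x00, 0x00, 0x40,  /* count = 0x40000001 */
    0xaa, 0xbb, 0xcc, 0xdd   /* only one entry's worth of payload */
};

int main(void) {
    range_t *r = NULL;
    uint32_t count = rd32(evil_req);
    printf("unchecked needed bytes for count 0x%x: %u (wrapped)\n",
           count, needed_bytes_unchecked(count));
    printf("unchecked length check passes: %s\n",
           unchecked_length_check_passes(count, sizeof evil_req - 4) ? "yes" : "no");
    printf("hardened parse of evil request: %d\n",
           parse_ranges(evil_req, sizeof evil_req, &r));
    int n = parse_ranges(good_req, sizeof good_req, &r);
    printf("hardened parse of good request: %d ranges, last = %u..%u\n",
           n, r[1].first, r[1].last);
    free(r);
    return 0;
}
```

The point to carry over to a real review of such code is that the check has to happen before the multiply, on the count, and that every place the count is multiplied (the wire-length bound and the allocation size) needs its own guard; a patch that fixes one multiply but not the other is still exploitable, which is the shape of the "incomplete patch" remark later in this thread.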
Comment 6 Matthieu Herrb 2007-09-16 03:13:46 UTC
Created attachment 11585
updated patch

Jeremy Uejio from Sun discovered that the patch was incomplete. Attached an updated patch.
Comment 7 Matthieu Herrb 2007-09-16 23:11:27 UTC
Created attachment 11596
updated again patch

Hmm I realized at some point that the condition is not the same in the else clause, but I forgot to re-generate the patch before uploading it.
Comment 8 Matthieu Herrb 2007-09-21 00:50:58 UTC
(In reply to comment #3)
> Both issues (this one and #12299) share CVE-2007-4568

iDefense has allocated a new ID for this one: CVE-2007-4989
Comment 9 Matthieu Herrb 2007-10-02 10:20:10 UTC
Fixed in commit 380fb68316f13012ff7cb2ac4addc2626fa2dad0
Public now
