three issues in xorg (CVE-2016-2624, CVE-2016-2625, CVE-2016-2626)

[Doran Moppert <dmoppert () redhat com>]

Vulnerabilities in xorg (server, libXdmcp, libICE) were recently
reported by Eric Sesterhenn of X41, and assigned CVEs by Red Hat.


> CVE-2017-2624 xorg-x11-server: timing attack against MIT Cookie

mitauth.c uses memcmp() to check the validity of MIT cookies, exposing a
possible timing attack on some platforms.

https://bugzilla.redhat.com/show_bug.cgi?id=1424984
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856398
https://bugzilla.novell.com/show_bug.cgi?id=1025029


> CVE-2017-2625 libXdmcp: weak entropy usage for session keys

In the absence of arc4random(), xdmcp session keys are generated based
on getpid() and time(), which may allow a local attacker to brute-force
the key.

https://bugzilla.redhat.com/show_bug.cgi?id=1424987
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856399
https://bugzilla.novell.com/show_bug.cgi?id=1025046


> CVE-2017-2626 libICE: weak entropy usage in session keys

In the absence of arc4random(), the Inter-Client Exchange session keys
are generated based on gettimeofday(), which may allow a local attacker
to brute-force the key.

https://bugzilla.redhat.com/show_bug.cgi?id=1424992
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856400
https://bugzilla.novell.com/show_bug.cgi?id=1025068


The first issue is mitigated with recent glibc's memcmp, particularly
with -D_FORTIFY_SOURCE=2, and the other two by providing an
implementation of arc4random at compile time, such as libbsd.

I expect these to be announced shortly at
<https://www.x.org/wiki/Development/Security/>.



-- 
Doran Moppert
Red Hat Product Security