oss-sec mailing list archives
three issues in xorg (CVE-2016-2624, CVE-2016-2625, CVE-2016-2626)
From: Doran Moppert <dmoppert () redhat com>
Date: Wed, 1 Mar 2017 11:01:30 +1030
Vulnerabilities in xorg (server, libXdmcp, libICE) were recently reported by Eric Sesterhenn of X41, and assigned CVEs by Red Hat.
CVE-2017-2624 xorg-x11-server: timing attack against MIT Cookie
mitauth.c uses memcmp() to check the validity of MIT cookies, exposing a possible timing attack on some platforms. https://bugzilla.redhat.com/show_bug.cgi?id=1424984 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856398 https://bugzilla.novell.com/show_bug.cgi?id=1025029
CVE-2017-2625 libXdmcp: weak entropy usage for session keys
In the absence of arc4random(), xdmcp session keys are generated based on getpid() and time(), which may allow a local attacker to brute-force the key. https://bugzilla.redhat.com/show_bug.cgi?id=1424987 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856399 https://bugzilla.novell.com/show_bug.cgi?id=1025046
CVE-2017-2626 libICE: weak entropy usage in session keys
In the absence of arc4random(), the Inter-Client Exchange session keys are generated based on gettimeofday(), which may allow a local attacker to brute-force the key. https://bugzilla.redhat.com/show_bug.cgi?id=1424992 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856400 https://bugzilla.novell.com/show_bug.cgi?id=1025068 The first issue is mitigated with recent glibc's memcmp, particularly with -D_FORTIFY_SOURCE=2, and the other two by providing an implementation of arc4random at compile time, such as libbsd. I expect these to be announced shortly at <https://www.x.org/wiki/Development/Security/>. -- Doran Moppert Red Hat Product Security
Current thread:
- three issues in xorg (CVE-2016-2624, CVE-2016-2625, CVE-2016-2626) Doran Moppert (Feb 28)
- Re: three issues in xorg (CVE-*2017*-2624, CVE-*2017*-2625, CVE-*2017*-2626) Doran Moppert (Feb 28)