Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <aa1585dd-d109-463e-9639-9b6f576a3f1e@oracle.com>
Date: Fri, 26 Jan 2024 13:53:41 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list

Over on the full-disclosure mailing list today, a number of messages were
delivered (though dated last week, presumably due to moderation delays)
from Meng Ruijie at the National University of Singapore, disclosing CVE
assignments in a range of FOSS programs, including:

Null pointer deference in freedesktop mesa
Null pointer dereference in Xedit
NULL pointer dereference in tgetstr() of ncurses
Buffer Overflow in glXQueryServerString() of mesa
Null pointer deference in XGetWMHints() of Xfig
NULL pointer dereference in the function handle_viminfo_register() of vim
NULL pointer dereference in __glXGetDrawableAttribute() of Mesa
NULL pointer dereference in XIQueryDevice() of gnome gtk
NULL pointer dereference in glXGetDrawableScreen() of OpenGL libglvnd
null pointer deference in GNU Midnight at /tty/x11conn.c
null pointer deference in gnome gdk-pixbuf
arithmetic exception in S-lang via the function tt_sprintf()
null pointer deference in gnome gtk via init_randr15() at gdkscreen-x11.c
SEGV in S-Lang via fixup_tgetstr()
null pointer deference in gnome gtk via parse_settings() at xsettings-client.c
NULL pointer dereference in freedesktop Mesa via check_xshm()
null pointer deference in nano via read_the_list()
NULL pointer dereference in QT via the function QXcbConnection::initializeAllAtoms()
Buffer Overflow in graphviz via via a crafted config6a file
null pointer deference in MiniZinc via a crafted .mzn file
null pointer deference in Sane via a crafted config file
null pointer deference in tex-live via a crafted cmr10.pfb
null pointer deference in LLVM
null pointer deference in MiniZinc via a crafted Preferences.json file
null pointer deference in tex-live
Buffer overflow in Sane

as you can see on https://seclists.org/fulldisclosure/2024/Jan/

Unfortunately, many of the email titles are misleading as they represent
bugs other than NULL pointer dereferences.  For instance,
"NULL pointer dereference in __glXGetDrawableAttribute() of Mesa" from
https://seclists.org/fulldisclosure/2024/Jan/50 points to
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9857 which is an
out-of-bounds read that would segfault long before it could cause the
pointer to wrap around to a NULL value.

While I can't speak for all the projects involved, I can speak for the
X.Org maintainers & security team, and I can say that we were not
consulted or informed about this CVE filing - if I wasn't on the FD
mailing list, I wouldn't even know it had happened.  The CNA responsible
has not yet published the CVE to the CVE database yet, so we can't yet
file a dispute, but once they do, I plan to request that they withdraw
CVE-2023-45916 for xedit, as there is no security boundary crossed here
and the bug doesn't allow someone to do anything they otherwise couldn't.

The claim in https://seclists.org/fulldisclosure/2024/Jan/45 is that if
you can edit /usr/local/lib/X11/xedit/lisp/lisp.lsp you can make xedit
crash - but if you can edit that file you can just change the lisp code
to do whatever you want already, so while I see a low-priority bug there
I don't see any security exposure worthy of a CVE.  (The bug report also
doesn't explain how an attacker would have permissions to modify that
file in the first place, without already having privileges to do far
worse to the system.)

The Mesa developers I spoke to on IRC today were similarly surprised by
these CVE assignments for their project, so please be kind to the
maintainers of the above projects if they similarly are unaware of these
CVE's and surprised that someone would claim a security vulnerability
exists given the circumstances.

-- 
      -Alan Coopersmith-              alan.coopersmith@...cle.com
        X.Org Security Response Team - xorg-security@...ts.x.org

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.