[Bug 274842] New: Security Upgrade in X11 Library Crashes IDL
https://bugzilla.novell.com/show_bug.cgi?id=274842

Summary: Security Upgrade in X11 Library Crashes IDL
Product: openSUSE 10.2
Version: Final
Platform: i586
OS/Version: openSUSE 10.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: X.Org
AssignedTo: sndirsch@novell.com
ReportedBy: schuh@astro.physik.uni-goettingen.de
QAContact: sndirsch@novell.com

Since the X11 Library security update issued on 04/20/2007, IDL (Interactive Data Language, by RSI Inc.) crashes with a segmentation fault when executing the tv or related commands. To reproduce (this will work with either a licensed or a demo version):

  idl
  IDL> tv,findgen(10,10)

This causes a brief pop-up of a graphics window that should have been displayed, followed by immediate termination of IDL with a segmentation fault.

A competent, more comprehensive description is at http://www.ittvis.com/services/techtip.asp?ttid=4177 which focuses on the appearance of the problem on Debian etch and derived systems. Note that I here refer to their "SEG FAULT CAUSE 1", _not_ the "SEG FAULT CAUSE 2: The Mesa3D Library Introduction Of New Clashing Symbols" which is already treated at https://bugzilla.novell.com/show_bug.cgi?id=230432

The libx11 related seg fault obviously affects a large number of hardware+OS combinations (including e.g. 10.0) beyond those in the classification given above. The "remedy" described at the ITTVIS site (downgrading to the previous libx11 version) works but is obviously rather unsatisfactory.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=274842

sndirsch@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mhopf@novell.com, mkoenig@novell.com,
                   |                            |eich@novell.com
             Status|NEW                         |ASSIGNED
           Priority|P5 - None                   |P2 - High
https://bugzilla.novell.com/show_bug.cgi?id=274842

------- Comment #1 from mkoenig@novell.com 2007-05-16 02:28 MST -------
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418016
https://bugzilla.novell.com/show_bug.cgi?id=274842

------- Comment #2 from mkoenig@novell.com 2007-05-16 06:26 MST -------
This is the same as in the analysis of the Debian bug 418016. IDL does not check the return value of XCreateImage:

Breakpoint 1, XCreateImage (dpy=0x75e1a0, visual=0x7639e0, depth=24, format=2, offset=0, data=0x0, width=10, height=10, xpad=8, image_bytes_per_line=10) at ImUtil.c:327
327     {
(gdb) finish
Run till exit from #0  XCreateImage (dpy=0x75e1a0, visual=0x7639e0, depth=24, format=2, offset=0, data=0x0, width=10, height=10, xpad=8, image_bytes_per_line=10) at ImUtil.c:327
0x00002ae74b343dbe in rw_drawable () from ./libidl.so.6.2
Value returned is $1 = (XImage *) 0x0
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00002ae74b343de0 in rw_drawable () from ./libidl.so.6.2

This is due to the following check, that has been introduced in the bug-252958_libX11.diff (Bug #252958):

Breakpoint 1, XCreateImage (dpy=0x75f870, visual=0x764590, depth=24, format=2, offset=0, data=0x0, width=10, height=10, xpad=8, image_bytes_per_line=10) at ImUtil.c:327
327     {
(gdb) n
..
375       if (image_bytes_per_line == 0) {
(gdb)
377       } else if (image_bytes_per_line < min_bytes_per_line) {
(gdb)
387       return image;
(gdb)
388     }
(gdb) p image_bytes_per_line
$8 = 10
(gdb) p min_bytes_per_line
$9 = 40
(gdb) p image
$10 = (XImage *) 0x0
https://bugzilla.novell.com/show_bug.cgi?id=274842

------- Comment #3 from sndirsch@novell.com 2007-05-16 06:40 MST -------
Created an attachment (id=140417)
 --> (https://bugzilla.novell.com/attachment.cgi?id=140417&action=view)
bug-252958_libX11.diff

libX11 security fix used for openSUSE 10.2
https://bugzilla.novell.com/show_bug.cgi?id=274842

------- Comment #4 from sndirsch@novell.com 2007-05-16 06:48 MST -------
Just to get an idea of the complete context.

/*
 * CreateImage
 *
 * Allocates the memory necessary for an XImage data structure.
 * Initializes the structure with "default" values and returns XImage.
 *
 */

XImage *XCreateImage (
    register Display *dpy,
    register Visual *visual,
    unsigned int depth,
    int format,
    int offset,     /*How many pixels from the start of the data does the
                      picture to be transmitted start?*/
    char *data,
    unsigned int width,
    unsigned int height,
    int xpad,
    int image_bytes_per_line)
                    /*How many bytes between a pixel on one line and the
                      pixel with the same X coordinate on the next line?
                      0 means XCreateImage can calculate it.*/
{
    register XImage *image;
    int bits_per_pixel = 1;
    int min_bytes_per_line;

    if (depth == 0 || depth > 32 ||
        (format != XYBitmap && format != XYPixmap && format != ZPixmap) ||
        (format == XYBitmap && depth != 1) ||
        (xpad != 8 && xpad != 16 && xpad != 32) ||
        offset < 0)
        return (XImage *) NULL;
    if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL)
        return (XImage *) NULL;

    image->width = width;
    image->height = height;
    image->format = format;
    image->byte_order = dpy->byte_order;
    image->bitmap_unit = dpy->bitmap_unit;
    image->bitmap_bit_order = dpy->bitmap_bit_order;
    if (visual != NULL) {
        image->red_mask = visual->red_mask;
        image->green_mask = visual->green_mask;
        image->blue_mask = visual->blue_mask;
    } else {
        image->red_mask = image->green_mask = image->blue_mask = 0;
    }
    if (format == ZPixmap) {
        bits_per_pixel = _XGetBitsPerPixel(dpy, (int) depth);
    }

    image->xoffset = offset;
    image->bitmap_pad = xpad;
    image->depth = depth;
    image->data = data;
    /*
     * compute per line accelerator.
     */
    {
        if (format == ZPixmap)
            min_bytes_per_line =
                ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
        else
            min_bytes_per_line =
                ROUNDUP((width + offset), image->bitmap_pad);
    }
    if (image_bytes_per_line == 0) {
        image->bytes_per_line = min_bytes_per_line;
    } else if (image_bytes_per_line < min_bytes_per_line) {
        return 0;
    } else {
        image->bytes_per_line = image_bytes_per_line;
    }

    image->bits_per_pixel = bits_per_pixel;
    image->obdata = NULL;
    _XInitImageFuncPtrs (image);

    return image;
}
https://bugzilla.novell.com/show_bug.cgi?id=274842

------- Comment #5 from sndirsch@novell.com 2007-05-16 06:51 MST -------

(gdb) p image_bytes_per_line
$8 = 10
(gdb) p min_bytes_per_line
$9 = 40

    } else if (image_bytes_per_line < min_bytes_per_line) {
        return 0;

==> Value returned is $1 = (XImage *) 0x0
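The rejected call worked through with the numbers from the gdb session, as an added stand-alone C model of the patched check (this is not Xlib's code): ROUNDUP is reproduced as defined in ImUtil.c, and bits_per_pixel is passed in instead of being read from the Display, with 32 for depth 24 assumed because it yields the observed minimum of 40. The model also shows the one thing a caller can do, namely pass 0 so the library computes the stride, and then test the result for NULL.

```c
#include <stdio.h>

/* Image formats as numbered in X11/Xlib.h. */
enum { XYBitmap = 0, XYPixmap = 1, ZPixmap = 2 };

/* ROUNDUP as defined in Xlib's ImUtil.c: nbits rounded up to a multiple
   of pad bits, returned as a byte count. */
static int roundup_bytes(int nbits, int pad) {
    return ((nbits + (pad - 1)) / pad) * (pad >> 3);
}

/* Minimum stride the patched XCreateImage requires. bits_per_pixel is what
   _XGetBitsPerPixel would return for the depth; passing it in keeps this
   model independent of a Display (assumption: 32 for depth 24 below). */
int min_bytes_per_line(int format, unsigned width, int offset, int pad,
                       int bits_per_pixel) {
    if (format == ZPixmap)
        return roundup_bytes(bits_per_pixel * (int)width, pad);
    return roundup_bytes((int)width + offset, pad);
}

/* Model of the check from bug-252958_libX11.diff: the stride XCreateImage
   would store, or -1 where the patched library hands the caller NULL. */
int check_bytes_per_line(int format, unsigned width, int offset, int pad,
                         int bits_per_pixel, int image_bytes_per_line) {
    int minimum = min_bytes_per_line(format, width, offset, pad, bits_per_pixel);
    if (image_bytes_per_line == 0)
        return minimum;                 /* 0: let Xlib compute it */
    if (image_bytes_per_line < minimum)
        return -1;                      /* rejected since the security fix */
    return image_bytes_per_line;
}

int main(void) {
    /* Arguments from the gdb session in comment #2: depth 24 ZPixmap,
       width 10, xpad 8, image_bytes_per_line 10. */
    int got = check_bytes_per_line(ZPixmap, 10, 0, 8, 32, 10);
    printf("IDL's stride 10 vs minimum %d: %s\n",
           min_bytes_per_line(ZPixmap, 10, 0, 8, 32),
           got < 0 ? "rejected, XCreateImage returns NULL" : "accepted");
    /* Passing 0 lets the library compute a valid stride; the caller must
       still test the returned XImage pointer for NULL before using it. */
    printf("stride 0 -> %d\n", check_bytes_per_line(ZPixmap, 10, 0, 8, 32, 0));
    return 0;
}
```

Note that the posted library code never frees the XImage it allocated on the `return 0;` path, so each rejected call also leaks one XImage struct in addition to handing the caller NULL.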
https://bugzilla.novell.com/show_bug.cgi?id=274842

sndirsch@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |schuh@astro.physik.uni-goettingen.de

------- Comment #6 from sndirsch@novell.com 2007-05-16 07:01 MST -------
http://www.ittvis.com/services/techtip.asp?ttid=4177

"[...] Around April 19th the IDL Graphics Interface development team found both temporary workarounds for immediate disclosure, and the path to a more permanent workaround that will be incorporated in the May 2007 release of IDL 6.4 . There will also be an IDL 6.3/ENVI 4.3 For Linux patch. [...]"
                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Unfortunately we can't fix other vendors' proprietary software. And going back to an insecure libX11 version is not an option either.

Sonja, I would like to ask you to follow the development on ITT's website for this issue and let us know, once a new fixed version or patch for an existing version is available. I'll set this one to NEEDINFO therefore.

Thanks a lot for reporting this issue.
https://bugzilla.novell.com/show_bug.cgi?id=274842

------- Comment #7 from eich@novell.com 2007-05-17 01:47 MST -------
The

  return 0;

in the security patch should read:

  return (XImage *) NULL;

But XCreateImage() has been implemented to return NULL under certain circumstances which isn't documented in the man page.

On the other hand the security patch changed the semantics of XCreateImage(): it now does stricter checking on the validity of the parameters passed to it. I don't quite see the reason for this fix in #252958: if image_bytes_per_line is too small to accommodate width at depth, XGetPixels() would read in the wrong place (but not further to the end of the image data). XCreateImage() is not responsible for allocating the image data area. The caller (i.e. the application) is. IMHO the segfault can only happen if the caller allocated the data area based on this bogus value. However this is solely in the responsibility of the caller and not Xlib. Even with a sane value the caller could always allocate too little memory. So returning 0 is just a hint for the caller that it may have passed a nonsensical value.

I don't know why IDL does this as this broken pixmap is of not much use, but it may just be that IDL is wired in a way that this doesn't matter. I'm more concerned about released ISV applications that are deployed today which may be affected by this behavior, as the IDL example shows that an application can live happily with broken values for a very long time.
https://bugzilla.novell.com/show_bug.cgi?id=274842

------- Comment #8 from mkoenig@novell.com 2007-05-21 04:38 MST -------
The issue is fixed upstream in the recently released version 6.4. A temporary workaround for old IDL versions will be available at http://beta.suse.com/private/mkoenig/idl-workaround/ (might take some time until server is synced)

I think we can close this issue now. Sonja, can you please confirm that the workaround fixes the problem in Göttingen?
https://bugzilla.novell.com/show_bug.cgi?id=274842

------- Comment #9 from schuh@astro.physik.uni-goettingen.de 2007-05-21 07:46 MST -------
The temporary workaround (http://beta.suse.com/private/mkoenig/idl-workaround/) has proven to work for IDL 6.2 installations on 10.0 and 10.2 systems (Goettingen) and for IDL 6.1 installations on 9.3 systems (Tuebingen). ITT should probably be made aware of this (Matthias?) so they can better advise other affected users.

When the patches for older versions that make the workaround obsolete become available I'll report this asap.
https://bugzilla.novell.com/show_bug.cgi?id=274842#c10
Sonja Schuh