Opened 4 years ago

Closed 4 years ago

#12260 closed enhancement (fixed)

libICE-1.0.10 (Xorg Library) - refix for CVE-2017-2626

Reported by: Douglas R. Reno Owned by: Bruce Dubbs
Priority: high Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:


New point version

Marking as Critical due to the fact that this is a fix for a fix due to arc4random being removed in Linux 3.16+

libICE provides the API for the Inter-Client Exchange protocol.

This release provides a fix for CVE-2017-2626 for platforms which don't have
arc4random_buf() in their default libraries but do have getentropy(), such
as Linux platforms with a kernel version of 3.17 or newer and a glibc version
of 2.25 or newer. (libICE 1.0.9 already ensured that arc4random_buf()
is used on platforms that have it to provide sufficient entropy in ICE
key generation, but left other platforms with the weaker methods.  Linux
platforms could also have linked against libbsd to use arc4random_buf()
with libICE 1.0.9 for stronger keys.)

Alan Coopersmith (7):
      spec: Convert troff \*Q..\*U to DocBook <quote>...</quote>
      Remove obsolete B16 & B32 tags in struct definitions
      Update README for gitlab migration
      Update bug URL for gitlab migration
      IceOpenConnection: check for malloc failure on connect_to_you too
      IceWritePad: always use zero values for pad bytes
      libICE 1.0.10

Allison Lortie (2):
      authutil: fix an out-of-bounds access
      authutil: support $XDG_RUNTIME_DIR/ICEauthority

Benjamin Tissoires (1):
      Use getentropy() if arc4random_buf() is not available

Emil Velikov (6):
      use quoted string variables
      Kill off Strstr macro
      Kill off Time_t macro
      Remove unneeded ^L symbols.
      Kill off local ICE_t definitions
      set TRANS_CLIENT/SERVER

Eric Engestrom (3):
      Make sure errorStr is a free-able string
      Make sure error_message is a free-able string
      Make sure string is never NULL

Jon TURNEY (1):
      Include unistd.h for getpid()

Mihail Konev (1):
      autogen: add default patch prefix

Olivier Fourdan (3):
      IceListenForWellKnownConnections: Fix memleak
      _IceRead: Avoid possible use-after-free
      cleanup: Separate variable assignment and test

Peter Hutterer (1):
      use exec instead of waiting for configure to finish

Remko van der Vossen (1):
      Bug 90616 - libICE build fails on array bounds check

Tobias Stoeckmann (2):
      Fix use after free on subsequent calls
      Always terminate strncpy results.

walter harms (3):
      Drop NULL check prior to free()
      make IceProtocolShutdown() more readable
      iceauth.c: FIX warning: unused variable 'ret' in 'arc4random_buf'

Weak Entropy Usage in Session Keys in libICE

Vulnerability Type: Other

Affected Products: libICE

Attack Type: Local

Impact: Escalation of Privileges

Severity Rating: medium

Confirmed Affected Version: 1.0.9 and lower

Confirmed Patched Version: -

Vector: local

CVE: CVE-2017-2626

CVSS Score: 7.1

Summary and Impact

libICE depends on arc4random() as well to generate the session cookies, thereby falling back to the same weak mechanism as libXdmcp:

char *
IceGenerateMagicCookie (
    int len
)
{
    char    *auth;
#ifndef HAVE_ARC4RANDOM_BUF
    long    ldata[2];
    int     seed;
    int     value;
    int     i;
#endif

    if ((auth = malloc (len + 1)) == NULL)
        return (NULL);

#ifdef HAVE_ARC4RANDOM_BUF
    /* strong path: only taken when the platform provides arc4random_buf() */
    arc4random_buf(auth, len);
#else
    /* weak path: the seed is derived from the current time (or time + pid) */
#ifdef ITIMER_REAL
    {
        struct timeval  now;
        X_GETTIMEOFDAY (&now);
        ldata[0] = now.tv_sec;
        ldata[1] = now.tv_usec;
    }
#else
    {
        long    time ();
        ldata[0] = time ((long *) 0);
        ldata[1] = getpid ();
    }
#endif
    seed = (ldata[0]) + (ldata[1] << 16);
    srand (seed);
    for (i = 0; i < len; i++)
    {
        value = rand ();
        auth[i] = value & 0xff;
    }
#endif
    auth[len] = '\0';
    return (auth);
}

For this issue a PoC is available which takes 2-3 seconds to retrieve the key: icetest.c

Compile against libbsd.
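For comparison with the time-seeded generator above, here is an added example (not libICE's own code) of a cookie generator in the spirit of the 1.0.10 fix: arc4random_buf() when the build defines HAVE_ARC4RANDOM_BUF (assumed to come from the build system, as in autoconf builds), getentropy() otherwise, and no fallback to srand()/rand() at all. The function names generate_magic_cookie() and fill_entropy() are hypothetical, and getentropy() requires Linux 3.17+ with glibc 2.25+ (or another libc that provides it).

```c
/* Added example, not libICE code: an entropy-backed magic cookie generator
 * that fails closed instead of falling back to a time-seeded rand(). */
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>          /* getentropy(), glibc 2.25+ / Linux 3.17+ */

/* getentropy() refuses requests larger than 256 bytes (EIO), so a long
 * cookie must be filled in chunks. Returns 0 on success, -1 on failure. */
static int fill_entropy(unsigned char *buf, size_t len)
{
    while (len > 0) {
        size_t n = len > 256 ? 256 : len;
        if (getentropy(buf, n) != 0)
            return -1;
        buf += n;
        len -= n;
    }
    return 0;
}

/* Hypothetical replacement for IceGenerateMagicCookie(): returns a malloc()ed
 * buffer holding len random bytes plus a NUL terminator, or NULL on failure. */
char *generate_magic_cookie(int len)
{
    char *auth;

    if (len < 0)
        return NULL;
    if ((auth = malloc((size_t)len + 1)) == NULL)
        return NULL;

#ifdef HAVE_ARC4RANDOM_BUF
    /* Preferred source where the platform has it (BSDs, or libbsd). */
    arc4random_buf(auth, (size_t)len);
#else
    /* Kernel-backed entropy; if it is unavailable, refuse to hand out a
     * cookie rather than silently degrade to a guessable seed. */
    if (fill_entropy((unsigned char *)auth, (size_t)len) != 0) {
        free(auth);
        return NULL;
    }
#endif
    auth[len] = '\0';
    return auth;
}
```

Two cookies requested back to back will differ with overwhelming probability, which is exactly what the time-seeded version cannot guarantee when called within the same microsecond.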

Change History (3)

comment:1 by Bruce Dubbs, 4 years ago

Priority: highest → high

Escalation of Privileges is important, but not critical.

comment:2 by Bruce Dubbs, 4 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:3 by Bruce Dubbs, 4 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 21835.
