falso
/
cdesktopenv
mirror of https://git.code.sf.net/p/cdesktopenv/code
1
0
Fork 0
Code Issues Releases Wiki Activity
cdesktopenv/cde
History
Jon Trulson 6b32246d06 dtsession, DtSvc: fix CVE-2020-2696/VU#308289 
Marco Ivaldi <marco.ivaldi@mediaservice.net> has identified 3
vulnerabilities in CDE.

Two of them could affect our CDE (open-source version), while the 3rd
(sdtcm_convert) is Solaris specific.

The two vulnerabilities, both of which affect dtsession could allow a
local privilege escalation to root.  A POC exists for Solaris.  The
POC will not function on our CDE for two main reasons:

- the POC is Solaris specific
- The overflowed variables in question are allocated on the heap,
  whereas in Solaris these variables are located on the stack.

The first vulnerability allows an extra long palette name to be used
to cause a crash via insufficient validation in
SrvPalette.c:CheckMonitor().

The second, which has not yet been assigned a CERT CVE resides in
SmCreateDirs.c:_DtCreateDtDirs() in libDtSvc.  Due to insufficient
bounds checking, a crash or corruption can be achieved by using a very
long DISPLAY name.

This one is considered difficult to exploit, and no POC code is
available at this time.  CDE 2.x code-bases are also listed as not
vulnerable, however some work has been done anyway to do some proper
bounds checking in this function.

The following text portions are copied from the relevant advisories,
which have not been released as of this writing.

NOTE: Oracle CDE does NOT use CDE 2.3.0a or earlier as mentioned
below.  They are completely different code-bases):

Regarding CVE-2020-2692:

  A buffer overflow in the CheckMonitor() function in the Common
  Desktop Environment 2.3.0a and earlier, as distributed with Oracle
  Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
  root privileges via a long palette name passed to dtsession in a
  malicious .Xdefaults file.

  Note that Oracle Solaris CDE is based on the original CDE 1.x train,
  which is different from the CDE 2.x codebase that was later open
  sourced. Most notably, the vulnerable buffer in the Oracle Solaris
  CDE is stack-based, while in the open source version it is
  heap-based.

Regarding the DtSvc bug, which does not currently have a CERT CVE:

  A difficult to exploit stack-based buffer overflow in the
  _DtCreateDtDirs() function in the Common Desktop Environment version
  distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may
  allow local users to corrupt memory and potentially execute
  arbitrary code in order to escalate privileges via a long X11
  display name. The vulnerable function is located in the libDtSvc
  library and can be reached by executing the setuid program
  dtsession.

  The open source version of CDE (based on the CDE 2.x codebase) is
  not affected.
 		2020-01-13 19:13:23 -07:00
..
admin installCDE: don't hardcode path to whoami 2019-11-20 19:08:22 -07:00
config linux.cf: always use bison 2019-12-01 19:18:00 -07:00
contrib
databases Merge branch 'master' into utf8-conversion 2019-09-16 13:24:18 -06:00
debian debian: misc cleanup 2018-09-30 17:26:10 -06:00
doc Set version to 2.3.1a (devel) for current master 2019-11-18 13:03:52 -07:00
examples
historical Clean up OPENBUGS 2018-10-06 17:01:45 -06:00
imports/motif UTF-8 conversion: convert imports/motif/localized 2018-11-04 18:33:31 -07:00
include Use iconv on linux 2019-01-14 10:48:28 -07:00
lib dtsession, DtSvc: fix CVE-2020-2696/VU#308289 2020-01-13 19:13:23 -07:00
programs dtsession, DtSvc: fix CVE-2020-2696/VU#308289 2020-01-13 19:13:23 -07:00
util
.gitignore gitignore: add infolib/etc UTF-8 locales 2019-11-18 12:52:17 -07:00
CONTRIBUTORS
COPYING
HISTORY HISTORY: update for 2.3.1 release 2019-11-15 19:06:11 -07:00
Imakefile Remove useless logs/ directory 2018-11-04 18:34:06 -07:00
Makefile Set version to 2.3.1a (devel) for current master 2019-11-18 13:03:52 -07:00
README
copyright Set version to 2.3.1a (devel) for current master 2019-11-18 13:03:52 -07:00

README 

*************************************

The Common Desktop Environment is released under the terms of the LGPL
V.2 license. You may reuse and redistribute this code under the terms
of this license. See the COPYING file for details.

*************************************
Purpose of this release:

This release of CDE under a new opensource license is numbered
starting at version 2.2.0.

************************************
Downloading this release:

CDE may be downloaded in source form from the Common Desktop
Environment website:

http://sourceforge.net/projects/cdesktopenv/

Or via git:

git clone git://git.code.sf.net/p/cdesktopenv/code cdesktopenv-code

The git repository will always be more up to date than the
downloadable tarballs we make available, so if you have problems,
please try the latest version from git master.

************************************
Installing this release:

Complete build and installation instructions can be found on the CDE
wiki:

http://sourceforge.net/p/cdesktopenv/wiki/Home/

Please go there and read the appropriate section(s) for your OS (Linux
or FreeBSD/OpenBSD/NetBSD currently).  There are a variety of
dependencies that must be met, as well as specific set up steps
required to build.

Do not expect to just type 'make' and have it actually work without
meeting the prerequisites and following the correct steps as spelled
out on the wiki. :)

There are also a lot of other documents and information there that you
might find useful.

************************************
Support: 

You can join the development mailing list here:

https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel

There is a CDE IRC channel on chat.freenode.net, channel #cde

Bug reports and patches encouraged.