|
|
Subscribe / Log in / New account

[CVE-2006-1526] X.Org security advisory: Buffer overflow in the Xrender extension

[Posted May 3, 2006 by corbet]

From:  Matthieu Herrb <matthieu.herrb-AT-laas.fr>
To:  xorg-AT-lists.freedesktop.org
Subject:  [CVE-2006-1525] X.Org security advisory: Buffer overflow in the Xrender extension
Date:  Tue, 02 May 2006 16:05:21 +0200
Cc:  xorg-annonce-AT-lists.freedesktop.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, May 2nd 2006
Buffer overflow in the Xrender extension of the X.Org server
CVE-ID: CVE-2006-1526

Overview:

A client of the X server using the X render extension is able to
send requests that will cause a buffer overflow in the server side of
the extension.
This overflow can be exploited by an authorized client to execute
malicious code inside the X server, which is generally running with
root privileges.

Vulnerability details:

An unfortunate typo ('&' instead of '*' in an expression) causes the
code to mis-compute the size of memory allocations in the
XRenderCompositeTriStrip and XRenderCompositeTriFan requests.  Thus a
buffer that may be too small is used to store the parameters of the
request. On platforms where the ALLOCATE_LOCAL() macro is using
alloca(), this is a stack overflow, on other platforms this is a heap
overflow.

Affected versions:

X.Org 6.8.0 and later versions are vulnerable, as well as all individual
releases of the modular xorg-xserver package.

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0

Fix:

Apply the patch below to the source tree for the modular xorg-server
source package:

9a9356f86fe2c10985f1008d459fb272           xorg-server-1.0.x-mitri.diff
d6eba2bddac69f12f21785ea94397b206727ba93   xorg-server-1.0.x-mitri.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/

For X.Org 6.8.x or 6.9.0, apply one of the patches below:

d666925bfe3d76156c399091578579ae           x11r6.9.0-mitri.diff
3d9da8bb9b28957c464d28ea194d5df50e2a3e5c   x11r6.9.0-mitri.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/

d5b46469a65972786b57ed2b010c3eb2          xorg-68x-CVE-2006-1526.patch
f764a77a0da4e3af88561805c5c8e28d5c5b3058  xorg-68x-CVE-2006-1526.patch
http://xorg.freedesktop.org/releases/X11R6.8.2/patches/

Thanks:

We would like to thank Bart Massey who reported the issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iQCVAwUBRFdnIXKGCS6JWssnAQJe5gP/cP29g04rwqZil8tYD4bGpjb/cW1tAlyd
T47I9qBg8asATow0HROiq8SuoG2B4g07InAZfvbdCERebYpk6lEO2L4os/4bmRW2
qG2n29a8+WfRJ0hiLwVEiLxeMtNTnK/Rh3Qsb2dhTvSWhpnuiji2IzVqVjurwCyu
RKDGgq6q/k8=
=IA5Z
-----END PGP SIGNATURE-----

_______________________________________________
xorg mailing list
xorg@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/xorg

to post comments

CVE reference incorrect

Posted May 3, 2006 16:04 UTC (Wed) by cortana (subscriber, #24596) [Link]

Should be CVE-2006-1526.


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds