[CVE-2006-1525] X.Org security advisory: Buffer overflow in the Xrender extension
Matthieu Herrb
matthieu.herrb at laas.fr
Tue May 2 07:05:21 PDT 2006
X.Org security advisory, May 2nd 2006
Buffer overflow in the Xrender extension of the X.Org server
CVE-ID: CVE-2006-1526

Overview:
A client of the X server using the X render extension is able to
send requests that will cause a buffer overflow in the server side of
the extension.
This overflow can be exploited by an authorized client to execute
malicious code inside the X server, which is generally running with
root privileges.

Vulnerability details:
An unfortunate typo ('&' instead of '*' in an expression) causes the
code to mis-compute the size of memory allocations in the
XRenderCompositeTriStrip and XRenderCompositeTriFan requests. Thus a
buffer that may be too small is used to store the parameters of the
request. On platforms where the ALLOCATE_LOCAL() macro uses
alloca(), this is a stack overflow; on other platforms it is a heap
overflow.
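
The effect of the '&'-for-'*' typo on an allocation size, as an added example that is not part of the advisory and is not the X server's code. The 24-byte triangle_t record, the function names and the sample counts are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in triangle record (assumed layout): three points of two 32-bit
 * fixed-point coordinates, 24 bytes in total. */
typedef struct { int32_t x, y; } point_t;
typedef struct { point_t p1, p2, p3; } triangle_t;
_Static_assert(sizeof(triangle_t) == 24, "example assumes a 24-byte record");

/* The typo class from the advisory: '&' where '*' was meant. The result is
 * a bit mask of the count, so it can never exceed sizeof(triangle_t). */
static size_t size_with_typo(size_t ntri) { return ntri & sizeof(triangle_t); }

/* Intended size, rejecting counts whose product would wrap around. */
static int size_checked(size_t ntri, size_t *out)
{
    if (ntri > SIZE_MAX / sizeof(triangle_t)) return 0;
    *out = ntri * sizeof(triangle_t);
    return 1;
}

/* Bytes by which a typo-sized buffer falls short of what the data needs
 * (SIZE_MAX if the count itself is rejected). */
static size_t shortfall(size_t ntri)
{
    size_t need;
    return size_checked(ntri, &need) ? need - size_with_typo(ntri) : SIZE_MAX;
}

/* Defensive store: copies only when the destination capacity covers the data. */
static int store_triangles(void *dst, size_t cap, const triangle_t *src, size_t ntri)
{
    size_t need;
    if (!size_checked(ntri, &need) || need > cap) return -1;
    memcpy(dst, src, need);
    return 0;
}

int main(void)
{
    static const size_t counts[] = {1, 2, 8, 24, 100, 1000}; /* constructed */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("ntri=%4zu  typo=%2zu bytes  needed=%5zu bytes  short by %5zu\n",
               counts[i], size_with_typo(counts[i]),
               counts[i] * sizeof(triangle_t), shortfall(counts[i]));
    return 0;
}
```

A store that re-derives the required size and compares it with the real buffer capacity, as store_triangles() does here, refuses the copy even when the allocation size was computed wrongly.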

Affected versions:
X.Org 6.8.0 and later versions are vulnerable, as well as all individual
releases of the modular xorg-xserver package.
To check which version you have, run Xorg -version:

    % Xorg -version
    X Window System Version 7.0.0
    Release Date: 21 December 2005
    X Protocol Version 11, Revision 0, Release 7.0

Fix:
Apply the patch below to the source tree for the modular xorg-server
source package:
9a9356f86fe2c10985f1008d459fb272 xorg-server-1.0.x-mitri.diff
d6eba2bddac69f12f21785ea94397b206727ba93 xorg-server-1.0.x-mitri.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/

For X.Org 6.8.x or 6.9.0, apply one of the patches below:
d666925bfe3d76156c399091578579ae x11r6.9.0-mitri.diff
3d9da8bb9b28957c464d28ea194d5df50e2a3e5c x11r6.9.0-mitri.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/
d5b46469a65972786b57ed2b010c3eb2 xorg-68x-CVE-2006-1526.patch
f764a77a0da4e3af88561805c5c8e28d5c5b3058 xorg-68x-CVE-2006-1526.patch
http://xorg.freedesktop.org/releases/X11R6.8.2/patches/

Thanks:
We would like to thank Bart Massey who reported the issue.