[ANNOUNCE] X.Org Security Advisory: multiple integer overflows in dbe and render extensions

Matthieu Herrb matthieu.herrb at laas.fr
Tue Jan 9 06:14:56 PST 2007


X.Org security advisory, January 9th, 2007
Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103

Overview

The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and
ProcRenderAddGlyphs() functions in the X server, implementing requests
for the dbe and render extensions, may be used to overwrite data on
the stack or in other parts of the X server memory.

Vulnerability details

iDefense Labs security researchers discovered that the expressions
computing the parameters for ALLOCATE_LOCAL() in those functions use
client-provided values in a way that is subject to integer overflows,
which could lead to memory corruption.

Moreover, since ALLOCATE_LOCAL() is generally implemented using
alloca(), these corruptions happen on the stack. And since there is
no way for alloca() to return failure, a pointer outside the stack
can be returned if the requested size is bigger than the current
stack size, leading to potential corruption in other memory segments.

The vulnerable requests are only available to an already authenticated
client of the X server.
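
Added example (not part of the original advisory and not X server
code): a C sketch of the size computation described above, showing the
unchecked 32-bit multiplication beside a checked form that also keeps
large requests away from alloca(). The names item_t, MAX_STACK_BYTES,
checked_size() and choose_alloc() and the 4096-byte cap are
hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-item record standing in for what a request handler allocates. */
typedef struct { uint32_t id, width, height; } item_t;   /* 12 bytes */

#define MAX_STACK_BYTES 4096u   /* assumed cap for alloca()-style buffers */

/* Unchecked pattern: the product wraps modulo 2^32, so a huge count
 * from the client can yield a tiny allocation size. */
static uint32_t unchecked_size(uint32_t n)
{
    return n * (uint32_t)sizeof(item_t);
}

/* Checked form: returns 0 and stores the byte count, or -1 if
 * n * elem does not fit in 32 bits. */
static int checked_size(uint32_t n, size_t elem, uint32_t *out)
{
    if (elem == 0 || n > UINT32_MAX / elem)
        return -1;
    *out = (uint32_t)(n * elem);
    return 0;
}

/* alloca() cannot report failure, so only small, validated sizes may
 * use the stack; larger ones go to the heap, where malloc() can
 * return NULL and the request can be failed cleanly. */
enum alloc_choice { ALLOC_REJECT, ALLOC_STACK, ALLOC_HEAP };

static enum alloc_choice choose_alloc(uint32_t n)
{
    uint32_t bytes;
    if (checked_size(n, sizeof(item_t), &bytes) != 0)
        return ALLOC_REJECT;
    return bytes <= MAX_STACK_BYTES ? ALLOC_STACK : ALLOC_HEAP;
}

int main(void)
{
    uint32_t n = 0x15555556u;   /* constructed count: 12 * n = 2^32 + 8 */
    printf("unchecked size for n=%u: %u bytes\n",
           (unsigned)n, (unsigned)unchecked_size(n));
    printf("choose_alloc: n=10 -> %d, n=1000 -> %d, n=%u -> %d\n",
           choose_alloc(10), choose_alloc(1000), (unsigned)n, choose_alloc(n));
    return 0;
}
```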

Affected versions

All X.Org X server versions implementing the X render and dbe
extensions are vulnerable. Other X server implementations based on the
X11R6 sample implementation are probably vulnerable too.

Fix

Apply one of the following patches:

X.Org 6.8.2
http://xorg.freedesktop.org/archive/X11R6.8.2/patches/
MD5:  05f49f63cd2573a587d16e19bca7912e         xorg-68x-dbe-render.patch
SHA1: df289636e51151121ef2924b094cb53a88fe936b xorg-68x-dbe-render.patch

X.Org 6.9.0
http://xorg.freedesktop.org/archive/X11R6.9.0/patches/
MD5:  992f91012c2e2f4c8abdbe8bcdf7b0c4         x11r6.9.0-dbe-render.diff
SHA1: 4fdb8f910ac98288745a06a8670dd1faaf5fea38 x11r6.9.0-dbe-render.diff

X.Org 7.0
http://xorg.freedesktop.org/archive/X11R7.0/patches/
MD5:  03abf171a5c9258bf6921109803f11ae         xorg-xserver-1.0.1-dbe-render.diff
SHA1: 9aff9da694e32006ea69a02c7d9da66243ef4f7d xorg-xserver-1.0.1-dbe-render.diff

X.Org 7.1
http://xorg.freedesktop.org/archive/X11R7.1/patches/
MD5:  f4325ae286e238e0fe8bc2d68b41735c         xorg-xserver-1.1.0-dbe-render.diff
SHA1: 2c01ee26bac79d71c9925d2b8bbfbc6b73de9396 xorg-xserver-1.1.0-dbe-render.diff

A patch has also been committed to the xserver git repository for
development versions of the X server.

Thanks

Sean Larsson of iDefense Labs discovered the vulnerabilities and
provided sample code and advice on fixing them.

- --
Matthieu Herrb