X.Org security advisory june 2008 - Multiple vulnerabilities in X server extensions
matthieu.herrb at laas.fr
Wed Jun 11 07:10:26 PDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
X.Org security advisory, June 11th, 2008
Multiple vulnerabilities in X server extensions
CVE IDs: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361,
Several vulnerabilities have been found in the server-side code
of some extensions in the X Window System. Improper validation of
client-provided data can cause data corruption.
Exploiting these overflows will crash the X server or,
under certain circumstances allow the execution of arbitray machine code.
When the X server is running with root privileges (which is the case
for the Xorg server and for most kdrive based servers), these
vulnerabilities can thus also be used to raise privileges.
All these vulnerabilities, to be exploited successfully, require either
an already established connection to a running X server (and normally
running X servers are only accepting authenticated connections), or a
shell access with a valid user on the machine where the vulnerable
server is installed.
All released X.Org versions are vulnerable to these problems. Other
implementations derived from the X11 sample implementation are likely
to be affected too.
~ * CVE-2008-2360 - RENDER Extension heap buffer overflow
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
On systems where the X SIGSEGV handler includes a stack trace, more
malloc()-type functions are called, which may lead to other
~ * CVE-2008-2361 - RENDER Extension crash
Similarly, an integer overflow may occur in the computation of the
size of the glyph to be allocated by the ProcRenderCreateCursor()
function which will cause less memory to be allocated than expected,
leading later to dereferencing un-mapped memory, causing a crash of
the X server.
~ * CVE-2008-2362 - RENDER Extension memory corruption
Integer overflows can also occur in the code validating the parameters
for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and
SProcRenderCreateConicalGradient functions, leading to memory
corruption by swapping bytes outside of the intended request
~ * CVE-2008-1379 - MIT-SHM arbitrary memory read
An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.
~ * CVE-2008-1377 - RECORD and Security extensions memory corruption
Lack of validation of the parameters of the
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
The vulnerabilies described here can be avoided by disabling the
corresponding extensions (at the cost of losing the functionalities
offered by these extensions) in the /etc/X11/xorg.conf configuration
~ Section "Extensions"
Option "MIT-SHM" "disable"
Option "RENDER" "disable"
Option "SECURITY" "disable"
~ Section "Module"
~ Disable "record"
Fixes for all these vulnerabilities will be included in the next
release of the Xorg xserver package. Patches for earlier versions are
MD5: 7462bea57623ad7ccdcad334ff5592b3 xorg-xserver-1.4-cve-2008-1377.diff
MD5: edb93f202b70eea8f6cb6be39b126e56 xorg-xserver-1.4-cve-2008-1379.diff
MD5: 7e45c657e587ddb85b36b0ac155ae20c xorg-xserver-1.4-cve-2008-2360.diff
MD5: 0841c68a30d458918bd11747cf28bae6 xorg-xserver-1.4-cve-2008-2361.diff
MD5: 7c86b4b6927f1ed6e0f58c04ed984ea5 xorg-xserver-1.4-cve-2008-2362.diff
These vulnerabilities were reported to iDefense by regenrecht.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the xorg-announce