X.Org security advisory june 2008 - Multiple vulnerabilities in X server extensions

Matthieu Herrb matthieu.herrb at laas.fr
Wed Jun 11 07:10:26 PDT 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, June 11th, 2008
Multiple vulnerabilities in X server extensions
CVE IDs: CVE-2008-1377, CVE-2008-1379,  CVE-2008-2360, CVE-2008-2361,
~         CVE-2008-2362


Overview

Several vulnerabilities have been found in the server-side code
of some extensions in the X Window System. Improper validation of
client-provided data can cause data corruption.


Impact

Exploiting these overflows will crash the X server or,
under certain circumstances allow the execution of arbitray machine code.

When the X server is running with root privileges (which is the case
for the Xorg server and for most kdrive based servers), these
vulnerabilities can thus also be used to raise privileges.

All these vulnerabilities, to be exploited successfully, require either
an already established connection to a running X server (and normally
running X servers are only accepting authenticated connections), or a
shell access with a valid user on the machine where the vulnerable
server is installed.


Affected versions

All released X.Org versions are vulnerable to these problems. Other
implementations derived from the X11 sample implementation are likely
to be affected too.


Vulnerabilities details

~ * CVE-2008-2360 - RENDER Extension heap buffer overflow

An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
overflow.

On systems where the X  SIGSEGV handler includes a stack trace, more
malloc()-type functions are called, which may lead to other
exploitable issues.

~ * CVE-2008-2361 - RENDER Extension crash

Similarly, an integer overflow may occur in the computation of the
size of the  glyph to be allocated by the ProcRenderCreateCursor()
function  which will cause less memory to be allocated than expected,
leading later to dereferencing  un-mapped memory, causing a crash of
the X server.

~ * CVE-2008-2362 - RENDER Extension memory corruption

Integer overflows can also occur in the code validating the parameters
for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and
SProcRenderCreateConicalGradient functions, leading to memory
corruption by swapping bytes outside of the intended request
parameters.

~ * CVE-2008-1379 - MIT-SHM arbitrary memory read

An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.

~ * CVE-2008-1377 - RECORD and Security extensions memory corruption

Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.


Workarounds

The vulnerabilies described here can be avoided by disabling the
corresponding extensions (at the cost of losing the functionalities
offered by these extensions) in the /etc/X11/xorg.conf configuration
file:


~  Section "Extensions"
	Option "MIT-SHM" "disable"
	Option "RENDER" "disable"
	Option "SECURITY" "disable"
~  EndSection

~  Section "Module"
~       Disable "record"
~  EndSection


Fixes

Fixes for all these vulnerabilities will be included in the next
release of the Xorg xserver package. Patches for earlier versions are
also provided:

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1377.diff
MD5: 7462bea57623ad7ccdcad334ff5592b3  xorg-xserver-1.4-cve-2008-1377.diff
SHA1: 2b75985081665b8d646b5810d411047c6c150576
xorg-xserver-1.4-cve-2008-1377.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1379.diff
MD5: edb93f202b70eea8f6cb6be39b126e56  xorg-xserver-1.4-cve-2008-1379.diff
SHA1: 1ca8b8417d805e0c233bda4b980cb168ec444abd
xorg-xserver-1.4-cve-2008-1379.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2360.diff
MD5: 7e45c657e587ddb85b36b0ac155ae20c  xorg-xserver-1.4-cve-2008-2360.diff
SHA1: 2e8532fe737e702cb18160705cd75daed4141a4c
xorg-xserver-1.4-cve-2008-2360.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2361.diff
MD5: 0841c68a30d458918bd11747cf28bae6  xorg-xserver-1.4-cve-2008-2361.diff
SHA1: 950af2461d0bc5ff5b2b3cc40d517344a77e19f9
xorg-xserver-1.4-cve-2008-2361.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2362.diff
MD5: 7c86b4b6927f1ed6e0f58c04ed984ea5  xorg-xserver-1.4-cve-2008-2362.diff
SHA1: e773f720057785062958d0fa9f29a4cb441883c8
xorg-xserver-1.4-cve-2008-2362.diff


Credits

These vulnerabilities were reported to iDefense by regenrecht.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBSE/c0nKGCS6JWssnAQI7kwP9GxbFef3WsfL/audl9W8lI8+2BVc0yV0h
IXrwgZ/kK0RsJPCxIjWpwwD+CyhvU6P/iw8k/ETJxQpwO1MnPapBW2YROqPqG/Dc
Tt7zuC4tn0wYL0sovnANqj4hOhiiB/0K8lviN/qWJidXt6qF6+wp5hqAx4ffcpmZ
6Etk7Ss/6iM=
=a7tZ
-----END PGP SIGNATURE-----

More information about the xorg mailing list