X.Org security advisory: CVE-2013-4396: Use after free in Xserver handling of ImageText requests

Alan Coopersmith alan.coopersmith at oracle.com
Mon Nov 18 11:32:09 PST 2013

On 11/18/13 10:48 AM, Jeremy C. Reed wrote:
> On Tue, 8 Oct 2013, Alan Coopersmith wrote:
>> Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org
>> security team in which an authenticated X client can cause an X server
>> to use memory after it was freed, potentially leading to crash and/or
>> memory corruption.
> Does this happen unknown to the authenticated user, where the X server
> crashes?  Or does the authenticated user actually need some instrumented
> malicious client to cause the crash? Does the memory corruption allow
> running some code on the server with different privileges?

I'm not sure how the authenticated user could not know when the X server
crashes, so I don't understand the first question.

As far as we know, any malicious client can cause the memory corruption,
with a crash being the most likely result - no one attempted to do the
deep analysis to determine if there's any way that the memory corruption
could be exploited to execute code, we really don't have anyone who is
both skilled in that and in the X server internals to do such analysis,
so we felt better to issue an advisory that may be worrying to much than
to ignore a problem someone more skilled than us could exploit.

> Does X.org Security use CVSS or some other measurement to decide if a
> bug is a security vulnerability? If so, where documented? Thanks.

No, we use our best judgment.

	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc

More information about the xorg mailing list