CERT/CC Vulnerability Note VU#633257

Overview

A vulnerability in the X.Org X server could allow an attacker to execute arbitrary code with the privileges of the server.

Description

The X Window System provides a number of components to support graphical user interfaces, primarily on Unix-like operating systems. It features a client-server design whereby client applications specify instructions to a server (the X server) which then interacts with the display hardware to render graphics on the display. The X Rendering Extension (Render) introduces digital image composition as the foundation of a rendering model within the X Window System. The X.Org Foundation provides a free and open source implementation of the X Window System, including the X render extension.

A flaw in the render extension, reportedly introduced through a typographical error, causes an incorrect computation for memory allocation size in XRenderCompositeTriStrip() and XRenderCompositeTriFan() requests. As a result, a buffer may be allocated that is too small to store the parameters of the request. For platforms where the ALLOCATE_LOCAL() macro is using alloca(), this situation can cause a stack overflow; on other platforms, it can cause a heap overflow.

Impact

A client of the X server using the X render extension is able to send requests that will cause a buffer overflow in the server side of the extension. This overflow can be exploited by an authorized client to execute malicious code inside the X server, which is generally running with root privileges.

Solution

Apply a patch

A number of redistributors have supplied patches for this issue. Please see the Systems Affected section of this document for more information.

Vendor Information

633257

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Fedora Project Affected

Gentoo Linux Affected

Mandriva, Inc. Affected

OpenBSD Affected

Red Hat, Inc. Affected

SUSE Linux Affected

Slackware Linux Inc. Affected

Sun Microsystems, Inc. Affected

Ubuntu Affected

X.org Foundation Affected

Updated: June 09, 2006

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 X.Org security advisory, May 2nd 2006 Buffer overflow in the Xrender extension of the X.Org server CVE-ID: CVE-2006-1526 Overview: A client of the X server using the X render extension is able to send requests that will cause a buffer overflow in the server side of the extension. This overflow can be exploited by an authorized client to execute malicious code inside the X server, which is generally running with root privileges. Vulnerability details: An unfortunate typo ('&' instead of '*' in an expression) causes the code to mis-compute the size of memory allocations in the XRenderCompositeTriStrip and XRenderCompositeTriFan requests. Thus a buffer that may be too small is used to store the parameters of the request. On platforms where the ALLOCATE_LOCAL() macro is using alloca(), this is a stack overflow, on other platforms this is a heap overflow. Affected versions: X.Org 6.8.0 and later versions are vulnerable, as well as all individual releases of the modular xorg-xserver package. To check which version you have, run Xorg -version: % Xorg -version X Window System Version 7.0.0 Release Date: 21 December 2005 X Protocol Version 11, Revision 0, Release 7.0 Fix: Apply the patch below to the source tree for the modular xorg-server source package: 9a9356f86fe2c10985f1008d459fb272 xorg-server-1.0.x-mitri.diff d6eba2bddac69f12f21785ea94397b206727ba93 xorg-server-1.0.x-mitri.diffhttp://xorg.freedesktop.org/releases/X11R7.0/patches/For X.Org 6.8.x or 6.9.0, apply one of the patches below: d666925bfe3d76156c399091578579ae x11r6.9.0-mitri.diff 3d9da8bb9b28957c464d28ea194d5df50e2a3e5c x11r6.9.0-mitri.diffhttp://xorg.freedesktop.org/releases/X11R6.9.0/patches/d5b46469a65972786b57ed2b010c3eb2 xorg-68x-CVE-2006-1526.patch f764a77a0da4e3af88561805c5c8e28d5c5b3058 xorg-68x-CVE-2006-1526.patchhttp://xorg.freedesktop.org/releases/X11R6.8.2/patches/Thanks: We would like to thank Bart Massey who reported the issue. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Fedora -http://enigmail.mozdev.orgiQCVAwUBRFdnIXKGCS6JWssnAQJe5gP/cP29g04rwqZil8tYD4bGpjb/cW1tAlyd T47I9qBg8asATow0HROiq8SuoG2B4g07InAZfvbdCERebYpk6lEO2L4os/4bmRW2 qG2n29a8+WfRJ0hiLwVEiLxeMtNTnK/Rh3Qsb2dhTvSWhpnuiji2IzVqVjurwCyu RKDGgq6q/k8= =IA5Z -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Bart Massey with reporting this issue to them.

This document was written by Chad R Dougherty.

Other Information

CVE IDs:	CVE-2006-1526
Severity Metric:	3.12
Date Public:	2006-05-02
Date First Published:	2006-06-16
Date Last Updated:	2006-07-05 19:51 UTC
Document Revision:	34

Software Engineering Institute

CERT Coordination Center

X.Org server buffer overflow in Xrender extension

Vulnerability Note VU#633257

Overview

Description

Impact

Solution

Vendor Information

Fedora Project Affected

Gentoo Linux Affected

Mandriva, Inc. Affected

OpenBSD Affected

Red Hat, Inc. Affected

SUSE Linux Affected

Slackware Linux Inc. Affected

Sun Microsystems, Inc. Affected

Ubuntu Affected

X.org Foundation Affected

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC