search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

X.Org server buffer overflow in Xrender extension

Vulnerability Note VU#633257

Original Release Date: 2006-06-16 | Last Revised: 2006-07-05

Overview

A vulnerability in the X.Org X server could allow an attacker to execute arbitrary code with the privileges of the server.

Description

The X Window System provides a number of components to support graphical user interfaces, primarily on Unix-like operating systems. It features a client-server design whereby client applications specify instructions to a server (the X server) which then interacts with the display hardware to render graphics on the display. The X Rendering Extension (Render) introduces digital image composition as the foundation of a rendering model within the X Window System. The X.Org Foundation provides a free and open source implementation of the X Window System, including the X render extension.

A flaw in the render extension, reportedly introduced through a typographical error, causes an incorrect computation for memory allocation size in XRenderCompositeTriStrip() and XRenderCompositeTriFan() requests. As a result, a buffer may be allocated that is too small to store the parameters of the request. For platforms where the ALLOCATE_LOCAL() macro is using alloca(), this situation can cause a stack overflow; on other platforms, it can cause a heap overflow.

Impact

A client of the X server using the X render extension is able to send requests that will cause a buffer overflow in the server side of the extension. This overflow can be exploited by an authorized client to execute malicious code inside the X server, which is generally running with root privileges.

Solution

Apply a patch

A number of redistributors have supplied patches for this issue. Please see the Systems Affected section of this document for more information.

Vendor Information

633257
 
Expand all

Fedora Project Affected

Updated:  June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Fedora Project security team has published Fedora Legacy Update Advisory FLSA:190777 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux Affected

Updated:  June 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Gentoo security team has published Gentoo Linux Security Advisory GLSA 200605-02 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc. Affected

Updated:  June 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandriva, Inc. has published Mandriva Linux Security Advisory MDKSA-2006:081-1 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD Affected

Updated:  June 08, 2006

Status

Affected

Vendor Statement

A security vulnerability has been found in the X.Org server --
CVE-2006-1526. Clients authorized to connect to the X server are able to
crash it and to execute malicious code within the X server.

Patches for the respective releases:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/002_xorg.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/007_xorg.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/013_xorg.patch

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

OpenBSD's fix for this issue was committed to the head of their CVS repository on 2006-05-03.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc. Affected

Updated:  June 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat, Inc. has published Red Hat Security Advisory RHSA-2006:0451 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux Affected

Updated:  June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SUSE has published SUSE Security Announcement SUSE-SA:2006:023 in response to this issue. Users are encouraged to review this announcement and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Linux Inc. Affected

Updated:  June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware has published Slackware security advisory SSA:2006-123-01 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems, Inc. Affected

Updated:  June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun has published Sun Alert ID 102339 in response to this issue. Users are encouraged to review this document and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu Affected

Updated:  June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Ubuntu Linux security team has published Ubuntu Security Notice USN-280-1 in response to this issue. Users are encouraged to review this notice and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

X.org Foundation Affected

Updated:  June 09, 2006

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, May 2nd 2006
Buffer overflow in the Xrender extension of the X.Org server
CVE-ID: CVE-2006-1526

Overview:

A client of the X server using the X render extension is able to
send requests that will cause a buffer overflow in the server side of
the extension.
This overflow can be exploited by an authorized client to execute
malicious code inside the X server, which is generally running with
root privileges.

Vulnerability details:

An unfortunate typo ('&' instead of '*' in an expression) causes the
code to mis-compute the size of memory allocations in the
XRenderCompositeTriStrip and XRenderCompositeTriFan requests.  Thus a
buffer that may be too small is used to store the parameters of the
request. On platforms where the ALLOCATE_LOCAL() macro is using
alloca(), this is a stack overflow, on other platforms this is a heap
overflow.

Affected versions:

X.Org 6.8.0 and later versions are vulnerable, as well as all individual
releases of the modular xorg-xserver package.

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0

Fix:

Apply the patch below to the source tree for the modular xorg-server
source package:

9a9356f86fe2c10985f1008d459fb272           xorg-server-1.0.x-mitri.diff
d6eba2bddac69f12f21785ea94397b206727ba93   xorg-server-1.0.x-mitri.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/

For X.Org 6.8.x or 6.9.0, apply one of the patches below:

d666925bfe3d76156c399091578579ae           x11r6.9.0-mitri.diff
3d9da8bb9b28957c464d28ea194d5df50e2a3e5c   x11r6.9.0-mitri.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/

d5b46469a65972786b57ed2b010c3eb2          xorg-68x-CVE-2006-1526.patch
f764a77a0da4e3af88561805c5c8e28d5c5b3058  xorg-68x-CVE-2006-1526.patch
http://xorg.freedesktop.org/releases/X11R6.8.2/patches/

Thanks:

We would like to thank Bart Massey who reported the issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iQCVAwUBRFdnIXKGCS6JWssnAQJe5gP/cP29g04rwqZil8tYD4bGpjb/cW1tAlyd
T47I9qBg8asATow0HROiq8SuoG2B4g07InAZfvbdCERebYpk6lEO2L4os/4bmRW2
qG2n29a8+WfRJ0hiLwVEiLxeMtNTnK/Rh3Qsb2dhTvSWhpnuiji2IzVqVjurwCyu
RKDGgq6q/k8=
=IA5Z
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Bart Massey with reporting this issue to them.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2006-1526
Severity Metric: 3.12
Date Public: 2006-05-02
Date First Published: 2006-06-16
Date Last Updated: 2006-07-05 19:51 UTC
Document Revision: 34

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis