Matthieu Herrb
2007-Jan-09 06:15 UTC
[ANNOUNCE] X.Org Security Advisory: multiple integer overflows in dbe and render extensions
X.Org security advisory, January 9th, 2007
Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103

Overview

The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and ProcRenderAddGlyphs()
functions in the X server, implementing requests for the dbe and render
extensions, may be used to overwrite data on the stack or in other parts
of the X server memory.

Vulnerability details

iDefense Labs security researchers discovered that the expressions
computing the parameters for ALLOCATE_LOCAL() in those functions use
client-provided values in expressions that are subject to integer
overflows, which could lead to memory corruption.

Moreover, since ALLOCATE_LOCAL() is generally implemented using alloca(),
these corruptions happen on the stack. And since there is no way for
alloca() to return failure, a pointer outside the stack can be returned
if the requested size is bigger than the current stack size, leading to
potential corruption in other memory segments.

The vulnerable requests are only available to an already authenticated
client of the X server.

Affected versions

All X.Org X server versions implementing the X render and dbe extensions
are vulnerable. Other X server implementations based on the X11R6 sample
implementation are probably vulnerable too.

Fix

Apply one of the following patches:

X.Org 6.8.2
  http://xorg.freedesktop.org/archive/X11R6.8.2/patches/
  MD5:  05f49f63cd2573a587d16e19bca7912e  xorg-68x-dbe-render.patch
  SHA1: df289636e51151121ef2924b094cb53a88fe936b  xorg-68x-dbe-render.patch

X.Org 6.9.0
  http://xorg.freedesktop.org/archive/X11R6.9.0/patches/
  MD5:  992f91012c2e2f4c8abdbe8bcdf7b0c4  x11r6.9.0-dbe-render.diff
  SHA1: 4fdb8f910ac98288745a06a8670dd1faaf5fea38  x11r6.9.0-dbe-render.diff

X.Org 7.0
  http://xorg.freedesktop.org/archive/X11R7.0/patches/
  MD5:  03abf171a5c9258bf6921109803f11ae  xorg-xserver-1.0.1-dbe-render.diff
  SHA1: 9aff9da694e32006ea69a02c7d9da66243ef4f7d  xorg-xserver-1.0.1-dbe-render.diff

X.Org 7.1
  http://xorg.freedesktop.org/archive/X11R7.1/patches/
  MD5:  f4325ae286e238e0fe8bc2d68b41735c  xorg-xserver-1.1.0-dbe-render.diff
  SHA1: 2c01ee26bac79d71c9925d2b8bbfbc6b73de9396  xorg-xserver-1.1.0-dbe-render.diff

A patch has also been committed to the xserver git repository for
development versions of the X server.

Thanks

Sean Larsson of iDefense Labs discovered the vulnerabilities and provided
sample code and advice on fixing them.

-- 
Matthieu Herrb
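The size-computation problem described under "Vulnerability details", shown as an added example that is not code from the X server or from the patches listed above. The record type item_t, the bound MAX_ALLOC_BYTES and all function names are hypothetical; the example contrasts a 32-bit size computation that wraps with a checked computation backed by a heap allocation that can report failure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 16-byte per-item record, standing in for whatever a
 * request handler allocates once per client-counted item. */
typedef struct { uint32_t a, b, c, d; } item_t;

/* Hypothetical upper bound on a single request-driven allocation. */
#define MAX_ALLOC_BYTES ((size_t)1 << 20)

/* Unchecked pattern: the byte count is computed in 32-bit arithmetic
 * from a client-supplied count and wraps modulo 2^32. */
uint32_t unchecked_size(uint32_t n)
{
    return n * (uint32_t)sizeof(item_t);
}

/* Checked pattern: divide instead of multiply, so the test itself
 * cannot overflow. Returns 0 and sets *out, or -1 on rejection. */
int checked_size(uint32_t n, size_t elem, size_t limit, size_t *out)
{
    if (n == 0 || elem == 0 || n > limit / elem)
        return -1;
    *out = (size_t)n * elem;
    return 0;
}

/* Heap allocation in place of alloca(): failure is reported as NULL
 * and the caller can return an allocation error to the client. */
item_t *alloc_items(uint32_t n)
{
    size_t bytes;
    if (checked_size(n, sizeof(item_t), MAX_ALLOC_BYTES, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t n = 0x10000001u;   /* constructed client-supplied count */
    item_t *p = alloc_items(n);
    printf("count=%u unchecked bytes=%u checked=%s\n", (unsigned)n,
           (unsigned)unchecked_size(n), p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the constructed count, the unchecked computation yields a buffer far smaller than the number of items the handler would then go on to write, which is the memory-corruption condition the advisory describes.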