SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#633257

X.Org server buffer overflow in Xrender extension

Overview

A vulnerability in the X.Org X server could allow an attacker to execute arbitrary code with the privileges of the server.

I. Description

The X Window System provides a number of components to support graphical user interfaces, primarily on Unix-like operating systems. It features a client-server design whereby client applications specify instructions to a server (the X server) which then interacts with the display hardware to render graphics on the display. The X Rendering Extension (Render) introduces digital image composition as the foundation of a rendering model within the X Window System. The X.Org Foundation provides a free and open source implementation of the X Window System, including the X render extension.

A flaw in the render extension, reportedly introduced through a typographical error, causes an incorrect computation for memory allocation size in XRenderCompositeTriStrip() and XRenderCompositeTriFan() requests. As a result, a buffer may be allocated that is too small to store the parameters of the request. For platforms where the ALLOCATE_LOCAL() macro is using alloca(), this situation can cause a stack overflow; on other platforms, it can cause a heap overflow.

II. Impact

A client of the X server using the X render extension is able to send requests that will cause a buffer overflow in the server side of the extension. This overflow can be exploited by an authorized client to execute malicious code inside the X server, which is generally running with root privileges.

III. Solution

Apply a patch


A number of redistributors have supplied patches for this issue. Please see the Systems Affected section of this document for more information.

Systems Affected

VendorStatusDate NotifiedDate Updated
Fedora ProjectVulnerable9-Jun-2006
Gentoo LinuxVulnerable8-Jun-2006
Mandriva, Inc.Vulnerable8-Jun-2006
OpenBSDVulnerable8-Jun-2006
Red Hat, Inc.Vulnerable8-Jun-2006
Slackware Linux Inc.Vulnerable9-Jun-2006
Sun Microsystems, Inc.Vulnerable9-Jun-2006
SUSE LinuxVulnerable9-Jun-2006
UbuntuVulnerable9-Jun-2006
X.org FoundationVulnerable9-Jun-2006

References


http://secunia.com/advisories/19900/
http://secunia.com/advisories/19915/
http://secunia.com/advisories/19916/
http://secunia.com/advisories/19921/
http://secunia.com/advisories/19943/
http://secunia.com/advisories/19951/
http://secunia.com/advisories/19956/
http://secunia.com/advisories/19983/
http://www.auscert.org.au/6259
http://www.auscert.org.au/6268
http://www.auscert.org.au/6271
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102339-1
http://www.ciac.org/ciac/bulletins/q-189.shtml

Credit

Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Bart Massey with reporting this issue to them.

This document was written by Chad R Dougherty.

Other Information

Date Public:2006-05-02
Date First Published:2006-06-16
Date Last Updated:2006-07-05
CERT Advisory: 
CVE-ID(s):CVE-2006-1526
NVD-ID(s):CVE-2006-1526
US-CERT Technical Alerts: 
Metric:3.12
Document Revision:34

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader