A vulnerability in the X.Org X server could allow an attacker to execute arbitrary code with the privileges of the server.
The X Window System provides a number of components to support graphical user interfaces, primarily on Unix-like operating systems. It features a client-server design whereby client applications specify instructions to a server (the X server) which then interacts with the display hardware to render graphics on the display. The X Rendering Extension (Render) introduces digital image composition as the foundation of a rendering model within the X Window System. The X.Org Foundation provides a free and open source implementation of the X Window System, including the X render extension.
A flaw in the render extension, reportedly introduced through a typographical error, causes an incorrect computation for memory allocation size in XRenderCompositeTriStrip() and XRenderCompositeTriFan() requests. As a result, a buffer may be allocated that is too small to store the parameters of the request. For platforms where the ALLOCATE_LOCAL() macro is using alloca(), this situation can cause a stack overflow; on other platforms, it can cause a heap overflow.
A client of the X server using the X render extension is able to send requests that will cause a buffer overflow in the server side of the extension. This overflow can be exploited by an authorized client to execute malicious code inside the X server, which is generally running with root privileges.
Apply a patch
Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Bart Massey with reporting this issue to them.
This document was written by Chad R Dougherty.
|Date First Published:||2006-06-16|
|Date Last Updated:||2006-07-05 19:51 UTC|