X.Org server buffer overflow in Xrender extension

Overview

A vulnerability in the X.Org X server could allow an attacker to execute arbitrary code with the privileges of the server.

Description

The X Window System provides a number of components to support graphical user interfaces, primarily on Unix-like operating systems. It features a client-server design whereby client applications specify instructions to a server (the X server) which then interacts with the display hardware to render graphics on the display. The X Rendering Extension (Render) introduces digital image composition as the foundation of a rendering model within the X Window System. The X.Org Foundation provides a free and open source implementation of the X Window System, including the X render extension.

A flaw in the render extension, reportedly introduced through a typographical error, causes an incorrect computation for memory allocation size in XRenderCompositeTriStrip() and XRenderCompositeTriFan() requests. As a result, a buffer may be allocated that is too small to store the parameters of the request. For platforms where the ALLOCATE_LOCAL() macro is using alloca(), this situation can cause a stack overflow; on other platforms, it can cause a heap overflow.

---

Impact

A client of the X server using the X render extension is able to send requests that will cause a buffer overflow in the server side of the extension. This overflow can be exploited by an authorized client to execute malicious code inside the X server, which is generally running with root privileges.

---

Solution

Apply a patch

A number of redistributors have supplied patches for this issue. Please see the Systems Affected section of this document for more information.

---

Vendor Information

633257

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Fedora Project __ Affected

Updated: June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Fedora Project security team has published Fedora Legacy Update Advisory FLSA:190777 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

Gentoo Linux __ Affected

Updated: June 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Gentoo security team has published Gentoo Linux Security Advisory GLSA 200605-02 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

Mandriva, Inc. __ Affected

Updated: June 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandriva, Inc. has published Mandriva Linux Security Advisory MDKSA-2006:081-1 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

OpenBSD __ Affected

Updated: June 08, 2006

Status

Affected

Vendor Statement

`A security vulnerability has been found in the X.Org server –
CVE-2006-1526. Clients authorized to connect to the X server are able to
crash it and to execute malicious code within the X server.

Patches for the respective releases:
[ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/002_xorg.patch`](<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/002_xorg.patch&gt;) ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/007_xorg.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/013_xorg.patch

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

OpenBSD’s fix for this issue was committed to the head of their CVS repository on 2006-05-03.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

Red Hat, Inc. __ Affected

Updated: June 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat, Inc. has published Red Hat Security Advisory RHSA-2006:0451 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

SUSE Linux __ Affected

Updated: June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SUSE has published SUSE Security Announcement SUSE-SA:2006:023 in response to this issue. Users are encouraged to review this announcement and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

Slackware Linux Inc. __ Affected

Updated: June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware has published Slackware security advisory SSA:2006-123-01 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

Sun Microsystems, Inc. __ Affected

Updated: June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun has published Sun Alert ID 102339 in response to this issue. Users are encouraged to review this document and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

Ubuntu __ Affected

Updated: June 09, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Ubuntu Linux security team has published Ubuntu Security Notice USN-280-1 in response to this issue. Users are encouraged to review this notice and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23633257 Feedback>).

X.org Foundation __ Affected

Updated: June 09, 2006

Status

Affected

Vendor Statement

`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, May 2nd 2006
Buffer overflow in the Xrender extension of the X.Org server
CVE-ID: CVE-2006-1526

Overview:

A client of the X server using the X render extension is able to
send requests that will cause a buffer overflow in the server side of
the extension.
This overflow can be exploited by an authorized client to execute
malicious code inside the X server, which is generally running with
root privileges.

Vulnerability details:

An unfortunate typo (‘&’ instead of ‘*’ in an expression) causes the
code to mis-compute the size of memory allocations in the
XRenderCompositeTriStrip and XRenderCompositeTriFan requests. Thus a
buffer that may be too small is used to store the parameters of the
request. On platforms where the ALLOCATE_LOCAL() macro is using
alloca(), this is a stack overflow, on other platforms this is a heap
overflow.

Affected versions:

X.Org 6.8.0 and later versions are vulnerable, as well as all individual
releases of the modular xorg-xserver package.

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0

Fix:

Apply the patch below to the source tree for the modular xorg-server
source package:

9a9356f86fe2c10985f1008d459fb272 xorg-server-1.0.x-mitri.diff
d6eba2bddac69f12f21785ea94397b206727ba93 xorg-server-1.0.x-mitri.diff
[_http://xorg.freedesktop.org/releases/X11R7.0/patches/_`](<http://xorg.freedesktop.org/releases/X11R7.0/patches/&gt;)`

For X.Org 6.8.x or 6.9.0, apply one of the patches below:

d666925bfe3d76156c399091578579ae x11r6.9.0-mitri.diff
3d9da8bb9b28957c464d28ea194d5df50e2a3e5c x11r6.9.0-mitri.diff
[_http://xorg.freedesktop.org/releases/X11R6.9.0/patches/_`](<http://xorg.freedesktop.org/releases/X11R6.9.0/patches/&gt;)`

d5b46469a65972786b57ed2b010c3eb2 xorg-68x-CVE-2006-1526.patch
f764a77a0da4e3af88561805c5c8e28d5c5b3058 xorg-68x-CVE-2006-1526.patch
[_http://xorg.freedesktop.org/releases/X11R6.8.2/patches/_`](<http://xorg.freedesktop.org/releases/X11R6.8.2/patches/&gt;)`

Thanks:

We would like to thank Bart Massey who reported the issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - [http://enigmail.mozdev.org](<http://enigmail.mozdev.org/>)

iQCVAwUBRFdnIXKGCS6JWssnAQJe5gP/cP29g04rwqZil8tYD4bGpjb/cW1tAlyd
T47I9qBg8asATow0HROiq8SuoG2B4g07InAZfvbdCERebYpk6lEO2L4os/4bmRW2
qG2n29a8+WfRJ0hiLwVEiLxeMtNTnK/Rh3Qsb2dhTvSWhpnuiji2IzVqVjurwCyu
RKDGgq6q/k8=
=IA5Z
-----END PGP SIGNATURE-----`

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://secunia.com/advisories/19900/&gt;
• <http://secunia.com/advisories/19915/&gt;
• <http://secunia.com/advisories/19916/&gt;
• <http://secunia.com/advisories/19921/&gt;
• <http://secunia.com/advisories/19943/&gt;
• <http://secunia.com/advisories/19951/&gt;
• <http://secunia.com/advisories/19956/&gt;
• <http://secunia.com/advisories/19983/&gt;
• <http://www.auscert.org.au/6259&gt;
• <http://www.auscert.org.au/6268&gt;
• <http://www.auscert.org.au/6271&gt;
• <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102339-1&gt;
• <http://www.ciac.org/ciac/bulletins/q-189.shtml&gt;

Acknowledgements

Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Bart Massey with reporting this issue to them.

This document was written by Chad R Dougherty.

Other Information

CVE IDs:	CVE-2006-1526
Severity Metric:	3.12 Date Public: