George sherwood
2006-05-06 20:31:00 UTC
Summary
============
A client of the X server using the X render extension is able to
send requests that will cause a buffer overflow in the server side of
the extension.
This overflow can be exploited by an authorized client to execute
malicious code inside the X server, which is generally running with
root privileges.
Impact
======
An unfortunate typo ('&' instead of '*' in an expression) causes the
code to mis-compute the size of memory allocations in the
XRenderCompositeTriStrip and XRenderCompositeTriFan requests. Thus a
buffer that may be too small is used to store the parameters of the
request. On platforms where the ALLOCATE_LOCAL() macro is using
alloca(), this is a stack overflow, on other platforms this is a heap
overflow.
Affected versions:
=========
X.Org 6.8.0 and later versions are vulnerable, as well as all individual
releases of the modular xorg-xserver package.
Solution:
=========
Update xorg as soon as possible.
Resolution
==========
All xorg users should upgrade to the latest available version:
# scribe update
# cast -c xorg
or
# scribe update
# sorcery queue-security
# cast --queue
References
============
http://lists.freedesktop.org/archives/xorg/2006-May/015136.html
============
A client of the X server using the X render extension is able to
send requests that will cause a buffer overflow in the server side of
the extension.
This overflow can be exploited by an authorized client to execute
malicious code inside the X server, which is generally running with
root privileges.
Impact
======
An unfortunate typo ('&' instead of '*' in an expression) causes the
code to mis-compute the size of memory allocations in the
XRenderCompositeTriStrip and XRenderCompositeTriFan requests. Thus a
buffer that may be too small is used to store the parameters of the
request. On platforms where the ALLOCATE_LOCAL() macro is using
alloca(), this is a stack overflow, on other platforms this is a heap
overflow.
Affected versions:
=========
X.Org 6.8.0 and later versions are vulnerable, as well as all individual
releases of the modular xorg-xserver package.
Solution:
=========
Update xorg as soon as possible.
Resolution
==========
All xorg users should upgrade to the latest available version:
# scribe update
# cast -c xorg
or
# scribe update
# sorcery queue-security
# cast --queue
References
============
http://lists.freedesktop.org/archives/xorg/2006-May/015136.html
--
George Sherwood
Source Mage GNU/Linux developer
http://www.sourcemage.org
George Sherwood
Source Mage GNU/Linux developer
http://www.sourcemage.org