Bug 161163 - xorg-server: multiple integer overflows in dbe and render extensions
Summary: xorg-server: multiple integer overflows in dbe and render extensions
Status: RESOLVED DUPLICATE of bug 157421
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://lists.freedesktop.org/archives...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-09 18:02 UTC by Donnie Berkholz (RETIRED)
Modified: 2007-01-09 18:23 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Donnie Berkholz (RETIRED) gentoo-dev 2007-01-09 18:02:35 UTC
X.Org security advisory, January 9th, 2007
Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103

Overview

The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and
ProcRenderAddGlyphs() functions in the X server, implementing requests
for the dbe and render extensions, may be used to overwrite data on
the stack or in other parts of the X server memory.

Vulnerability details

iDefense Lab security researchers discovered that the expressions
computing the parameters for ALLOCATE_LOCAL() in those functions are
using a client-provided value in an expression that is subject to
integer overflows, which could lead to memory corruption.

Moreover, since ALLOCATE_LOCAL() is generally implemented using
alloca(), these corruptions happen on the stack. And since
there's no way for alloca() to return failure, a pointer outside the
stack can be reported if the requested size is bigger than the current
stack size, leading to potential corruption in other memory segments.

The vulnerable requests are only available to an already authenticated
client of the X server.

Affected versions

All X.Org X server versions implementing the X render and dbe
extensions are vulnerable. Other X server implementations based on the
X11R6 sample implementation are probably vulnerable too.

Fix

Apply one of the following patches

X.Org 6.8.2
http://xorg.freedesktop.org/archive/X11R6.8.2/patches/
MD5:  05f49f63cd2573a587d16e19bca7912e         xorg-68x-dbe-render.patch
SHA1: df289636e51151121ef2924b094cb53a88fe936b xorg-68x-dbe-render.patch

X.Org 6.9.0
http://xorg.freedesktop.org/archive/X11R6.9.0/patches/
MD5:  992f91012c2e2f4c8abdbe8bcdf7b0c4         x11r6.9.0-dbe-render.diff
SHA1: 4fdb8f910ac98288745a06a8670dd1faaf5fea38 x11r6.9.0-dbe-render.diff

X.Org 7.0
http://xorg.freedesktop.org/archive/X11R7.0/patches/
MD5:  03abf171a5c9258bf6921109803f11ae         xorg-xserver-1.0.1-dbe-render.diff
SHA1: 9aff9da694e32006ea69a02c7d9da66243ef4f7d xorg-xserver-1.0.1-dbe-render.diff

X.Org 7.1
http://xorg.freedesktop.org/archive/X11R7.1/patches/
MD5:  f4325ae286e238e0fe8bc2d68b41735c         xorg-xserver-1.1.0-dbe-render.diff
SHA1: 2c01ee26bac79d71c9925d2b8bbfbc6b73de9396 xorg-xserver-1.1.0-dbe-render.diff

A patch has also been committed to the xserver git repository for
development versions of the X server.

Thanks

Sean Larsson of iDefense Labs discovered the vulnerabilities and
provided sample code and advice in fixing them.

--
Matthieu Herrb
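
The size-computation problem described under "Vulnerability details", next to a checked alternative, as an added example (not code from the advisory, the X.Org patches or the X server). `item_t`, the function names and the sample count are hypothetical, and the example assumes a request whose entries have a fixed size on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 16-byte server-side record built for each client-supplied entry. */
typedef struct { uint32_t field[4]; } item_t;

/* Unchecked pattern: a 32-bit product of a client-provided count wraps silently. */
static uint32_t unchecked_size(uint32_t count)
{
    return count * (uint32_t)sizeof(item_t);
}

/* Checked pattern: reject counts the request could not have carried and
 * products that do not fit in size_t. Returns 0 and sets *out on success. */
static int checked_size(uint32_t count, size_t req_bytes,
                        size_t wire_item_bytes, size_t *out)
{
    if (wire_item_bytes == 0 || count > req_bytes / wire_item_bytes)
        return -1;
    if (count > SIZE_MAX / sizeof(item_t))
        return -1;
    *out = (size_t)count * sizeof(item_t);
    return 0;
}

/* Heap allocation reports failure with NULL, which alloca() cannot do. */
static item_t *alloc_items(uint32_t count, size_t req_bytes, size_t wire_item_bytes)
{
    size_t bytes;
    if (checked_size(count, req_bytes, wire_item_bytes, &bytes) != 0)
        return NULL;
    return malloc(bytes ? bytes : 1);
}

int main(void)
{
    uint32_t count = 0x10000001u; /* constructed client-provided value */
    printf("unchecked size for %u items: %u bytes\n",
           (unsigned)count, (unsigned)unchecked_size(count));
    item_t *p = alloc_items(count, 64, 8);
    printf("checked allocation: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```

With the constructed count, the unchecked product wraps to the size of a single record, so any loop that then writes `count` records runs far past the buffer; the checked path rejects the request before allocating.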
Comment 1 Donnie Berkholz (RETIRED) gentoo-dev 2007-01-09 18:05:03 UTC
I'll put ebuilds together, probably later today.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-09 18:23:34 UTC

*** This bug has been marked as a duplicate of bug 157421 ***