X.Org security advisory, June 3rd, 2008 Multiple vulnerabilities in X server extensions CVE IDs: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362 Overview Several vulnerabilities have been found in the server-side code of some extensions in the X Window System. Improper validation of client-provided data can cause data corruption. Impact Exploiting these overflows will crash the X server or, under certain circumstances allow the execution of arbitray machine code. When the X server is running with root privileges (which is the case for the Xorg server and for most kdrive based servers), these vulnerabilities can thus also be used to raise privileges. All these vulnerabilities, to be exploited succesfully, require either an already established connection to a running X server (and normally running X servers are only accepting authenticated connections), or a shell access with a valid user on the machine where the vulnerable server is installed. Affected versions All released X.Org versions are vulnerable to these problems. Other implementations derived from the X11 sample implementation are likely to be affected too. Vulnerabilities details * CVE-2008-2360 - RENDER Extension heap buffer overflow An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow. On systems where the X SIGSEGV handler includes a stack trace, more malloc()-type functions are called, which may lead to other exploitable issues. * CVE-2008-2361 - RENDER Extension crash Similarly, an integer overflow may occur in the computation of the size of the glyph to be allocated by the PRocRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server. * CVE-2008-2362 - RENDER Extension memory corruption Integer overflows can also occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters. * CVE-2008-1379 - MIT-SHM arbitrary memory read An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space. * CVE-2008-1377 - RECORD and Security extensions memory corruption Lack of validation of the parameters of the SProcSecurityGenerateAuthorization SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption. * DBE Memory corruption There is a bit of broken program logic in DBE code. After calling XdbeAllocateBackBufferName() (dbe/dbe.c, line 365) with 'drawable' being an oversized Window resource (big enough to make CreatePixmap() fail) DbeWindowPriv (pWindow->devPrivates[dbeWindowPrivIndex].ptr) is left in inconsistent state, leading to potential X server crash, but without exploitable conditions. Workarounds The vulnerabilies described here can be avoided by disabling the corresponding extensions (at the cost of losing the functionalities offered by these extensions) in the /etc/X11/xorg.conf configuration file: Section "Extensions" Option "MIT-SHM" "disable" Option "RENDER" "disable" Option "SECURITY" "disable" EndSection Section "Module" Disable "record" EndSection Fixes Fixes for all these vulnerabilities will be included in the next release of the Xorg xserver package. Patches for earlier versions are also provided: ftp://ftp.freedesktop.org/pub/xorg/X11R7.2/patches/ ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/ Credits These vulnerabilities were reported to iDefense by regenrecht.