SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   X Vendors:   X.org
X ShmPutImage() Integer Overflow Lets Local Users and Remote Authenticated Users View Arbitrary Memory Contents
SecurityTracker Alert ID:  1020246
SecurityTracker URL:  http://securitytracker.com/id/1020246
CVE Reference:   CVE-2008-1379   (Links to External Site)
Date:  Jun 11 2008
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): X11R7.3
Description:   A vulnerability was reported in the X Window System. A local user or remote authenticated user can view arbitrary memory contents on the target system.

A local user or a remote authenticated user can send specially crafted data to trigger an integer overflow in the processing of ShmPutImage() requests and allow the user to view arbitrary X server memory locations.

The vendor was notified on March 26, 2008.

regenrecht reported this vulnerability via iDefense.

Impact:   A local user or remote authenticated user can view arbitrary X server memory contents on the target system.
Solution:   The vendor has issued the following patches.

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1377.diff
MD5: 7462bea57623ad7ccdcad334ff5592b3 xorg-xserver-1.4-cve-2008-1377.diff
SHA1: 2b75985081665b8d646b5810d411047c6c150576
xorg-xserver-1.4-cve-2008-1377.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1379.diff
MD5: edb93f202b70eea8f6cb6be39b126e56 xorg-xserver-1.4-cve-2008-1379.diff
SHA1: 1ca8b8417d805e0c233bda4b980cb168ec444abd
xorg-xserver-1.4-cve-2008-1379.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2360.diff
MD5: 7e45c657e587ddb85b36b0ac155ae20c xorg-xserver-1.4-cve-2008-2360.diff
SHA1: 2e8532fe737e702cb18160705cd75daed4141a4c
xorg-xserver-1.4-cve-2008-2360.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2361.diff
MD5: 0841c68a30d458918bd11747cf28bae6 xorg-xserver-1.4-cve-2008-2361.diff
SHA1: 950af2461d0bc5ff5b2b3cc40d517344a77e19f9
xorg-xserver-1.4-cve-2008-2361.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2362.diff
MD5: 7c86b4b6927f1ed6e0f58c04ed984ea5 xorg-xserver-1.4-cve-2008-2362.diff
SHA1: e773f720057785062958d0fa9f29a4cb441883c8
xorg-xserver-1.4-cve-2008-2362.diff

The vendor's advisory is available at:

http://lists.freedesktop.org/archives/xorg/2008-June/036026.html

Vendor URL:  x.org/ (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 12 2008 (Red Hat Issues Fix) X ShmPutImage() Integer Overflow Lets Local Users and Remote Authenticated Users View Arbitrary Memory Contents   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Jun 12 2008 (Red Hat Issues Fix) X ShmPutImage() Integer Overflow Lets Local Users and Remote Authenticated Users View Arbitrary Memory Contents   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Jun 12 2008 (Red Hat Issues Fix for XFree86) X ShmPutImage() Integer Overflow Lets Local Users and Remote Authenticated Users View Arbitrary Memory Contents   (bugzilla@redhat.com)
Red Hat has released a fix for XFree86 on Red Hat Enterprise Linux 3.
Jun 12 2008 (Red Hat Issues Fix for XFree86) X ShmPutImage() Integer Overflow Lets Local Users and Remote Authenticated Users View Arbitrary Memory Contents   (bugzilla@redhat.com)
Red Hat has released a fix for XFree86 on Red Hat Enterprise Linux 2.1.
Jun 13 2008 (Sun Issues Fix) X ShmPutImage() Integer Overflow Lets Local Users and Remote Authenticated Users View Arbitrary Memory Contents
Sun has issued a fix for Solaris 8, 9, and 10 and for OpenSolaris.
Jul 18 2008 (OpenBSD Issues Fix) X ShmPutImage() Integer Overflow Lets Local Users and Remote Authenticated Users View Arbitrary Memory Contents
OpenBSD has issued a fix for OpenBSD 4.2 and 4.3.
Nov 4 2008 (HP Issues Fix) X ShmPutImage() Integer Overflow Lets Local Users and Remote Authenticated Users View Arbitrary Memory Contents
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.



 Source Message Contents

Date:  Wed Jun 11 07:10:26 PDT 2008
Subject:  X.Org security advisory june 2008 - Multiple vulnerabilities in X server extensions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, June 11th, 2008
Multiple vulnerabilities in X server extensions
CVE IDs: CVE-2008-1377, CVE-2008-1379,  CVE-2008-2360, CVE-2008-2361,
~         CVE-2008-2362


Overview

Several vulnerabilities have been found in the server-side code
of some extensions in the X Window System. Improper validation of
client-provided data can cause data corruption.


Impact

Exploiting these overflows will crash the X server or,
under certain circumstances allow the execution of arbitray machine code.

When the X server is running with root privileges (which is the case
for the Xorg server and for most kdrive based servers), these
vulnerabilities can thus also be used to raise privileges.

All these vulnerabilities, to be exploited successfully, require either
an already established connection to a running X server (and normally
running X servers are only accepting authenticated connections), or a
shell access with a valid user on the machine where the vulnerable
server is installed.


Affected versions

All released X.Org versions are vulnerable to these problems. Other
implementations derived from the X11 sample implementation are likely
to be affected too.


Vulnerabilities details

~ * CVE-2008-2360 - RENDER Extension heap buffer overflow

An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
overflow.

On systems where the X  SIGSEGV handler includes a stack trace, more
malloc()-type functions are called, which may lead to other
exploitable issues.

~ * CVE-2008-2361 - RENDER Extension crash

Similarly, an integer overflow may occur in the computation of the
size of the  glyph to be allocated by the ProcRenderCreateCursor()
function  which will cause less memory to be allocated than expected,
leading later to dereferencing  un-mapped memory, causing a crash of
the X server.

~ * CVE-2008-2362 - RENDER Extension memory corruption

Integer overflows can also occur in the code validating the parameters
for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and
SProcRenderCreateConicalGradient functions, leading to memory
corruption by swapping bytes outside of the intended request
parameters.

~ * CVE-2008-1379 - MIT-SHM arbitrary memory read

An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.

~ * CVE-2008-1377 - RECORD and Security extensions memory corruption

Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.


Workarounds

The vulnerabilies described here can be avoided by disabling the
corresponding extensions (at the cost of losing the functionalities
offered by these extensions) in the /etc/X11/xorg.conf configuration
file:


~  Section "Extensions"
	Option "MIT-SHM" "disable"
	Option "RENDER" "disable"
	Option "SECURITY" "disable"
~  EndSection

~  Section "Module"
~       Disable "record"
~  EndSection


Fixes

Fixes for all these vulnerabilities will be included in the next
release of the Xorg xserver package. Patches for earlier versions are
also provided:

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1377.diff
MD5: 7462bea57623ad7ccdcad334ff5592b3  xorg-xserver-1.4-cve-2008-1377.diff
SHA1: 2b75985081665b8d646b5810d411047c6c150576
xorg-xserver-1.4-cve-2008-1377.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1379.diff
MD5: edb93f202b70eea8f6cb6be39b126e56  xorg-xserver-1.4-cve-2008-1379.diff
SHA1: 1ca8b8417d805e0c233bda4b980cb168ec444abd
xorg-xserver-1.4-cve-2008-1379.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2360.diff
MD5: 7e45c657e587ddb85b36b0ac155ae20c  xorg-xserver-1.4-cve-2008-2360.diff
SHA1: 2e8532fe737e702cb18160705cd75daed4141a4c
xorg-xserver-1.4-cve-2008-2360.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2361.diff
MD5: 0841c68a30d458918bd11747cf28bae6  xorg-xserver-1.4-cve-2008-2361.diff
SHA1: 950af2461d0bc5ff5b2b3cc40d517344a77e19f9
xorg-xserver-1.4-cve-2008-2361.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2362.diff
MD5: 7c86b4b6927f1ed6e0f58c04ed984ea5  xorg-xserver-1.4-cve-2008-2362.diff
SHA1: e773f720057785062958d0fa9f29a4cb441883c8
xorg-xserver-1.4-cve-2008-2362.diff


Credits

These vulnerabilities were reported to iDefense by regenrecht.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBSE/c0nKGCS6JWssnAQI7kwP9GxbFef3WsfL/audl9W8lI8+2BVc0yV0h
IXrwgZ/kK0RsJPCxIjWpwwD+CyhvU6P/iw8k/ETJxQpwO1MnPapBW2YROqPqG/Dc
Tt7zuC4tn0wYL0sovnANqj4hOhiiB/0K8lviN/qWJidXt6qF6+wp5hqAx4ffcpmZ
6Etk7Ss/6iM=
=a7tZ
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC