Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0312 -- [UNIX/Linux] Buffer overflow in the Xrender extension of the X.Org server 3 May 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: X.Org server 6.8.0 and later Publisher: X.Org Operating System: UNIX variants (UNIX, Linux, OSX) Impact: Root Compromise Access: Remote/Unauthenticated CVE Names: CVE-2006-1526 Original Bulletin: http://lists.freedesktop.org/archives/xorg/2006-May/015136.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 X.Org security advisory, May 2nd 2006 Buffer overflow in the Xrender extension of the X.Org server CVE-ID: CVE-2006-1526 Overview: A client of the X server using the X render extension is able to send requests that will cause a buffer overflow in the server side of the extension. This overflow can be exploited by an authorized client to execute malicious code inside the X server, which is generally running with root privileges. Vulnerability details: An unfortunate typo ('&' instead of '*' in an expression) causes the code to mis-compute the size of memory allocations in the XRenderCompositeTriStrip and XRenderCompositeTriFan requests. Thus a buffer that may be too small is used to store the parameters of the request. On platforms where the ALLOCATE_LOCAL() macro is using alloca(), this is a stack overflow, on other platforms this is a heap overflow. Affected versions: X.Org 6.8.0 and later versions are vulnerable, as well as all individual releases of the modular xorg-xserver package. To check which version you have, run Xorg -version: % Xorg -version X Window System Version 7.0.0 Release Date: 21 December 2005 X Protocol Version 11, Revision 0, Release 7.0 Fix: Apply the patch below to the source tree for the modular xorg-server source package: 9a9356f86fe2c10985f1008d459fb272 xorg-server-1.0.x-mitri.diff d6eba2bddac69f12f21785ea94397b206727ba93 xorg-server-1.0.x-mitri.diff http://xorg.freedesktop.org/releases/X11R7.0/patches/ For X.Org 6.8.x or 6.9.0, apply one of the patches below: d666925bfe3d76156c399091578579ae x11r6.9.0-mitri.diff 3d9da8bb9b28957c464d28ea194d5df50e2a3e5c x11r6.9.0-mitri.diff http://xorg.freedesktop.org/releases/X11R6.9.0/patches/ d5b46469a65972786b57ed2b010c3eb2 xorg-68x-CVE-2006-1526.patch f764a77a0da4e3af88561805c5c8e28d5c5b3058 xorg-68x-CVE-2006-1526.patch http://xorg.freedesktop.org/releases/X11R6.8.2/patches/ Thanks: We would like to thank Bart Massey who reported the issue. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iQCVAwUBRFdnIXKGCS6JWssnAQJe5gP/cP29g04rwqZil8tYD4bGpjb/cW1tAlyd T47I9qBg8asATow0HROiq8SuoG2B4g07InAZfvbdCERebYpk6lEO2L4os/4bmRW2 qG2n29a8+WfRJ0hiLwVEiLxeMtNTnK/Rh3Qsb2dhTvSWhpnuiji2IzVqVjurwCyu RKDGgq6q/k8= =IA5Z - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRFk3qih9+71yA2DNAQIpgwP/amDPPstYpjv+Ntoy0OyQ5Sw0H6g20akP DgMIKIpAua3IOcH8j2wyappZ4xfNkOhi+o2kKFGwrhxd7vy9donXGsnovgNec2pF CN0j4FD8P51R8EJDaT/FGD+vfgaLFpseTV9Sur6iMVWy8Z4aPH9n7Wk6w6mFhYHe aeS0CJJqufM= =F4Dp -----END PGP SIGNATURE-----