Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0312 -- [UNIX/Linux]
Buffer overflow in the Xrender extension of the X.Org server
3 May 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: X.Org server 6.8.0 and later
Publisher: X.Org
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact: Root Compromise
Access: Remote/Unauthenticated
CVE Names: CVE-2006-1526
Original Bulletin:
http://lists.freedesktop.org/archives/xorg/2006-May/015136.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
X.Org security advisory, May 2nd 2006
Buffer overflow in the Xrender extension of the X.Org server
CVE-ID: CVE-2006-1526
Overview:
A client of the X server using the X render extension is able to
send requests that will cause a buffer overflow in the server side of
the extension.
This overflow can be exploited by an authorized client to execute
malicious code inside the X server, which is generally running with
root privileges.
Vulnerability details:
An unfortunate typo ('&' instead of '*' in an expression) causes the
code to mis-compute the size of memory allocations in the
XRenderCompositeTriStrip and XRenderCompositeTriFan requests. Thus a
buffer that may be too small is used to store the parameters of the
request. On platforms where the ALLOCATE_LOCAL() macro is using
alloca(), this is a stack overflow, on other platforms this is a heap
overflow.
Affected versions:
X.Org 6.8.0 and later versions are vulnerable, as well as all individual
releases of the modular xorg-xserver package.
To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
Fix:
Apply the patch below to the source tree for the modular xorg-server
source package:
9a9356f86fe2c10985f1008d459fb272 xorg-server-1.0.x-mitri.diff
d6eba2bddac69f12f21785ea94397b206727ba93 xorg-server-1.0.x-mitri.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/
For X.Org 6.8.x or 6.9.0, apply one of the patches below:
d666925bfe3d76156c399091578579ae x11r6.9.0-mitri.diff
3d9da8bb9b28957c464d28ea194d5df50e2a3e5c x11r6.9.0-mitri.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/
d5b46469a65972786b57ed2b010c3eb2 xorg-68x-CVE-2006-1526.patch
f764a77a0da4e3af88561805c5c8e28d5c5b3058 xorg-68x-CVE-2006-1526.patch
http://xorg.freedesktop.org/releases/X11R6.8.2/patches/
Thanks:
We would like to thank Bart Massey who reported the issue.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iQCVAwUBRFdnIXKGCS6JWssnAQJe5gP/cP29g04rwqZil8tYD4bGpjb/cW1tAlyd
T47I9qBg8asATow0HROiq8SuoG2B4g07InAZfvbdCERebYpk6lEO2L4os/4bmRW2
qG2n29a8+WfRJ0hiLwVEiLxeMtNTnK/Rh3Qsb2dhTvSWhpnuiji2IzVqVjurwCyu
RKDGgq6q/k8=
=IA5Z
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRFk3qih9+71yA2DNAQIpgwP/amDPPstYpjv+Ntoy0OyQ5Sw0H6g20akP
DgMIKIpAua3IOcH8j2wyappZ4xfNkOhi+o2kKFGwrhxd7vy9donXGsnovgNec2pF
CN0j4FD8P51R8EJDaT/FGD+vfgaLFpseTV9Sur6iMVWy8Z4aPH9n7Wk6w6mFhYHe
aeS0CJJqufM=
=F4Dp
-----END PGP SIGNATURE-----