BID:21968

X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities

Info

X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities

Bugtraq ID:	21968
Class:	Boundary Condition Error
CVE:	CVE-2006-6101 CVE-2006-6102 CVE-2006-6103
Remote:	No
Local:	Yes
Published:	Jan 09 2007 12:00AM
Updated:	Nov 15 2007 12:38AM
Credit:	Sean Larsson of iDefense Labs is credited with discovering these issues.
Vulnerable:	X.org X11R7 7.1 X.org X11R7 7.0 X.org X11R6 6.9 + Mandriva Linux Mandrake 10.2 x86_64 + Mandriva Linux Mandrake 10.2 + Ubuntu Ubuntu Linux 5.0 4 powerpc + Ubuntu Ubuntu Linux 5.0 4 i386 + Ubuntu Ubuntu Linux 5.0 4 amd64 X.org X11R6 6.8.2 + Mandriva Linux Mandrake 10.2 x86_64 + Mandriva Linux Mandrake 10.2 + Ubuntu Ubuntu Linux 5.0 4 powerpc + Ubuntu Ubuntu Linux 5.0 4 i386 + Ubuntu Ubuntu Linux 5.0 4 amd64 Ubuntu Ubuntu Linux 5.10 sparc Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Turbolinux Turbolinux Server 10.0 x86 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 10.0.0 x64 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux FUJI Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Multimedia Turbolinux Home Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 Trustix Operating System Enterprise Server 2.0 TransSoft Broker FTP Server 8.0 SuSE SUSE Linux Enterprise Server 9 SP3 SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SuSE Suse Linux Enterprise Desktop 10 SuSE Linux Desktop 1.0 SuSE Linux 10.1 x86-64 SuSE Linux 10.1 x86 SuSE Linux 10.1 ppc SuSE Linux 10.0 x86-64 SuSE Linux 10.0 x86 SuSE Linux 10.0 ppc Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 10.0_x86 Sun Solaris 10.0 Slackware Linux 10.2 Slackware Linux 11.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SuSE Linux Open-Xchange 4.1 S.u.S.E. openSUSE 10.2 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9 rPath rPath Linux 1 Redhat Fedora Core6 Redhat Fedora Core5 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux WS 3 Redhat Enterprise Linux WS 2.1 Redhat Enterprise Linux ES 3 Redhat Enterprise Linux ES 2.1 Redhat Enterprise Linux AS 4 Redhat Enterprise Linux AS 3 Redhat Enterprise Linux AS 2.1 Redhat Desktop 3.0 Redhat Advanced Workstation for the Itanium Processor 2.1 NetBSD NetBSD 3.0.2 NetBSD NetBSD 3.0.1 NetBSD NetBSD 2.1 NetBSD NetBSD 2.0.3 NetBSD NetBSD 2.0.2 NetBSD NetBSD 2.0.1 NetBSD NetBSD 2.0 NetBSD NetBSD 4.0 BETA2 NetBSD NetBSD 4.0 NetBSD NetBSD 3.1 NetBSD NetBSD 3.1 NetBSD NetBSD 2.1.1 NetBSD NetBSD 2.0.4 Navision Financials Server 3.0 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 HP HP-UX B.11.31 HP HP-UX B.11.23 HP HP-UX B.11.11 Gentoo Linux Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Avaya Messaging Storage Server Avaya Message Networking Avaya Intuity LX Avaya CMS Server 13.0 Avaya CMS Server 12.0 Avaya CMS Server 11.0 Avaya CMS Server 9.0 Avaya CMS Server 13.1

Not Vulnerable:

Discussion

X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities

X.Org is prone to multiple local integer-overflow vulnerabilities.

Attackers can exploit this issue to execute arbitrary code with superuser privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

Exploit / POC

X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities

Currently we are not aware of any exploits for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

Solution / Fix

X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities

Solution:
The vendor released an advisory and fixes to address these issues. Please see the references for more information.

Sun Solaris 10.0

Sun 119059-21
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -119059-21-1

Sun Solaris 8_sparc

Sun 109862-04
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -109862-04-1

Sun 119067-06
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -119067-06-1

X.org X11R7 7.0

X.org X.Org 7.0
http://xorg.freedesktop.org/archive/X11R7.0/patches/

Sun Solaris 10.0_x86

Sun 119060-20
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -119060-20-1

HP HP-UX B.11.23

HP PHSS_36452
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=PHSS_3645 2&sel={hpux:11.23,}&BC=main|search|

HP HP-UX B.11.11

HP PHSS_34389
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=PHSS_3438 9&sel={hpux:11.11,}&BC=main|search|

X.org X11R6 6.8.2

Turbolinux xorg-x11-100dpi-fonts-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-75dpi-fonts-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-contrib-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-cyrillic-fonts-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-devel-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-fonts-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-libs-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-twm-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-xcursor-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-xcursor-devel-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-xf86config-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-xfs-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-xft-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-xft-devel-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux xorg-x11-Xvfb-6.8.2-48.i686.rpm

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

X.org X.Org 6.8.2
http://xorg.freedesktop.org/archive/X11R6.8.2/patches/

X.org X11R6 6.9

X.org X.Org 6.9.0
http://xorg.freedesktop.org/archive/X11R6.9.0/patches/

References

X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities

References:

[DSA 1249-1] New xfree86 packages fix privilege escalation (Debian)
HPSBUX02225 SSRT071295 rev.1 - HP-UX Running Xserver, Local Denial of Service (D (HP)
Multiple Vendor X Server DBE Extension ProcDbeGetVisualInfo Memory Corruption Vu (iDefense)
Multiple Vendor X Server DBE Extension ProcDbeSwapBuffers Memory Corruption Vuln (iDefense)
Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory Corruption (iDefense)
X.Org Home Page (X.Org)
ASA-2007-066 (Avaya)
ASA-2007-074 (Avaya)
Redhat Security Advisory RHSA-2007:0002 XFree86 security update (RedHat)
RHSA-2007:0003-3 xorg-x11 security update (RedHat)
Sun Alert ID: 102803 - Multiple Integer Overflow Vulnerabilities in the X Font S (Sun)
SUSE Security Announcement: XFree86/Xorg (SUSE-SA:2007:008) (SuSE)
X.Org Security Advisory: multiple integer overflows in dbe and render extensions (X.Org)