X.Org security advisory, January 9th, 2007
Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103

Overview

The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and ProcRenderAddGlyphs() functions in the X server, implementing requests for the dbe and render extensions, may be used to overwrite data on the stack or in other parts of the X server memory.

Vulnerability details

iDefense Labs security researchers discovered that the expressions computing the parameters for ALLOCATE_LOCAL() in those functions use client-provided values in an expression that is subject to integer overflows, which could lead to memory corruption.

Moreover, since ALLOCATE_LOCAL() is generally implemented using alloca(), these corruptions happen on the stack. And since there is no way for alloca() to return failure, a pointer outside the stack can be returned if the requested size is bigger than the current stack size, leading to potential corruption in other memory segments.

The vulnerable requests are only available to an already authenticated client of the X server.

Affected versions

All X.Org X server versions implementing the X render and dbe extensions are vulnerable. Other X server implementations based on the X11R6 sample implementation are probably vulnerable too.
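
The size computation described under "Vulnerability details", shown as an added example that is not code from this advisory, the patches or the X server: a 32-bit size expression that wraps next to a checked form that rejects the request. The names item_rec, MAX_REQUEST_BYTES, naive_alloc_size(), checked_alloc_size() and handle_request(), the 12-byte record and the 1 MiB cap are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 12-byte per-item record; not an X server structure. */
typedef struct { uint32_t id, width, height; } item_rec;

/* Assumed upper bound on what one request may make the server allocate. */
#define MAX_REQUEST_BYTES (1u << 20)

/* Size expression evaluated in 32 bits: the product wraps silently. */
uint32_t naive_alloc_size(uint32_t n)
{
    return n * (uint32_t)sizeof(item_rec);
}

/* Checked form: 0 and *out on success, -1 on overflow or over the cap. */
int checked_alloc_size(uint32_t n, uint32_t *out)
{
    if (n > UINT32_MAX / sizeof(item_rec))
        return -1;                       /* n * 12 would not fit in 32 bits */
    uint32_t bytes = n * (uint32_t)sizeof(item_rec);
    if (bytes > MAX_REQUEST_BYTES)
        return -1;
    *out = bytes;
    return 0;
}

/* Request handler sketch: validate the count, then allocate on the heap,
 * where failure is reported, instead of alloca(), where it is not. */
int handle_request(uint32_t n)
{
    uint32_t bytes;
    if (checked_alloc_size(n, &bytes) != 0)
        return -1;                       /* reject the request */
    item_rec *items = malloc(bytes ? bytes : 1);
    if (items == NULL)
        return -1;
    memset(items, 0, bytes);             /* n records fit in bytes */
    free(items);
    return 0;
}

int main(void)
{
    uint32_t n = 0x15555556u;            /* constructed count: n * 12 = 2^32 + 8 */
    printf("naive size for n=%u: %u bytes\n", (unsigned)n, (unsigned)naive_alloc_size(n));
    printf("checked handler: %d\n", handle_request(n));
    return 0;
}
```

With the constructed count, the unchecked expression yields an 8-byte buffer for 357913942 records, which is the mismatch between allocation size and later writes that the advisory describes.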

Fix

Apply one of the following patches:

X.Org 6.8.2
http://www.freedesktop.org/releases/X11R6.8.2/patches/
MD5 (xorg-68x-dbe-render.patch) = 05f49f63cd2573a587d16e19bca7912e
SHA1 (xorg-68x-dbe-render.patch) = df289636e51151121ef2924b094cb53a88fe936b

X.Org 6.9.0
http://www.freedesktop.org/releases/X11R6.9.0/patches/
MD5 (x11r6.9.0-dbe-render.diff) = 992f91012c2e2f4c8abdbe8bcdf7b0c4
SHA1 (x11r6.9.0-dbe-render.diff) = 4fdb8f910ac98288745a06a8670dd1faaf5fea38

X.Org 7.0
http://www.freedesktop.org/releases/X11R7.0/patches/
MD5 (xorg-xserver-1.0.1-dbe-render.diff) = 03abf171a5c9258bf6921109803f11ae
SHA1 (xorg-xserver-1.0.1-dbe-render.diff) = 9aff9da694e32006ea69a02c7d9da66243ef4f7d

X.Org 7.1
http://www.freedesktop.org/releases/X11R7.1/patches/
MD5 (xorg-xserver-1.1.0-dbe-render.diff) = f4325ae286e238e0fe8bc2d68b41735c
SHA1 (xorg-xserver-1.1.0-dbe-render.diff) = 2c01ee26bac79d71c9925d2b8bbfbc6b73de9396

X.Org 7.2 RC3
MD5 (xorg-xserver-1.1.99.903-dbe-render.diff) = a27da6ea7917b1871b6ec19d4cb6502f
SHA1 (xorg-xserver-1.1.99.903-dbe-render.diff) = d8bfd192089a8d607c3be4fec002b80f0db1275a

A patch has also been committed to the xserver git repository for the development version of the X server.

Thanks

Sean Larsson of iDefense Labs discovered the vulnerabilities and provided sample code and advice in fixing them.