INFORMATION BULLETIN

S-325: xorg-server Vulnerabilities

[Debian Security Advisory DSA-1595-1]

June 19, 2008 16:00 GMT


PROBLEM:	Several local vulnerabilities have been discovered in the X Window system, this could lead to a partial memory corruption and disclosure.
PLATFORM:	Debian GNU/Linux 4.0 (etch)
DAMAGE:	Partial memory corruption and disclosure.
SOLUTION:	Upgrade to the appropiate version.

VULNERABILITY ASSESSMENT:	The risk is LOW. This could lead to a partial memory corruption and disclosure.

CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR:	6.4 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:P/E:POC/RL:OF/RC:C)

LINKS:
CIAC BULLETIN:	http://www.ciac.org/ciac/bulletins/s-325.shtml
ORIGINAL BULLETIN:	http://www.debian.org/security/2008/dsa-1595
CVE:	CVE-2008-1377 CVE-2008-1379 CVE-2008-2360 CVE-2008-2361 CVE-2008-2362

[***** Start Debian Security Advisory DSA-1595-1 *****]

Debian Security Advisory

DSA-1595-1 xorg-server -- several vulnerabilities

Date Reported:

11 Jun 2008

Affected Packages:

xorg-server

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362.

More information:

Several local vulnerabilities have been discovered in the X Window system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-1377
Lack of validation of the parameters of the SProcSecurityGenerateAuthorization and SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption.
CVE-2008-1379
An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space.
CVE-2008-2360
An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow.
CVE-2008-2361
An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server.
CVE-2008-2362
Integer overflows can also occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters.

For the stable distribution (etch), these problems have been fixed in version 2:1.1.1-21etch5.

For the unstable distribution (sid), these problems have been fixed in version 2:1.4.1~git20080517-2.

We recommend that you upgrade your xorg-server package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/x/xorg-server/xorg-server_1.1.1.orig.tar.gz; http://security.debian.org/pool/updates/main/x/xorg-server/xorg-server_1.1.1-21etch5.diff.gz; http://security.debian.org/pool/updates/main/x/xorg-server/xorg-server_1.1.1-21etch5.dsc
Alpha:: http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_alpha.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_alpha.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_alpha.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_alpha.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_alpha.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_alpha.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_amd64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_amd64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_amd64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_amd64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_amd64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_amd64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_arm.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_arm.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_arm.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_arm.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_arm.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_arm.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_hppa.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_hppa.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_hppa.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_hppa.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_hppa.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_hppa.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_i386.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_i386.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_i386.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_i386.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_i386.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_i386.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_ia64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_ia64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_ia64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_ia64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_ia64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_ia64.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_mips.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_mips.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_mips.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_mips.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_mips.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_mips.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_mipsel.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_mipsel.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_mipsel.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_mipsel.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_mipsel.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_mipsel.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_powerpc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_powerpc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_powerpc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_powerpc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_powerpc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_powerpc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_s390.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_s390.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_s390.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_s390.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_s390.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_s390.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_sparc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_sparc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_sparc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_sparc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_sparc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_sparc.deb; http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_sparc.deb

MD5 checksums of the listed files are available in the original advisory.


[***** End Debian Security Advisory DSA-1595-1 *****]

CIAC wishes to acknowledge the contributions of Debian for the information contained in this bulletin.

DOE-CIRC can be contacted at:

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/