This week, Gentoo, Mandriva, Red Hat, SUSE, and Ubuntu released security updates to fix problems in the X.Org Foundation's X Server.
According to the security advisory issued by X.Org on May 2nd, Bart Massey reported a buffer overflow vulnerability in the Xrender extension of X.Org's X Server. Several versions are affected, including X.Org X11R6 versions 6.9, 6.8.1, 6.8, and 6.7.0. The problem also affects all individual releases of the modular xorg-server package.
The announcement attributed the problem to a typo: the ampersand (&) operator was used instead of the asterisk (*) operator in an expression. According to Bart Massey, who originally discovered the flaw, when running rendertest from XCB xcb/xcb-demo, the server crashes part way through the process. The programming error causes the code to incorrectly calculate the size of the memory allocations for XRenderCompositeTriFan requests. Consequently, the buffer may not be large enough to store the parameters of a request.
The problem manifests itself in two ways, depending on the platform. When the ALLOCATE_LOCAL() macro uses alloca(), the condition causes a stack overflow vulnerability. On all other platforms, the condition causes a heap overflow vulnerability.
When an X Server client uses the X render extension, it sends requests that cause a buffer overflow in the server side of the extension. A malicious local user could exploit the problem to execute malicious code inside the X Server. Since the X Server usually runs with root privileges, the attacker could escalate privileges and gain access to root.
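To make the size miscalculation concrete, here is an added illustration (not X.Org's code; the struct layouts and helper names are constructed stand-ins) of how a bitwise AND in place of a multiply shrinks the per-request allocation, alongside the multiply-with-overflow-guard a hardened handler would use:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified stand-ins for the protocol structs (constructed here). */
typedef struct { int32_t x, y; } xPointFixed;          /* 8 bytes  */
typedef struct { xPointFixed p1, p2, p3; } xTriangle;   /* 24 bytes */

/* The typo: a bitwise AND where a multiply was meant. For most ntri
 * this yields 0 or a handful of bytes, never ntri * 24. */
static size_t tri_alloc_size_buggy(size_t ntri)
{
    return ntri & sizeof(xTriangle);
}

/* Corrected: multiply, and refuse sizes that would wrap around. */
static size_t tri_alloc_size_fixed(size_t ntri)
{
    if (ntri > SIZE_MAX / sizeof(xTriangle))
        return 0;                      /* caller maps 0 to a BadLength error */
    return ntri * sizeof(xTriangle);
}

/* A TriFan with npoint points describes npoint - 2 triangles.
 * Returns 0 and the byte count the server must reserve, or -1 on a
 * malformed request (too few points or an overflowing size). */
static int trifan_needed_bytes(size_t npoint, size_t *out)
{
    if (npoint < 3)
        return -1;
    *out = tri_alloc_size_fixed(npoint - 2);
    return *out == 0 ? -1 : 0;
}

/* 1 if the typo'd size is smaller than what the request really needs,
 * i.e. the server would write past the end of its buffer. */
static int buggy_size_undersized(size_t npoint)
{
    size_t need;
    if (trifan_needed_bytes(npoint, &need) != 0)
        return 0;
    return tri_alloc_size_buggy(npoint - 2) < need;
}

int main(void)
{
    for (size_t n = 3; n <= 8; n++)
        printf("npoint=%zu  buggy=%zu bytes  fixed=%zu bytes\n",
               n, tri_alloc_size_buggy(n - 2), tri_alloc_size_fixed(n - 2));
    return 0;
}
```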
Earlier this year, researchers also found another security vulnerability in the X.Org server. That problem affected xorg-server version 1.0.0 and later, as well as versions X11R6.9.0 and X11R7.0. According to the original security advisory issued on March 20, X.Org's security team discovered the problem while using Coverity's Prevent code audit tool during a code review.
The earlier problem was the result of a flaw in the way the server parses maliciously crafted arguments passed via the -modulepath command line option. Under normal circumstances, the server checks that only users with root privileges can pass the options -modulepath (where modules providing server functionality load from) and -logfile (which determines the location of the logfile). To change the locations given by the -modulepath and -logfile options, users must hold the proper access privileges.
However, when testing the effective UID and the real UID in X.Org, researchers found that the address of the geteuid function is tested, rather than the result of calling the function. Consequently, since the address of geteuid() is always non-zero, a local user without the proper credentials can load modules from any location on the filesystem. Those modules could load with the privileges of the root user, or the server log could overwrite critical system files.
A malicious local user could exploit the problem by creating special arguments and passing them to the -modulepath command line option. Consequently, the user could bypass security controls to load arbitrary modules, overwrite system files, or execute malicious commands with the privileges of the root user.
If you run X.org's X Server on affected distributions, please be sure to check the advisories and patch your systems.
Vulnerabilities affecting several packages
Package: clamav -- vulnerability
May 2, 2005
A security vulnerability in ClamAV was discovered by Ulf Härnhammar and a researcher from Germany who prefers anonymity. The vulnerability is located in the protocol code of freshclam, a program that downloads and installs antivirus updates for the antivirus scanner. An attacker could exploit the problem to cause a Denial of Service or execute arbitrary code.
Package: xserver -- buffer overflow
May 2, 2006
X.Org's implementation of the X Windows System contains a buffer overflow vulnerability in the XRender extension. An attacker could exploit the problem to force the X Server to execute arbitrary code and escalate access privileges.
Package: thunderbird -- multiple vulnerabilities
CVE: CVE-2006-0292, CVE-2006-0296, CVE-2006-0748, CVE-2006-0749, CVE-2006-0884, CVE-2006-1045, CVE-2006-1724, CVE-2006-1727, CVE-2006-1728, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1741, CVE-2006-1742, CVE-2006-1790
May 3, 2006
Debian and Ubuntu issued updates to address multiple vulnerabilities in Mozilla's Thunderbird email client. An attacker could exploit the vulnerabilities by creating malicious email messages in order to steal files and execute arbitrary code with the permissions of the targeted user. The update also fixes two bugs that can cause Thunderbird to crash.
Ubuntu: mozilla -- multiple vulnerabilities
CVE: CVE-2006-0749, CVE-2006-1724, CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742
May 3, 2006
- Modify the content of another Web page in order to steal sensitive data or conduct cross-site scripting (XSS) attacks.
- Execute arbitrary code with the privileges of the user operating Firefox.
- Spoof a secure site when the browser is configured to display a secure site dialog warning.
- Trick users into filling out a form on a malicious Web page in order to obtain arbitrary files from the victim's computer.
Ethereal issued updates for several critical security vulnerabilities, including multiple buffer overflow vulnerabilities and potential Denial of Service vulnerabilities.
Vulnerabilities listed by distribution
Debian: resmgr -- programming error
April 30, 2006
resmgr, a resource manager library daemon and PAM module, incorrectly handles access to USB devices which use the usb;<bus>,<dev> notation. A malicious local user could exploit the vulnerability to bypass access rules and open any USB device, even though access was supposed to have been granted to only one USB device.
Debian: asterisk -- multiple vulnerabilities
May 1, 2006
The Asterisk telephone control center contains several security vulnerabilities. Adam Pointon found that an attacker could retrieve recorded phone messages for a different extension by exploiting a directory traversal vulnerability in vmail.cgi. According to Emmanouel Kellinis, an integer signedness error can cause a buffer overflow vulnerability. An attacker could exploit the problems to execute arbitrary code.
Gentoo: mplayer -- heap-based buffer overflow
May 2, 2006
The Xfocus Team reported multiple integer overflows in Mplayer, a multimedia player. The multiple integer overflows could trigger a heap-based buffer overflow under certain conditions. An attacker could craft malformed ASF files or malicious AVI files to execute arbitrary code with the privileges of the user running the application.
Gentoo: phpwebsite -- directory traversal vulnerability
May 3, 2006
Rgod discovered a vulnerability in phpWebSite, a content management system. According to the report, there is a directory traversal vulnerability in the loadConfig function in index.php. When magic_quotes_gpc is disabled, a remote attacker can exploit the problem to include and execute arbitrary PHP scripts from local resources with the rights of the targeted user. The attacker could also gain access to sensitive information and escalate access rights to further compromise the system.
Red Hat: dia -- buffer overflow
May 2, 2006
Red Hat issued an update addressing a buffer overflow vulnerability in the XFig file import plugin in Dia. The problem was discovered by infamous41md. An attacker could exploit the security hole, using a specially crafted file, to execute arbitrary code with the rights of the user running Dia.
Red Hat: squirrelmail -- multiple vulnerabilities
May 2, 2005
The popular Web-based email system, SquirrelMail, is vulnerable to several problems:
- According to Martijn Brinkers and Ben Maurer, webmail.php does not correctly validate the right_main parameter, and is vulnerable to an attack which could cause a user's browser to run malicious scripting code.
- Martijn Brinkers and Scott Hughes discovered an interpretation conflict in the MagicHTML filter. Remote attackers conducting cross-site scripting (XSS) attacks could exploit the flaw.
- Vicente Aguilera of Internet Security Auditors, S.L. discovered a CRLF injection vulnerability. When processing the sqimap_mailbox_select mailbox parameter, an input validation error could be exploited by a malicious attacker to inject arbitrary IMAP commands.
Ubuntu: libtiff -- vulnerability
May 3, 2006
Ubuntu issued an update for libtiff4 because a remote attacker could exploit several vulnerabilities with a specially crafted TIFF image. The malicious file could cause the following:
- Errors in the TIFFFetchAnyArray() function in tif_dirread.c.
- Errors in certain "codec cleanup methods" in tif_lzw.c, tif_pixarlog.c, and tif_zip.c.
- Improper restoration of getfield methods in cleanup functions within tif_jpeg.c, tif_pixarlog.c, tif_fax3.c, and tif_zip.c.
Ubuntu: gdm -- programming error
May 2, 2006
The GNOME Display Manager contains a race condition that was discovered by Marcus Meissner. The error occurs when GDM handles the ~/.ICEauthority file permissions. A local attacker could exploit the problem in order to launch arbitrary files and execute arbitrary commands with the permissions of the root user.
Ubuntu: kernel update -- multiple vulnerabilities
May 4, 2006
Ubuntu issued a kernel update, advising users to upgrade the affected package to version 2.6.10-34.17 (for Ubuntu 5.04) or 2.6.12-10.32 (for Ubuntu 5.10). As always, Ubuntu's security team advises users to reboot their computer to ensure proper system updates.