Several holes closed in X.org's X server
The developers of X.org, the X Windows implementation, have released version 1.4.2 of its X server, which closes five security holes. A user logged on to a system can exploit these holes to crash the X server or elevate their access privileges on the system. Since X servers usually run with root privileges, a successful attacker gains full access to the system. If the vulnerable X server also allows access via the internet, the vulnerabilities can be exploited remotely.
The problems stem from three integer overflows in the RENDER extension, one of which can be exploited to create a heap overflow. A memory error occurs as a result of specially crafted requests to the RECORD and SECURITY extensions. A further integer overflow in the MIT shared memory extension makes it possible to read arbitrary parts of the X server memory. According to the security advisory, all versions prior to 1.4.2 are affected, although many users may not even have activated the affected extensions on their systems. As an alternative to the update, the developers recommend simply deactivating the vulnerable extensions where possible. To do this, change the entries in /etc/X11/xorg.conf as follows:
Section "Extensions"
    Option "MIT-SHM" "disable"
    Option "RENDER" "disable"
    Option "SECURITY" "disable"
EndSection
Section "Module"
    Disable "record"
EndSection
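To confirm that a given xorg.conf actually carries all four entries, the following check parses the file and reports which of them are not disabled. It is an added example, not code from X.org or the advisory; the function names, the constructed sample and the assumption that `#` starts a comment are illustrative.

```python
import re
import sys

# Mitigation entries listed in the article, as (section, name) pairs.
REQUIRED = {("extensions", "MIT-SHM"), ("extensions", "RENDER"),
            ("extensions", "SECURITY"), ("module", "record")}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample: RENDER left enabled, the record line commented out.
SAMPLE_PARTIAL = '''
Section "Extensions"
    Option "MIT-SHM" "disable"
    Option "RENDER" "enable"
    Option "SECURITY" "disable"
EndSection
Section "Module"
    # Disable "record"
    Load "record"
EndSection
'''

def disabled_entries(text):
    """Return the (section, name) pairs that the configuration disables."""
    found, section = set(), None
    for raw in text.splitlines():
        # Assumption: '#' starts a comment that runs to the end of the line.
        tok = [q or w for q, w in TOKEN.findall(raw.split("#", 1)[0])]
        if not tok:
            continue
        kw = tok[0].lower()
        if kw == "section" and len(tok) > 1:
            section = tok[1].lower()
        elif kw == "endsection":
            section = None
        elif section == "extensions" and kw == "option" and len(tok) > 2:
            if tok[2].lower() == "disable":
                found.add((section, tok[1].upper()))
        elif section == "module" and kw == "disable" and len(tok) > 1:
            found.add((section, tok[1].lower()))
    return found

def missing_mitigations(text):
    """Return the article's entries that the configuration does not disable."""
    return sorted(REQUIRED - disabled_entries(text))

if __name__ == "__main__":
    # Pass a path such as /etc/X11/xorg.conf, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PARTIAL
    for section, name in missing_mitigations(text):
        print(f'not disabled: {name} (Section "{section}")')
```

The check reads the configuration file only; it does not query the running server, which keeps its old settings until it is restarted.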
Along with the update, patches are also available for download. Linux distributors and vendors of other operating systems are also expected to deliver updated packages soon.
See also:
- X.Org security advisory June 2008 - Multiple vulnerabilities in X server extensions, X.org security advisory
- Multiple Vendor X Server Render Extension AllocateGlyph() Integer Overflow Vulnerability, iDefense public advisory
- Multiple Vendor X Server Render Extension ProcRenderCreateCursor() Integer Overflow Vulnerability, iDefense public advisory
- Multiple Vendor X Server Render Extension Gradient Creation Integer Overflow Vulnerability, iDefense public advisory
- Multiple Vendor X Server Record and Security Extensions Multiple Memory Corruption Vulnerabilities, iDefense public advisory
- Multiple Vendor X Server MIT-SHM Extension Information Disclosure Vulnerability, iDefense public advisory
(trk)