[Security Announce] [ MDKSA-2007:079-1 ] - Updated xorg-x11/XFree86 packages fix integer overflow vulnerabilities
Posted on: 04/11/2007 10:25 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:079-1
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xorg-x11
Date : April 11, 2007
Affected: 2007.1
_______________________________________________________________________

Problem Description:

Local exploitation of a memory corruption vulnerability in the X.Org
and XFree86 X server could allow an attacker to execute arbitrary
code with privileges of the X server, typically root.

The vulnerability exists in the ProcXCMiscGetXIDList() function in the
XC-MISC extension. This request is used to determine what resource IDs
are available for use. This function contains two vulnerabilities,
both result in memory corruption of either the stack or heap. The
ALLOCATE_LOCAL() macro used by this function allocates memory on the
stack using alloca() on systems where alloca() is present, or using
the heap otherwise. The handler function takes a user provided value,
multiplies it, and then passes it to the above macro. This results in
both an integer overflow vulnerability, and an alloca() stack pointer
shifting vulnerability. Both can be exploited to execute arbitrary
code. (CVE-2007-1003)

iDefense reported two integer overflows in the way X.org handled
various font files. A malicious local user could exploit these issues
to potentially execute arbitrary code with the privileges of the
X.org server. (CVE-2007-1351, CVE-2007-1352)

Multiple integer overflows in (1) the XGetPixel function in ImUtil.c
in x.org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for
ImageMagick, allow user-assisted remote attackers to cause a denial
of service (crash) or information leak via crafted images with large
or negative values that trigger a buffer overflow. (CVE-2007-1667)

Updated packages are patched to address these issues.

Update:

Packages for Mandriva Linux 2007.1 are now available.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.1:
094834b9cec06d41814fcfbb4826a1b4 2007.1/i586/libx11-common-1.1.1-2.1mdv2007.1.i586.rpm
60ba6ee2def612bab83b056aa9143c28 2007.1/i586/libx11_6-1.1.1-2.1mdv2007.1.i586.rpm
83832a8b9a359f0199bf0b58024bcc93 2007.1/i586/libx11_6-devel-1.1.1-2.1mdv2007.1.i586.rpm
e7f0426150c15b701dca49a131d4f911 2007.1/i586/libx11_6-static-devel-1.1.1-2.1mdv2007.1.i586.rpm
4d737b55208b15a17076ea417fef6e83 2007.1/i586/libxfont1-1.2.7-1.1mdv2007.1.i586.rpm
28b347acb8851ef8cdc9b8b61ffb669b 2007.1/i586/libxfont1-devel-1.2.7-1.1mdv2007.1.i586.rpm
aa2e50b1ee6967c2ed3bb8c6dc64c84b 2007.1/i586/libxfont1-static-devel-1.2.7-1.1mdv2007.1.i586.rpm
530b51e76f6b9a0df342719a8b9ddb99 2007.1/i586/x11-server-1.2.0-8.1mdv2007.1.i586.rpm
9d717cb5fab234a4c76a4a0811bf4638 2007.1/i586/x11-server-common-1.2.0-8.1mdv2007.1.i586.rpm
5a47c5a19827c3e820b02c2db7796659 2007.1/i586/x11-server-devel-1.2.0-8.1mdv2007.1.i586.rpm
76a33d69862b1c457a2cec21a37b51d8 2007.1/i586/x11-server-xati-1.2.0-8.1mdv2007.1.i586.rpm
880f19417b5379635ddb6c5f2e612971 2007.1/i586/x11-server-xchips-1.2.0-8.1mdv2007.1.i586.rpm
dc8db2e2fa639a5e5590a9301590e58a 2007.1/i586/x11-server-xdmx-1.2.0-8.1mdv2007.1.i586.rpm
b71ce20ae5de448b2e54d6458df98526 2007.1/i586/x11-server-xephyr-1.2.0-8.1mdv2007.1.i586.rpm
fed1ade3cb4ca74c6362837618a5452c 2007.1/i586/x11-server-xepson-1.2.0-8.1mdv2007.1.i586.rpm
9e3f8d012b49126ee4b217dd24521f29 2007.1/i586/x11-server-xfake-1.2.0-8.1mdv2007.1.i586.rpm
15adb208aac159c1575a3ddd77ffbaee 2007.1/i586/x11-server-xfbdev-1.2.0-8.1mdv2007.1.i586.rpm
37b8f6fdbfca1dc9192758dabd9b5adc 2007.1/i586/x11-server-xgl-0.0.1-0.20070105.4.1mdv2007.1.i586.rpm
f8a04c4056025562b4e280a09c5c8577 2007.1/i586/x11-server-xi810-1.2.0-8.1mdv2007.1.i586.rpm
ce53fc038ab1f432b216d4057e53057d 2007.1/i586/x11-server-xmach64-1.2.0-8.1mdv2007.1.i586.rpm
a6fe363ba43b509661709a3c9245ba8c 2007.1/i586/x11-server-xmga-1.2.0-8.1mdv2007.1.i586.rpm
d95d4a1b0b7e9bdee00f7cf90e934a39 2007.1/i586/x11-server-xneomagic-1.2.0-8.1mdv2007.1.i586.rpm
7718f0eabcc0b212012ffb0e5c8e6a26 2007.1/i586/x11-server-xnest-1.2.0-8.1mdv2007.1.i586.rpm
5c06fbc05c7ea8abfdb4ecdeb2ce2d75 2007.1/i586/x11-server-xnvidia-1.2.0-8.1mdv2007.1.i586.rpm
aa416e9d9cc207be2c801c4570d43015 2007.1/i586/x11-server-xorg-1.2.0-8.1mdv2007.1.i586.rpm
9076d8da47cfa869a84896cd26722ecc 2007.1/i586/x11-server-xpm2-1.2.0-8.1mdv2007.1.i586.rpm
b6c9e9c76bfb9ad237fff6b4c2ce2e04 2007.1/i586/x11-server-xprt-1.2.0-8.1mdv2007.1.i586.rpm
dcaf5905ffdd594ac3b97aa1b94baae6 2007.1/i586/x11-server-xr128-1.2.0-8.1mdv2007.1.i586.rpm
770630c3643c095ba99d8fbd838bf148 2007.1/i586/x11-server-xsdl-1.2.0-8.1mdv2007.1.i586.rpm
57c93b2b5f8e289063dc5bd678a15e17 2007.1/i586/x11-server-xsmi-1.2.0-8.1mdv2007.1.i586.rpm
8e26db22cbba03a68962ecaa7f0f40d0 2007.1/i586/x11-server-xvesa-1.2.0-8.1mdv2007.1.i586.rpm
caa3a31e61065af8dd25b8f115657910 2007.1/i586/x11-server-xvfb-1.2.0-8.1mdv2007.1.i586.rpm
f5baee2c239e4b9d5f5c1e0d0ae64ddd 2007.1/i586/x11-server-xvia-1.2.0-8.1mdv2007.1.i586.rpm
1be993d23f79ba6356b7dfcb0dd36b44 2007.1/i586/x11-server-xvnc-1.2.0-8.1mdv2007.1.i586.rpm
aeba38426c094f892a8db7c56ed8c301 2007.1/SRPMS/libx11-1.1.1-2.1mdv2007.1.src.rpm
0e7061bca9907c2b0eca9dacdab4403c 2007.1/SRPMS/libxfont-1.2.7-1.1mdv2007.1.src.rpm
4f8be7e1843b036a3368f13d4d6a964b 2007.1/SRPMS/x11-server-1.2.0-8.1mdv2007.1.src.rpm
3771f05b9e14a04e41905e6d145d0c41 2007.1/SRPMS/x11-server-xgl-0.0.1-0.20070105.4.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
a8e9b831949d99880f61e496fcda81fa 2007.1/x86_64/lib64x11_6-1.1.1-2.1mdv2007.1.x86_64.rpm
8a2cdcf52cb086a7ec479585f4615aff 2007.1/x86_64/lib64x11_6-devel-1.1.1-2.1mdv2007.1.x86_64.rpm
9a3f679f360cf576598f3bd2058b441c 2007.1/x86_64/lib64x11_6-static-devel-1.1.1-2.1mdv2007.1.x86_64.rpm
38588291d4baf93d53f2cacfc91470fc 2007.1/x86_64/lib64xfont1-1.2.7-1.1mdv2007.1.x86_64.rpm
08a34ff0e3a6a6c25beaef8b5f4d6dbf 2007.1/x86_64/lib64xfont1-devel-1.2.7-1.1mdv2007.1.x86_64.rpm
0709d442ee2fdc7134abb5d1a71afab1 2007.1/x86_64/lib64xfont1-static-devel-1.2.7-1.1mdv2007.1.x86_64.rpm
ee41dd9b5381466727456905d4c2b29a 2007.1/x86_64/libx11-common-1.1.1-2.1mdv2007.1.x86_64.rpm
99fdfc64834e47ed1efc35796f1da887 2007.1/x86_64/x11-server-1.2.0-8.1mdv2007.1.x86_64.rpm
47570e6070fc356fe3213d5787990a1c 2007.1/x86_64/x11-server-common-1.2.0-8.1mdv2007.1.x86_64.rpm
deb1c9a780b5789f71c7b3bc23c24f2c 2007.1/x86_64/x11-server-devel-1.2.0-8.1mdv2007.1.x86_64.rpm
21d5e1148cc503e47a135fad2cf10257 2007.1/x86_64/x11-server-xdmx-1.2.0-8.1mdv2007.1.x86_64.rpm
500a8bb735d0cdda28044f85d436ea64 2007.1/x86_64/x11-server-xephyr-1.2.0-8.1mdv2007.1.x86_64.rpm
b7a993ad6689524f5328861f1415af4a 2007.1/x86_64/x11-server-xfake-1.2.0-8.1mdv2007.1.x86_64.rpm
bbcf31887871cb70d78b6c8c45bd236a 2007.1/x86_64/x11-server-xfbdev-1.2.0-8.1mdv2007.1.x86_64.rpm
03627273fc38f69659e62dff615e8dee 2007.1/x86_64/x11-server-xgl-0.0.1-0.20070105.4.1mdv2007.1.x86_64.rpm
f393ec9760d243e1171a7ad38d0ed70d 2007.1/x86_64/x11-server-xnest-1.2.0-8.1mdv2007.1.x86_64.rpm
95aeec7bb4cf44b44ae9c7ae8f020c6f 2007.1/x86_64/x11-server-xorg-1.2.0-8.1mdv2007.1.x86_64.rpm
00e692ed014b06e59922e12d8de52e16 2007.1/x86_64/x11-server-xprt-1.2.0-8.1mdv2007.1.x86_64.rpm
c0d22ee28f8e7fd394cf6e9cdcd7a876 2007.1/x86_64/x11-server-xsdl-1.2.0-8.1mdv2007.1.x86_64.rpm
d6f33606ca00eb807db566dab93830f5 2007.1/x86_64/x11-server-xvfb-1.2.0-8.1mdv2007.1.x86_64.rpm
e35758ceb44dddd8e368d0535ad03c49 2007.1/x86_64/x11-server-xvnc-1.2.0-8.1mdv2007.1.x86_64.rpm
aeba38426c094f892a8db7c56ed8c301 2007.1/SRPMS/libx11-1.1.1-2.1mdv2007.1.src.rpm
0e7061bca9907c2b0eca9dacdab4403c 2007.1/SRPMS/libxfont-1.2.7-1.1mdv2007.1.src.rpm
4f8be7e1843b036a3368f13d4d6a964b 2007.1/SRPMS/x11-server-1.2.0-8.1mdv2007.1.src.rpm
3771f05b9e14a04e41905e6d145d0c41 2007.1/SRPMS/x11-server-xgl-0.0.1-0.20070105.4.1mdv2007.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGHQammqjQ0CJFipgRAqaQAKCdjtSCGHIqRkCEZDq51Ybn/Tn6gwCg9H8G
JjBWGCkfa5AOJa5EdSZ4h0Y=
=Xwtx
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007079_1__updated_xorg_x11xfree86_packages_fix_integer_overflow_vulnerabilities.html)