http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
CAN-2005-2495:
This issue seems to affect both XFree86 and X.Org versions of X. Many
Linux distros have now begun to patch. Debian's advisory is really
unclear, as they seem to imply that only versions *before* XFree86 4.30
are affected. Checking out some of the links and advisories from the
other distros, I find this Slackware one, which implies current X.Org
is affected:
Tue Sep 13 02:15:06 PDT 2005
x/x11-6.8.2-i486-3.tgz: Patched an integer overflow in the X server pixmap
memory allocation that could potentially allow any X user to execute
arbitrary code with root privileges.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
(* Security fix *)
x/x11-devel-6.8.2-i486-3.tgz: Recompiled.
x/x11-docs-6.8.2-noarch-3.tgz: Rebuilt.
(*snip*)
At http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495 -->
Name CAN-2005-2495 (under review)
Description:
Multiple integer overflows in XFree86 before 4.3.0
^^^^^^^^^^^^^^^^^^^^
allow user-complicit attackers to execute arbitrary
code via a crafted pixmap image.
References
* GENTOO:GLSA-200509-07
* URL:http://www.gentoo.org/security/en/glsa/glsa-200509-07.xml
* MANDRAKE:MDKSA-2005:164
* URL:http://www.mandriva.com/security/advisories?name=MDKSA-2005:164
* REDHAT:RHSA-2005:501
* URL:http://www.redhat.com/support/errata/RHSA-2005-501.html
* TRUSTIX:2005-0049
* URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112690609622266&w=2
So all of us using XFree86's binaries for linux at version 4.5.0 should
be OK, right? Well...
Mandriva Security Advisories
Package name XFree86
Date September 13th, 2005
Advisory ID MDKSA-2005:164
Affected versions 10.0, 10.1, CS2.1, CS3.0, 10.2
Synopsis Updated XFree86/x.org packages fix vulnerability
Problem Description
A vulnerability was discovered in the pixmap allocation handling of the X
server that can lead to local privilege escalation. By allocating a huge
pixmap, a local user could trigger an integer overflow that resulted in a
memory allocation that was too small for the requested pixmap, leading to
a buffer overflow which could then be exploited to execute arbitrary code
with full root privileges.
The updated packages have been patched to address these issues.
Updated Packages
Mandrakelinux 10.0
a22ae2b3b2cc019d7769a29fb8d15104 10.0/RPMS/libxfree86-4.3-32.5.100mdk.i586.rpm
d13d37d18a49addab3b0a2d0531499da 10.0/RPMS/libxfree86-devel-4.3-32.5.100mdk.i586.rpm
09b8bbc447d39afb1cd67ca808c3c409 10.0/RPMS/libxfree86-static-devel-4.3-32.5.100mdk.i586.rpm
739c0d36b7de1927718087e6b58107a3 10.0/RPMS/X11R6-contrib-4.3-32.5.100mdk.i586.rpm
8fbce53ac64d76dd1f3c01c1697a37f7 10.0/RPMS/XFree86-100dpi-fonts-4.3-32.5.100mdk.i586.rpm
(*snip*)
So are XFree86's version 4.5.0 binaries off their web/ftp servers affected
or not? It would appear that only versions before 4.3.0 of XFree86 are, but then
why would Slackware Linux and Mandrake be going so far as to replace
current X.Org stuff?
To put it another way, why are these Linux distros issuing
advisories for their current X.Org stuff when it seems only super old
XFree86 versions are affected? 4.3.0 is 2 whole versions behind 4.5.0.
But then, on http://www.x.org/ :
"This advisory affects all known versions and releases of the X Window
System whether from X.Org or other vendors. Therefore users are strongly
recommended to upgrade."
Only one problem, there doesn't seem to BE a security upgrade for XFree86.
Where does this leave users of current XFree86? As the issue and its fix
seem to deal with Xserver source code, that would likely mean at least
downloading a full source of X11 and re-making the Xserver target (if it
was implemented this way, e.g., is able to just build one part instead of
having to do a full rebuild, such as "make xserver" instead of "make all").
I'm not looking forward to patching and rebuilding a complete X11; one of
my machines has room, the other doesn't, which will mean an NFS/SMBFS build
over the network on a PII (glibc 2.3.5 took 17 hours to compile like this,
to give an idea of what it's like).
In summary, can users expect fixed binary releases, or perhaps they
already are patched (no info about this on the XFree86 website)? If it IS
just the Xserver itself (that is, the XFree86/X binary), I can probably
rob a patched one from some distro's "package". What are other users doing
about this?
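The Mandriva advisory quoted above describes the bug class precisely: the byte count for a pixmap is derived from width, height and depth, the multiplication wraps in 32-bit arithmetic for a huge request, and the server then allocates a buffer far smaller than the pixels it goes on to write. The following is an added, constructed illustration of that arithmetic and of the overflow-checked form a fix takes; it is not code from the XFree86 or X.Org server, and the row-padding rule and function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked 32-bit size calculation: rows are padded to a 32-bit boundary
 * (assumed padding rule for this example) and multiplied by the height.
 * For a large enough request the product wraps and a tiny buffer results. */
uint32_t pixmap_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t row_bytes = ((width * bpp + 31) / 32) * 4;
    return row_bytes * height;
}

/* Overflow-checked calculation in the same 32-bit type. Every multiplication
 * is guarded by a division against the type's maximum before it is performed,
 * so a request whose true size does not fit is rejected instead of wrapping. */
bool pixmap_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                          uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 32)
        return false;
    if (width > (UINT32_MAX - 31) / bpp)      /* width * bpp + 31 would wrap */
        return false;
    uint32_t row_bytes = ((width * bpp + 31) / 32) * 4;
    if (row_bytes > UINT32_MAX / height)      /* row_bytes * height would wrap */
        return false;
    *out = row_bytes * height;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the request is rejected. */
uint32_t pixmap_bytes_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t n = 0;
    return pixmap_bytes_checked(width, height, bpp, &n) ? n : 0;
}

/* Allocate pixel storage only when the size computation is sound. */
void *alloc_pixmap(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t n = pixmap_bytes_or_zero(width, height, bpp);
    return n ? calloc(n, 1) : NULL;
}

int main(void)
{
    /* Constructed inputs: a modest pixmap and an oversized one. */
    printf("100x50x32   unchecked=%u checked=%u\n",
           pixmap_bytes_unchecked(100, 50, 32), pixmap_bytes_or_zero(100, 50, 32));
    printf("65536x65536x32 unchecked=%u checked=%u (0 = rejected)\n",
           pixmap_bytes_unchecked(65536, 65536, 32),
           pixmap_bytes_or_zero(65536, 65536, 32));
    void *p = alloc_pixmap(65536, 65536, 32);
    printf("allocation for oversized request: %s\n", p ? "granted" : "refused");
    free(p);
    return 0;
}
```

For the 65536x65536x32 request the unchecked expression evaluates to 262144 * 65536 = 2^34, which is exactly 0 once truncated to 32 bits, so an allocator would be handed a zero-byte request for a pixmap the server believes spans gigabytes; the checked version refuses it at the second guard. The same guard-before-multiply pattern applies to any size computed from client-controlled dimensions, whichever integer width the allocator's parameter has.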
_______________________________________________
XFree86 mailing list
XFree86@xxxxxxxxxxx
http://XFree86.Org/mailman/listinfo/xfree86