{"vuid":"VU#102441","idnumber":"102441","name":"Multiple X servers fail to properly allocate memory for large pixmaps","keywords":["X","memory allocation error","integer overflow","information disclosure","execute arbitrary code","PolyPoint","GetImage"],"overview":"Multiple X Window System servers contain a pixmap memory allocation flaw that may allow local users to execute code with elevated privileges.","clean_desc":"Multiple X Window System server applications share code that may contain a flaw in the memory allocation for large pixmaps. The affected products include the X.Org and XFree86 X server applications, possibly among others. An integer overflow condition may result in a memory allocation request returning an allocated region that is incorrectly sized. The client may then be able to use the XDrawPoint() and XGetImage() functions to read and write to arbitrary locations in the X server's address space.","impact":"A malicious local authenticated attacker may be able to execute arbitrary code with the privileges of the X server.","resolution":"Apply an update\nContact your vendor for updates, fixes, and workarounds.","workarounds":"","sysaffected":"","thanks":"Thanks to \nLuke Hutchison and Søren Sandmann Pedersen for reporting this vulnerability.","author":"This document was written by Ken MacInnis.","public":["https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166859","https://bugs.freedesktop.org/show_bug.cgi?id=594","http://secunia.com/advisories/16777/","http://secunia.com/advisories/16790/","https://rhn.redhat.com/errata/RHSA-2005-329.html"],"cveids":["CVE-2005-2495"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-09-07T19:52:46Z","publicdate":"2005-09-12T00:00:00Z","datefirstpublished":"2005-09-13T18:17:26Z","dateupdated":"2005-11-03T14:41:44Z","revision":38,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"11","cam_impact":"18","cam_easeofexploitation":"10","cam_attackeraccessrequired":"10","cam_scorecurrent":"7.425","cam_scorecurrentwidelyknown":"9.28125","cam_scorecurrentwidelyknownexploited":"16.70625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":7.425,"vulnote":null}