{"vuid":"VU#633257","idnumber":"633257","name":"X.Org server buffer overflow in Xrender extension","keywords":["XRender","X11","buffer overflow","arbitrary code execution","triangle handling code","x.org"],"overview":"A vulnerability in the X.Org X server could allow an attacker to execute arbitrary code with the privileges of the server.","clean_desc":"The X Window System provides a number of components to support graphical user interfaces, primarily on Unix-like operating systems. It features a client-server design whereby client applications specify instructions to a server (the X server) which then interacts with the display hardware to render graphics on the display. The X Rendering Extension (Render) introduces digital image composition as the foundation of a rendering model within the X Window System. The X.Org Foundation provides a free and open source implementation of the X Window System, including the X render extension. A flaw in the render extension, reportedly introduced through a typographical error, causes an incorrect computation for memory allocation size in XRenderCompositeTriStrip() and XRenderCompositeTriFan() requests. As a result, a buffer may be allocated that is too small to store the parameters of the request. For platforms where the ALLOCATE_LOCAL() macro is using alloca(), this situation can cause a stack overflow; on other platforms, it can cause a heap overflow.","impact":"A client of the X server using the X render extension is able to send requests that will cause a buffer overflow in the server side of the extension. This overflow can be exploited by an authorized client to execute malicious code inside the X server, which is generally running with root privileges.","resolution":"Apply a patch. A number of redistributors have supplied patches for this issue. Please see the Systems Affected section of this document for more information.","workarounds":"","sysaffected":"","thanks":"Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Bart Massey with reporting this issue to them.","author":"This document was written by Chad R Dougherty.","public":["http://secunia.com/advisories/19900/","http://secunia.com/advisories/19915/","http://secunia.com/advisories/19916/","http://secunia.com/advisories/19921/","http://secunia.com/advisories/19943/","http://secunia.com/advisories/19951/","http://secunia.com/advisories/19956/","http://secunia.com/advisories/19983/","http://www.auscert.org.au/6259","http://www.auscert.org.au/6268","http://www.auscert.org.au/6271","http://sunsolve.sun.com/search/document.do?assetkey=1-26-102339-1","http://www.ciac.org/ciac/bulletins/q-189.shtml"],"cveids":["CVE-2006-1526"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-05-03T13:26:08Z","publicdate":"2006-05-02T00:00:00Z","datefirstpublished":"2006-06-16T18:11:45Z","dateupdated":"2006-07-05T19:51:40Z","revision":34,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"2","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"10","cam_impact":"19","cam_easeofexploitation":"5","cam_attackeraccessrequired":"7","cam_scorecurrent":"3.1171875","cam_scorecurrentwidelyknown":"3.740625","cam_scorecurrentwidelyknownexploited":"6.234375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":3.1171875,"vulnote":null}