Secunia

Some vulnerabilities have been reported in X.org X11, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose potentially sensitive information, or to gain escalated privileges.

1) An array indexing error within the XFree86 Misc extension can be exploited to execute arbitrary code by sending a specially crafted PassMessage request.

2) An integer overflow error within the EVI extension can be exploited to cause a heap-based buffer overflow via a specially crafted GetVisualInfo request.

3) An integer overflow error within the MIT-SHM extension can be exploited to overwrite arbitrary memory addresses by creating a pixmap with a specially calculated size.

4) An array indexing error within the "ProcGetReservedColormapEntries()" function from the TOG-CUP extension can be exploited to disclose arbitrary memory.

5) An error in multiple functions contained within the Xinput extension when swapping the byte order of received requests can be exploited to corrupt heap memory.

6) An error exists within the processing of security policy arguments when executing X. This can be exploited to determine the existence of restricted files by passing the file names as arguments to the "X -sp" command.

7) A boundary error exists within the X server when processing PCF fonts. This can be exploited to cause a buffer overflow via a PCF font containing a specially crafted PCF_BDF_ENCODINGS table with the difference between the "last col" and "first col" elements being greater than 255.

The vulnerabilities are reported in X.org X11 version R7.3 and prior.

Solution
Apply vendor patches.
Further details available in Customer Area

Provided and/or discovered by
1 - 5) Discovered by regenrecht, reported via iDefense Labs.
6) Takuya Shiozaki
7) Discovered by an anonymous researcher, reported by the vendor.

Changelog
Further details available in Customer Area

Original Advisory
iDefense Labs:
1) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=646
2, 3) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=645
4) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=644
5) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=643

X.Org:
http://lists.freedesktop.org/archives/xorg/2008-January/031918.html

JVN:
http://jvn.jp/jp/JVN88935101/index.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area