Secunia

Some vulnerabilities have been reported in X.org X11, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose potentially sensitive information, or to gain escalated privileges.

1) An integer overflow error when calculating the size of the glyph exists in the "AllocateGlyph()" function within the Render extension. This can be exploited to cause a heap-based buffer overflow via a specially crafted request.

2) An integer overflow error when calculating the size of the glyph in the "ProcRenderCreateCursor()" function within the Render extension can be exploited to crash the X server via a specially crafted request.

3) An integer overflow error exists in the Render extension when parsing client requests for the "SProcRenderCreateLinearGradient", "SProcRenderCreateRadialGradient", or "SProcRenderCreateConicalGradient" functions and can be exploited to corrupt heap memory.

4) Multiple input validation errors in the "SProcSecurityGenerateAuthorization()", "SProcRecordCreateContext()", and "SProcRecordRegisterClients()" functions within the Record and Security extensions can be exploited to corrupt heap memory via specially crafted requests.

Successful exploitation of vulnerabilities #1, #3, and #4 may allow execution of arbitrary code with privileges of the X server (typically root).

5) An integer overflow error when processing parameters to the "ShmPutImage()" request can be exploited to disclose arbitrary memory of the X server process.

The vulnerabilities are reported in X.org X11 version R7.3. Other versions may also be affected.

Solution
Apply vendor patches.
Further details available in Customer Area

Provided and/or discovered by
regenrecht, reported via iDefense.

Original Advisory
X.org:
http://lists.freedesktop.org/archives/xorg/2008-June/036026.html

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=718
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=719
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=720
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=721
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=722

Deep Links
Links available in Customer Area