Debian Security Advisory
DSA-1595-1 xorg-server -- several vulnerabilities
- Date reported:
- 11 Jun 2008
- Affected packages:
- xorg-server
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362.
- More information:
-
Several local vulnerabilities have been discovered in the X Window System. The Common Vulnerabilities and Exposures project has identified the following problems:
- CVE-2008-1377
Missing validation of the parameters to the SProcSecurityGenerateAuthorization and SProcRecordCreateContext functions made it possible for a specially crafted request to trigger the swapping of bytes outside the parameters of these requests, causing memory corruption.
- CVE-2008-1379
An integer overflow in the validation of the parameters to the ShmPutImage() request made it possible to trigger the copying of arbitrary server memory to a pixmap that could subsequently be read by the client, allowing arbitrary parts of the X server's memory space to be read.
- CVE-2008-2360
An integer overflow could occur in the computation of the size of the glyph allocated by the AllocateGlyph() function, which caused less memory than expected to be allocated and later led to a heap overflow.
- CVE-2008-2361
An integer overflow could occur in the computation of the size of the glyph allocated by the ProcRenderCreateCursor() function, which caused less memory than expected to be allocated and later led to unmapped memory being dereferenced, crashing the X server.
- CVE-2008-2362
Integer overflows could also occur in the code that validates the parameters to the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside the intended request parameters.
In the stable distribution (etch), these problems have been fixed in version 2:1.1.1-21etch5.
In the unstable distribution (sid), these problems have been fixed in version 2:1.4.1~git20080517-2.
We recommend that you upgrade your xorg-server package.
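The integer-overflow pattern behind CVE-2008-2360 and CVE-2008-2361 (allocation size) and CVE-2008-2362 (length validation ahead of byte swapping), shown as an added example that is not part of the advisory and is not X.Org's code. The function names and the `GLYPH_HDR` and `STOP_BYTES` sizes are hypothetical stand-ins for the server's real structures.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical sizes standing in for the server's real structures. */
#define GLYPH_HDR  16u  /* glyph header bytes preceding the bitmap */
#define STOP_BYTES 12u  /* one gradient stop: 4-byte offset + 8-byte colour */

/* Overflow-checked 32-bit multiply: returns 0 if a * b would wrap. */
static int mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Unchecked: height * stride wraps modulo 2^32, so the result can be tiny. */
uint32_t glyph_size_unchecked(uint32_t height, uint32_t stride)
{
    return height * stride + GLYPH_HDR;
}

/* Checked: returns 1 and sets *size, or 0 if the size is not representable. */
int glyph_size_checked(uint32_t height, uint32_t stride, uint32_t *size)
{
    uint32_t bitmap;
    if (!mul_u32(height, stride, &bitmap) || bitmap > UINT32_MAX - GLYPH_HDR)
        return 0;
    *size = bitmap + GLYPH_HDR;
    return 1;
}

/* Unchecked length test: a wrapped product lets a huge count match a short payload. */
int stops_len_ok_unchecked(uint32_t payload_bytes, uint32_t n_stops)
{
    return payload_bytes == n_stops * STOP_BYTES;
}

/* Checked length test: reject the count before trusting the product. */
int stops_len_ok_checked(uint32_t payload_bytes, uint32_t n_stops)
{
    uint32_t need;
    return mul_u32(n_stops, STOP_BYTES, &need) && need == payload_bytes;
}

int main(void)
{
    uint32_t s = 0; /* constructed input: 65536 x 65536 wraps to 0 */
    printf("%u %d\n", (unsigned)glyph_size_unchecked(65536u, 65536u), glyph_size_checked(65536u, 65536u, &s));
    return 0;
}
```

In the unchecked forms the caller goes on to allocate or to loop using a count that no longer agrees with the computed size; the checked forms refuse the request before either happens.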
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/x/xorg-server/xorg-server_1.1.1.orig.tar.gz
- http://security.debian.org/pool/updates/main/x/xorg-server/xorg-server_1.1.1-21etch5.diff.gz
- http://security.debian.org/pool/updates/main/x/xorg-server/xorg-server_1.1.1-21etch5.dsc
- Alpha:
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_alpha.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_alpha.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_alpha.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_alpha.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_alpha.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_alpha.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_amd64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_amd64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_amd64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_amd64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_amd64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_amd64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_arm.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_arm.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_arm.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_arm.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_arm.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_arm.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_arm.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_hppa.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_hppa.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_hppa.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_hppa.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_hppa.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_hppa.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_i386.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_i386.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_i386.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_i386.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_i386.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_i386.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_ia64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_ia64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_ia64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_ia64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_ia64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_ia64.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_mips.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_mips.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_mips.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_mips.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_mips.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_mips.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_s390.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_s390.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_s390.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_s390.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_s390.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_s390.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-dev_1.1.1-21etch5_sparc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xvfb_1.1.1-21etch5_sparc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xnest_1.1.1-21etch5_sparc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xephyr_1.1.1-21etch5_sparc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx-tools_1.1.1-21etch5_sparc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xdmx_1.1.1-21etch5_sparc.deb
- http://security.debian.org/pool/updates/main/x/xorg-server/xserver-xorg-core_1.1.1-21etch5_sparc.deb
MD5 checksums of the listed files are available in the original advisory.