X.Org developers have reported 30 vulnerabilities affecting various X11 client libraries as well as DRI/Mesa components.

The problems stem from insufficient validation of data transferred within the X11 protocol, and they manifest as out-of-bounds buffer accesses and integer overflows during request processing.

Many of the vulnerabilities allow code execution on the X client side when the client interacts with a server controlled by the attacker. Because the client and the server in most cases run on the same machine under the same user, or the server runs with higher privileges, the identified vulnerabilities pose little danger. However, they may threaten configurations in which a privileged client connects to an unprivileged third-party server (for example, a setuid X client connecting to a virtual X server such as Xvfb or Xephyr).
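As an added illustration of the bug class described above (integer overflows in the length handling of untrusted protocol data), not code from libX11 or the X.Org advisory; the wire format, record size and function names are constructed for this example:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed wire format for this example (not an actual X11 reply layout):
 * a 4-byte little-endian record count sent by the server, followed by
 * `count` records of REC_SIZE bytes each. */
#define REC_SIZE 8u

/* The vulnerable pattern: the server-supplied count is trusted and the byte
 * size is computed in 32-bit arithmetic, so it can wrap to a small number
 * while a later loop still iterates `count` times over the buffer. */
uint32_t naive_alloc_size(uint32_t count)
{
    return count * REC_SIZE;      /* 0x20000001 * 8 wraps to 8 */
}

/* Hardened size computation: reject counts whose byte size would overflow
 * and counts that claim more data than the message actually carries.
 * Returns 1 and stores the size on success, 0 on rejection. */
int checked_alloc_size(uint32_t count, size_t payload_len, size_t *out)
{
    if (count > SIZE_MAX / REC_SIZE)
        return 0;                 /* multiplication would overflow */
    size_t nbytes = (size_t)count * REC_SIZE;
    if (nbytes > payload_len)
        return 0;                 /* count claims more bytes than received */
    *out = nbytes;
    return 1;
}

/* Parse a whole message with the checks above. Returns the record count,
 * or -1 if the header is truncated or the count is inconsistent with the
 * number of bytes actually received from the (untrusted) server. */
long parse_reply_checked(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return -1;                /* header truncated */
    uint32_t count = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
                   | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    size_t nbytes;
    if (!checked_alloc_size(count, len - 4, &nbytes))
        return -1;
    /* Only now is it safe to read records from buf + 4 up to buf + 4 + nbytes. */
    return (long)count;
}
```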

Fixes are included in the upcoming releases of the libraries: libX11 1.5.99.902 (1.6 RC2), libXcursor 1.1.14, libXext 1.3.2, libXfixes 5.0.1, libXi 1.7.2, libXinerama 1.1.3, libXp 1.0.2, libXrandr 1.4.1, libXrender 0.9.8, libXRes 1.0.7, libXv 1.0.8, libXvMC 1.0.8, libXxf86dga 1.1.4, libXxf86vm 1.1.3, libdmx 1.1.3, libxcb 1.9.1, libFS 1.0.5, libXt 1.1.4.

Supplement: the researcher who found the vulnerabilities gave a presentation (PPT) at the CanSecWest conference, in which he described the sad state of security in Linux desktop systems and pointed out several other vulnerabilities (details are withheld until the problems are fixed in key projects) in various libraries and desktop environment components, including ones affecting DBus, KDE/Qt and GNOME/GTK+.

Main link to news: http://lists.x.org/archives/xorg-announce/2013-May/002219.html
