Bug 285991 (CVE-2007-4730)
Summary: | CVE-2007-4730 X.org composite extension buffer overflow | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | kreilly, xgl-maint |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://bugs.freedesktop.org/show_bug.cgi?id=7447 | ||
Fixed In Version: | | Doc Type: | Bug Fix |
Last Closed: | 2007-10-26 09:16:28 UTC | Type: | --- |
Bug Depends On: | 286051, 286061, 286071, 286081, 286091, 286101, 286111 | ||
Description
Josh Bressers
2007-09-11 14:01:10 UTC
FC6, F7, Fdevel, and rhels 5.0.z, 5.1 are not vulnerable because of this patch:

localhost:~/vertigo/rpms/xorg-x11-server/RHEL-5% cat xorg-x11-server-1.1.0-dont-backfill-bg-none.patch

Disable backfilling of windows created with bg=none, which otherwise would force a framebuffer readback.

--- ./composite/compalloc.c.spiffiffity 2006-03-13 16:59:55.000000000 -0500 +++ ./composite/compalloc.c 2006-04-12 16:37:50.000000000 -0400 @@ -478,6 +478,7 @@ * Copy bits from the parent into the new pixmap so that it will * have "reasonable" contents in case for background None areas. */ +#if 0 if (pGC) { XID val = IncludeInferiors; @@ -492,6 +493,7 @@ w, h, 0, 0); FreeScratchGC (pGC); } +#endif return pPixmap; }

We are changing the severity here to moderate. Here is some additional information provided by Adam Jackson:

- the Composite extension is not enabled by default in RHEL4, so the user would have had to go out of their way to turn it on.
- we don't ship any compositing manager in RHEL4, so they'd need to have installed one.
- the exploit requires the ability to authenticate to the X server, so the attacker would need to have already gained rights equivalent to the user.

For Red Hat Enterprise Linux 4, this issue was addressed in RHSA-2007:0898:
https://rhn.redhat.com/errata/RHSA-2007-0898.html

Red Hat Enterprise Linux 5 and current versions of Fedora were not affected as described in comment #2.
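Review bot: In the first hunk of the compalloc.c patch (@@ -478,6 +478,7 @@), the "#if 0" lands directly under the comment that begins "Copy bits from the parent into the new pixmap", so that comment now describes code that is never compiled. The reason for disabling the copy (avoiding a framebuffer readback for bg=none windows) is recorded only in the patch description. Put that reason in a comment next to the "#if 0", or delete the block and its old comment, so the source itself says why the pixmap is returned without the backfill that was meant to give it "reasonable" contents.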
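Review bot: In the second hunk of the compalloc.c patch (@@ -492,6 +493,7 @@), the "#endif" comes after "FreeScratchGC (pGC);", so the release of the scratch GC is compiled out together with the copy. The lines shown do not include where pGC is obtained. If that happens above the "#if 0", the GC is now acquired and never freed on this path, so either extend the disabled region upward to cover the acquisition or keep the FreeScratchGC call outside it.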