In servers built with support for SUN-DES-1 (Secure RPC) authentication credentials, an unauthenticated client may be able to crash the X server by sending a connection request specifying values that cause malloc to fail, causing the authentication routines to attempt to write data to the returned NULL pointer. Since the request is limited to an unsigned 16-bit integer for the allocation size, it is unlikely to fail unless the server is severely memory constrained. Introduced in the initial revision of Secure RPC support in X11R5 (1991)
Created attachment 962110 [details] 0001-unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver_CVE-2014-8091.patch
This issue arises because Xorg server fails to check the return value from a malloc call. The size of data(len) to be malloced is set by the authenticated client. len is unsigned 16 bits (as per the X protocol, sent by the client), though the server casts it into a int. So, successful exploitation will require malloc to fail when allocating a buffer of size UINT16_MAX
External References: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html