ProcPutImage(), GetHosts(), RegionSizeof(), REQUEST_FIXED_SIZE() calls do not check that their calculations for how much memory is needed to handle the client's request have not overflowed, so they can result in out-of-bounds reads or writes. These calls all occur only after a client has successfully authenticated itself. Introduced in X11R1 (1987).
Created attachment 962113 0002-dix_integer_overflow_in_ProcPutImage_CVE-2014-8092_1-4.patch
Created attachment 962114 0003-dix_integer_overflow_in_GetHosts_CVE-2014-8092_2-4.patch
Created attachment 962115 0004-dix_integer_overflow_in_RegionSizeof_CVE-2014-8092_3-4.patch
Created attachment 962116 0005-dix_integer_overflow_in_REQUEST_FIXED_SIZE_CVE-2014-8092_4-4.patch
In all the patches above, some calculation is done on data sent by the client and it results in a 32-bit integer overflow. That integer is used to malloc memory and client-controlled data is then copied into it. In most of the cases it could result in arbitrary code execution as root, and in Xorg client/server step could result in privilege escalation.
External References: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
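The pattern described in the comments above, as an added example that is not taken from the X server source or the attached patches: a size computed from client-supplied fields wraps in 32 bits, shown next to versions that reject the request before multiplying or adding. The struct, function names and sample values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request fields (not the X server's own structure);
 * both values arrive from the client and are untrusted. */
struct img_req {
    uint32_t row_bytes;   /* bytes per scanline */
    uint32_t rows;        /* number of scanlines */
};

/* Unchecked pattern: the product wraps modulo 2^32, so the size used
 * for allocation can be far smaller than the data later copied in. */
uint32_t needed_unchecked(const struct img_req *r)
{
    return r->row_bytes * r->rows;
}

/* Checked pattern: reject the request before multiplying when the
 * product is not representable. Returns 0 on success, -1 on overflow. */
int needed_checked(const struct img_req *r, uint32_t *out)
{
    if (r->rows != 0 && r->row_bytes > UINT32_MAX / r->rows)
        return -1;
    *out = r->row_bytes * r->rows;
    return 0;
}

/* Same idea for "fixed header + n variable bytes": the sum must not
 * wrap before it is compared with the length the client sent. */
int fixed_plus_n_ok(uint32_t fixed, uint32_t n, uint32_t req_len)
{
    if (n > UINT32_MAX - fixed)
        return 0;
    return fixed + n <= req_len;
}

int main(void)
{
    struct img_req bad = { 0x10000u, 0x10001u };  /* constructed sample */
    uint32_t out = 0;
    printf("unchecked size: %u\n", (unsigned)needed_unchecked(&bad));
    printf("checked result: %d\n", needed_checked(&bad, &out));
    printf("fixed+n accepted: %d\n", fixed_plus_n_ok(24u, 0xFFFFFFF0u, 64u));
    return 0;
}
```

With the constructed sample, the unchecked product of 0x10000 and 0x10001 is reported as 65536 bytes, while both checked helpers refuse the request.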
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html