Red Hat Bugzilla – Bug 455209
DoS in the Xrender Extension's Trapezoid Drawing Routines
Last modified: 2008-07-30 16:05:16 EDT
XRender trapezoid drawing routines are broken in xorg-server 1.3.0, and causes
X.org crashes. They can be used as a vector for Denial-of-Service attacks, as
described in the following advisories:
The advisories say that xorg-server 1.3.1, that would presumably have been
relased Apr 30, 2007, fixed this. No such release was made to date, and current
git server-1.3-branch tree doesn't include the fix.
This is likely the cause of the following bugs:
Bug 443234 - X Server Crash with Firefox 3 Beta 5
Bug 448586 - Firefox 3 crashes Xorg at picture.c:1600
Bug 453607 - specific webpage in firefox crashes X
All these bugs have backtraces pointing to the trapezoid rendering functions
mentioned in the advisory.
The actual fix for this problem seems to be commit
047bf3349bb697c73c95729a8bbf15f72605901f of the xorg/server git tree, which is
not yet ported to server-1.3-branch.
Possible solutions include:
1. Request upstream to port the fix to server-1.3-branch, then release an
updated package; or
2. backport the needed patches to fix this problem in current Fedora 8, RHEL 5.2.
*** Bug 443234 has been marked as a duplicate of this bug. ***
*** Bug 453607 has been marked as a duplicate of this bug. ***
xorg-x11-server-184.108.40.206-47.fc8 has been submitted as an update for Fedora 8
(In reply to comment #4)
> xorg-x11-server-220.127.116.11-47.fc8 has been submitted as an update for Fedora 8
Tested, it successfully fixed the Xorg crashes.
Thanks for letting us know.
xorg-x11-server-18.104.22.168-47.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.